fix(org-data): skip prompts when CLI options are provided, fix entity store correlations #356

Merged: seanrathier merged 2 commits into main from fix-communicates-with-options on Apr 10, 2026
@seanrathier seanrathier commented Apr 10, 2026

Summary

  • Skip --size, --productivity-suite, and --detection-rules prompts when the corresponding CLI flags are provided (e.g. yarn start org-data --size small --integrations azure,entra_id no longer prompts)
  • Fix azure_integration: ensure userPrincipalName is always set on targetResources for communicates_with user→user relationships; actor is always user-initiated so initiatedBy.user.userPrincipalName is always present
  • Fix cloudtrail_integration: add actor_target_mapping/forwarded tags required by the ingest pipeline entity classification script; add host-target events (GetPasswordData, SendSSHPublicKey, SendCommand, StartSession) that produce host.target.entity.id
  • Fix jamf_pro_integration: use device.ipAddress and {employee.userName}-mac hostname to correlate with endpoint entity store records
  • Fix constants.ts: split FLEET_EPM_PACKAGES_URL into separate GET (metadata) and POST (install) variants to avoid passing latest as a semver version
  • Fix kibana_api.ts: resolve latest to a real semver before calling the install endpoint; improve non-JSON error messages to surface misconfigured kibana.node

Test plan

  • yarn start org-data --size small --integrations azure,entra_id — no prompts for size or productivity suite, still prompts for detection rules
  • yarn start org-data --size small --integrations azure,entra_id --detection-rules — no prompts at all
  • yarn start org-data --integrations azure,entra_id — prompts for size, productivity suite, and detection rules
  • Verify Entra ID audit logs contain targetResources[0].userPrincipalName for User-type activities
  • Verify CloudTrail documents include tags: ['actor_target_mapping', 'forwarded']

🤖 Generated with Claude Code

@seanrathier seanrathier requested a review from a team as a code owner April 10, 2026 13:44
@seanrathier seanrathier requested review from Copilot and tiansivive and removed request for Copilot April 10, 2026 13:44
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 10, 2026 13:47
@seanrathier seanrathier merged commit 76d1a2e into main Apr 10, 2026
5 checks passed

Copilot AI left a comment

Pull request overview

This PR improves the org-data CLI’s non-interactive usability and tightens entity correlation for several org-data integrations, while also fixing Fleet package install behavior when using latest.

Changes:

  • Add --size and --productivity-suite CLI options and skip interactive prompts when these are provided.
  • Improve entity correlation/enrichment in org-data integrations (Azure audit logs, CloudTrail tagging + host-target events, Jamf hostname/IP correlation).
  • Fix Fleet package installation by resolving latest to a concrete semver before calling the install endpoint, and improve Kibana API non-JSON error diagnostics.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/utils/kibana_api.ts | Resolve latest to semver for Fleet installs; improve non-JSON Kibana error handling; add prerelease handling to package metadata lookup. |
| src/constants.ts | Split Fleet package URL constants into GET metadata vs POST install variants. |
| src/commands/org_data/org_data.ts | Skip size/productivity-suite prompts when values are provided via CLI options. |
| src/commands/org_data/index.ts | Add --size and --productivity-suite options and pass them through to runOrgData. |
| src/commands/org_data/integrations/azure_integration.ts | Ensure user→user audit log target resources include userPrincipalName; make audit events always user-initiated for consistent actor UPN. |
| src/commands/org_data/integrations/cloudtrail_integration.ts | Add required tags for ingest classification and generate additional EC2/SSM/InstanceConnect events that produce host.target.entity.id. |
| src/commands/org_data/integrations/jamf_pro_integration.ts | Use device IP + endpoint-aligned hostname to improve correlation with endpoint entity store records. |
| README.md | Document non-interactive org-data usage and the new flags. |

Comment on lines +23 to +26
.option(
'--size <size>',
'Organization size without prompting (john-doe|small|medium|enterprise)',
)
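
Review bot: the `<size>` argument on this `.option(...)` call is free-form, and the four accepted values exist only inside the help string, so the parser will accept any text a caller passes. Declare the allowed set on the option itself, for example with Commander's `Option` and `.choices([...])`, so that the help output and the check come from one list and an unknown size is rejected at parse time.
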
Copilot AI Apr 10, 2026

The CLI help says --size accepts john-doe, but the codebase uses OrganizationSize = 'john_doe' | ... (underscore). Passing john-doe will propagate an invalid size value and can break lookups like SIZE_CONFIGS[size]. Update the help text (and README) to john_doe, or add normalization/validation to accept john-doe and map it to john_doe (ideally using Commander .choices(...)).

Copilot uses AI. Check for mistakes.
Comment on lines +180 to 185
// Prompt for organization size only if not provided via CLI
const size = options.size ?? (await promptForSize());

// Prompt for productivity suite
const productivitySuite = await promptForProductivitySuite();
// Prompt for productivity suite only if not provided via CLI
const productivitySuite = options.productivitySuite ?? (await promptForProductivitySuite());
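
Review bot: `options.size ?? (await promptForSize())` and the matching `options.productivitySuite ?? ...` line fall back to the prompt only for null or undefined, so any other string from the command line, an empty one included, is used as-is and the prompt's constrained choices no longer apply. Check both values against the allowed set before this point and fail with a message that lists the valid choices.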

Copilot AI Apr 10, 2026

options.size / options.productivitySuite can now come directly from the CLI, bypassing the interactive prompts that constrain values. If a user passes an invalid string, it will flow into downstream code (e.g. SIZE_CONFIGS[size]) and can cause runtime errors or inconsistent generation. Add runtime validation/normalization before using these values (or enforce allowed values at the Commander option level).

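The validation that the two review comments above ask for, as an added example that is not code from this PR or the project. The four size names come from this page; the `SIZE_CONFIGS` contents, the alias map and the function names are assumptions made for illustration.

```typescript
// Added example. Size names are from the PR page; config values are constructed.
type OrganizationSize = 'john_doe' | 'small' | 'medium' | 'enterprise';

// Hypothetical stand-in for the project's SIZE_CONFIGS (employee counts are made up).
const SIZE_CONFIGS: Record<OrganizationSize, { employees: number }> = {
  john_doe: { employees: 1 },
  small: { employees: 50 },
  medium: { employees: 500 },
  enterprise: { employees: 5000 },
};

// Spellings that appear in help text or docs but are not the internal key.
const SIZE_ALIASES = new Map<string, OrganizationSize>([['john-doe', 'john_doe']]);

function isOrganizationSize(value: string): value is OrganizationSize {
  // Own-property check: a truthiness test on SIZE_CONFIGS[value] would accept
  // inherited keys such as "constructor".
  return Object.prototype.hasOwnProperty.call(SIZE_CONFIGS, value);
}

// Returns a validated size, or undefined when the flag was omitted so the
// caller can still fall back to the interactive prompt.
function parseSizeOption(raw: string | undefined): OrganizationSize | undefined {
  if (raw === undefined) return undefined;
  const trimmed = raw.trim().toLowerCase();
  const candidate = SIZE_ALIASES.get(trimmed) ?? trimmed;
  if (!isOrganizationSize(candidate)) {
    const allowed = Object.keys(SIZE_CONFIGS).join(', ');
    throw new Error(`Invalid --size "${raw}". Allowed values: ${allowed}`);
  }
  return candidate;
}

// For contrast: what an unchecked table lookup reports for the same input.
function uncheckedLookupIsTruthy(raw: string): boolean {
  return Boolean(Reflect.get(SIZE_CONFIGS, raw));
}
```

Calling `parseSizeOption(options.size) ?? (await promptForSize())` keeps the prompt fallback for an omitted flag while rejecting anything outside the list.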

| Flag | Values | Default (when omitted) |
| ---------------------- | ------------------------------------------- | ------------------------ |
| `--size` | `john-doe`, `small`, `medium`, `enterprise` | interactive prompt |
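
Review bot: the `--size` row lists the accepted values, but nothing in the table says what happens when a caller passes something outside that list. Add a sentence stating that an unrecognised value is rejected once the CLI enforces it, and keep this list checked against the same source as the option's help string so the two copies cannot drift.
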
Copilot AI Apr 10, 2026

README documents --size values as john-doe, but the implementation uses john_doe (underscore). Using the documented value will lead to an invalid size and can break generation (e.g. size-based config lookups). Update the docs to match the actual accepted value, or implement an alias mapping in the CLI.

Suggested change
| `--size` | `john-doe`, `small`, `medium`, `enterprise` | interactive prompt |
| `--size` | `john_doe`, `small`, `medium`, `enterprise` | interactive prompt |

Comment on lines +100 to +103
* Tags required on every document for the ingest pipeline's entity
* classification script to run. Without 'actor_target_mapping' the
* Painless script that populates host.target.entity.id, user.entity.id,
* etc. is skipped entirely.
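
Review bot: this doc comment explains what breaks without 'actor_target_mapping' but is silent on 'forwarded', the second tag the PR summary says is added alongside it. State what depends on 'forwarded' as well, or a later cleanup may drop it as unused; naming the ingest pipeline that the Painless script belongs to would also help a reader find it.
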
Copilot AI Apr 10, 2026

The new comment says these tags are required on every CloudTrail document for the ingest pipeline classification script to run, but not all generated CloudTrail events in this file add tags: CLOUDTRAIL_TAGS (e.g. the StartSession events returned by createStartSessionEvent still omit tags). Either ensure all CloudTrail document builders include the tags, or narrow/adjust the comment so it stays accurate.

Suggested change
* Tags required on every document for the ingest pipeline's entity
* classification script to run. Without 'actor_target_mapping' the
* Painless script that populates host.target.entity.id, user.entity.id,
* etc. is skipped entirely.
* Tags to add to CloudTrail documents that should run through the ingest
* pipeline's entity classification script. Without 'actor_target_mapping'
* the Painless script that populates host.target.entity.id,
* user.entity.id, etc. is skipped entirely.
