release: v1.3.0 — SDK 0.13.0 upgrade with local config, operations, and incidents commands

CLAUDE.md

@@ -51,6 +51,9 @@ Commands are organized by resource type:
 - `commands/network.py`: Security zone management
 - `commands/security.py`: Security rule management
 - `commands/deployment.py`: Bandwidth allocation management
+- `commands/local.py`: Device configuration version listing and XML download
+- `commands/operations.py`: Device operations (route-table, fib-table, dns-proxy, interfaces, device-rules, bgp-export, logging-status) with sync/async job support
+- `commands/incidents.py`: Security incident search and detail with filtering and JSON output
 
 ### Key Components
 
@@ -179,7 +182,7 @@ Always refer to the appropriate style guide when writing or modifying code to en
 
 ## Important Notes
 
-- The SDK version requires `pan-scm-sdk>=0.12.2` - verify compatibility when updating
+- The SDK version requires `pan-scm-sdk>=0.13.0` - verify compatibility when updating
 - Mock mode allows full testing without API credentials
 - Bulk operations use YAML files - see `examples/` for formats
 - All commands support `--mock` flag for testing

docs/about/release-notes.md

@@ -2,6 +2,25 @@
 
 This page contains the release history of the Strata Cloud Manager CLI, with the most recent releases at the top.
 
+## Version 1.3.0
+
+**Released:** April 2026
+
+### Added
+
+- **SDK Upgrade**: Upgraded `pan-scm-sdk` from 0.12.x to 0.13.0, bringing Operations API, Incidents API, and region support.
+- **Local Config Commands**: New `scm local list` and `scm local download` commands for listing device configuration versions and downloading configs as XML.
+- **Device Operations Commands**: New `scm operations` command group with 7 operation types (route-table, fib-table, dns-proxy, interfaces, device-rules, bgp-export, logging-status) plus job status tracking. Commands default to sync mode (poll to completion) with `--async` flag for fire-and-forget.
+- **Incidents Commands**: New `scm incidents list` and `scm incidents show` commands for searching and viewing security incidents from the Unified Incident Framework. Supports filtering by status, severity, and product. `--json` flag for automation.
+- **Region Support**: Added `--region` option to `scm context create` for per-context region configuration. Added global `--region` flag to override region per-invocation. Region precedence: global flag > context > "americas" default.
+- **Timeout Handling**: Added `GatewayTimeoutError` handling with recovery instructions in error messages.
+
+### Changed
+
+- **SDK Dependency**: Updated from `^0.12.2` to `^0.13.0`.
+- **Context Schema**: Context YAML files now support an optional `region` field. Existing contexts without this field default to "americas".
+- **Type Safety**: Added `type: ignore[arg-type]` annotations for SDK model constructors affected by stricter type stubs in 0.13.0.
+
 ## Version 1.2.0
 
 **Released:** March 31, 2026

docs/cli/incidents/index.md

@@ -0,0 +1,51 @@
+# Incidents
+
+Search and view security incidents from the SCM Unified Incident Framework.
+
+## Commands
+
+### List Incidents
+
+```bash
+# List all incidents
+scm incidents list
+
+# Filter by status and severity
+scm incidents list --status open --severity high
+
+# Filter by product
+scm incidents list --product "Prisma Access"
+
+# JSON output for automation
+scm incidents list --json
+```
+
+**Options:**
+
+| Option | Required | Description |
+|--------|----------|-------------|
+| `--status`, `-s` | No | Filter: open, closed, in_progress |
+| `--severity` | No | Filter: critical, high, medium, low, informational |
+| `--product`, `-p` | No | Filter by product name |
+| `--json`, `-j` | No | Output as JSON |
+
+### Show Incident Detail
+
+```bash
+scm incidents show INC-2026-04-001
+scm incidents show INC-2026-04-001 --json
+```
+
+Shows full incident detail including alerts and remediation steps. Use `--json` for the complete structured output.
+
+**Arguments:**
+
+| Argument | Required | Description |
+|----------|----------|-------------|
+| `incident_id` | Yes | Incident ID to show |
+
+**Options:**
+
+| Option | Required | Description |
+|--------|----------|-------------|
+| `--json`, `-j` | No | Output as JSON |

docs/cli/local/index.md

@@ -0,0 +1,39 @@
+# Local Config
+
+Manage local device configuration versions and downloads.
+
+## Commands
+
+### List Config Versions
+
+```bash
+scm local list --device fw-01
+```
+
+Lists available configuration versions for a device, showing version number, date, author, and description.
+
+**Options:**
+
+| Option | Required | Description |
+|--------|----------|-------------|
+| `--device`, `-d` | Yes | Device name |
+
+### Download Config
+
+```bash
+# Output to stdout
+scm local download --device fw-01 --version 42
+
+# Save to file
+scm local download --device fw-01 --version 42 --output config.xml
+```
+
+Downloads a specific configuration version as XML. Outputs to stdout by default; use `--output` to write to a file.
+
+**Options:**
+
+| Option | Required | Description |
+|--------|----------|-------------|
+| `--device`, `-d` | Yes | Device name |
+| `--version`, `-v` | Yes | Config version number |
+| `--output`, `-o` | No | Output file path (default: stdout) |

docs/cli/operations/index.md

@@ -0,0 +1,70 @@
+# Device Operations
+
+Dispatch and monitor asynchronous device jobs for network diagnostics and status checks.
+
+## Commands
+
+All operation commands support:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `--device`, `-d` | Required | Device name |
+| `--async` | `False` | Return job ID without waiting |
+| `--timeout`, `-t` | `300` | Sync polling timeout in seconds |
+
+### Route Table
+
+```bash
+scm operations route-table --device fw-01
+scm operations route-table --device fw-01 --async
+```
+
+### FIB Table
+
+```bash
+scm operations fib-table --device fw-01
+```
+
+### DNS Proxy
+
+```bash
+scm operations dns-proxy --device fw-01
+```
+
+### Network Interfaces
+
+```bash
+scm operations interfaces --device fw-01
+```
+
+### Device Rules
+
+```bash
+scm operations device-rules --device fw-01
+```
+
+### BGP Export
+
+```bash
+scm operations bgp-export --device fw-01
+```
+
+### Logging Status
+
+```bash
+scm operations logging-status --device fw-01
+```
+
+### Job Status
+
+Check on an async job:
+
+```bash
+scm operations status --job-id abc-123
+```
+
+## Sync vs Async
+
+By default, commands block and poll until the operation completes, then display results as a table. Use `--async` to get the job ID immediately and check later with `scm operations status`.
+
+If sync polling exceeds `--timeout`, the CLI reports the job ID and last known state for manual follow-up.