v2.12.0

2.12.0

Minor Changes

• bcad4b8: airs runtime dlp generate now emits visible-text variants alongside the existing
  hidden-channel techniques: visible for PDF/PNG/JPEG/SVG/DOCX, plus
  visible-samecolor for PDF and DOCX (body text drawn in the same color as its
  background — extractable but camouflaged). Full corpus grows from 15 to 21
  dirty files per run.

• 49bbc33: Add airs runtime customer-apps consumption [appName] for per-app token consumption + violation breakdown, sourced from the SCM AI Security > Runtime > API Applications dashboard endpoints (via the new mgmt.dashboard SDK namespace).

  # pretty (default): per-app sections with tokens, sessions, firing detectors
  airs runtime customer-apps consumption chatbot
  
  # all apps in tenant (omit appName)
  airs runtime customer-apps consumption
  
  # 60-day window instead of default 30
  airs runtime customer-apps consumption chatbot --time-interval 60
  
  # structured outputs (table / csv / json / yaml) — one row per detector per app
  airs runtime customer-apps consumption --output csv > consumption.csv
  

  The API enforces an enum for --time-interval: only 7, 30, and 60 are accepted (verified live 2026-05-28; the CLI validates client-side before calling). The dashboard endpoints require both appId and appName, so the CLI resolves the UUID from the customer-apps list endpoint internally - users only supply the human-readable app name.

  Closes #222.

Patch Changes

• bcad4b8: CI: red team scan workflow now supports CUSTOM scans with prompt_sets from
  target configs and fails the build when any target's ASR exceeds the
  ASR_THRESHOLD (default 10%).

• bcad4b8: Fix: airs redteam report <jobId> now routes DYNAMIC jobs to the dynamic
  report endpoint (/v1/report/dynamic/{jobId}/report) instead of the static
  one, which was returning 500. Adds a dedicated dynamic report renderer
  (Score, ASR, Goals, Threats, Summary).

• 43c7e45: docs(examples): land DLP examples for filtering-profiles get, patterns get/replace/patch, profiles get/create after v2.11.0 + SDK 0.10.0 unblocked them.

• 11b621e: Rewire redteam properties commands for SDK 0.10.0 response shapes.

  • properties list now renders the SDK's plain string[] (was incorrectly typed/rendered as {name}[]); adds --output json|yaml support.
  • properties values <name> now renders the SDK's {name, values: string[]} object (was incorrectly typed/rendered as {name, value}[]); adds --output json|yaml.
  • properties create and properties add-value now print the SDK's mutation message instead of fabricating a fake name=value line.
  • Adds curated input/output examples for redteam properties list (refreshed), redteam properties values, and redteam properties add-value; updates .missing-allowlist accordingly.

v2.11.0 — DLP namespace consolidation

Highlights

Minor (breaking surface changes)

• Removed airs runtime dlp-profiles list — use airs runtime dlp profiles list (canonical; populated IDs + type/profile_type/status/version). The two endpoints overlap heavily but are not identical on the same tenant; see #226 for legacy-only / new-only profile differences observed during migration.
• Moved airs runtime dlp-gen → airs runtime dlp generate. All flags (--types, --count, --out, --techniques, --seed, --output) and behavior preserved.

Notable patches

• runtime dlp filtering-profiles|profiles|patterns|dictionaries get no longer mangle JSON/YAML keys (datarofile → data_profile, etc.).
• redteam report --attacks correctly labels BYPASSED vs BLOCKED, prints inline subcategory names, and interpolates severity placeholders.
• redteam properties add-value HTTP 422 fixed (sends property_name/property_value matching SDK schema).
• --output <pretty|json|yaml> added to redteam prompt-sets get and redteam properties values.
• Bumped @cdot65/prisma-airs-sdk to ^0.10.0 (picks up DLP get-by-ID schema fix).

Docs

• CLI Reference sidebar flattens DLP entries under Runtime (no more separate "Dlp" group).
• Live input/output examples landed for the bulk of runtime dlp *, runtime *, redteam *, and model-security * commands. .missing-allowlist shrunk substantially with tracking issues for the remaining upstream blockers.

Release plumbing

First release cut via pnpm changeset version. Installs @changesets/cli, initializes .changeset/config.json, and consumes the 38 queued changesets.

See CHANGELOG.md for the full entry list.

v2.10.1 — hotfix lazy-load docx

Fixed

• localStorage warning on every airs command — docx was imported eagerly in src/dlp/{generate,embed}/docx.ts. Because the command tree is built at startup, docx loaded on every invocation; its browserify polyfills pull in util-deprecate's browser shim, which reads localStorage at import time and triggered (node:NNNN) Warning: --localstorage-file was provided without a valid path on Node 22+. The docx import is now deferred into the DOCX builders, so unrelated commands (scan, profiles, redteam, etc.) are warning-free and start slightly faster. DOCX output for dlp-gen is unchanged. Thanks @scthornton.

Full Changelog: v2.10.0...v2.10.1

v2.10.0 — DLP UX (flags + curated output)

Changed

• DLP write commands now take structured flags — patterns|profiles|filtering-profiles create/replace accept --name, --regex, --weighted-regex, --pattern-id, --file-based, --direction, --tag k=v, etc. instead of forcing --body-file pattern.json. --body/--body-file retained as escape hatches for complex rule trees.
• DLP output curated across all formats — --output json|yaml now returns {items, page:{number,size,total,returned}} for lists and {action,id,name,type,status,version} for acks, dropping the raw SDK envelope leak (tenant_id, is_parent_managed, pageable.*).

Fixed

• dlp dictionaries create now honors --output — was hardcoded to pretty, ignoring the flag. Now matches the rest of the DLP command surface.

Full Changelog: v2.9.0...v2.10.0

v2.9.0 — runtime dlp command group

New

• DLP command group — airs runtime dlp adds full CRUD across four DLP subclients:
  • filtering-profiles (list/get/replace)
  • patterns (list/create/get/replace/patch/soft-delete)
  • profiles (list/create/get/replace/patch — no delete; archive via patching profile_status)
  • dictionaries (full CRUD with multipart upload; handles both 200+body and 204+empty replace responses)
• Optional PANW_DLP_ENDPOINT env var (defaults to SDK built-in).

Fixed

• --debug now captures DLP traffic — fetch interceptor's host allowlist was missing api.dlp.paloaltonetworks.com, so runtime dlp commands were silently bypassing the JSONL log.

Dependencies

• @cdot65/prisma-airs-sdk bumped to ^0.9.2 (DLP nested helper nullable sweep — unblocks runtime dlp patterns list and runtime dlp profiles list against live tenants).

Known issues

• Upstream DLP API returns HTTP 400 for GET /v2/api/data-patterns/{id} and GET /v2/api/data-profiles/{id} on live tenants. Server-side, reproducible via curl. Tracked: cdot65/prisma-airs-sdk#162, #80. Workaround: use list + filter client-side.

PRs

• #78 — feat: add airs runtime dlp commands
• #79 — fix(debug): include DLP host in AIRS_DOMAINS allowlist

v2.8.0 — DLP test-file generator

Minor release

Added

• airs runtime dlp-gen — generate DLP test corpora: clean carrier files plus "dirty" copies with synthetic sensitive data embedded across PDF, PNG, JPEG, SVG, DOCX via 15 techniques (metadata, hidden text, container trailers, PNG chunks, LSB steganography, EXIF/COM, DOCX core-props/hidden-run). Writes clean/, dirty/, and a manifest.json mapping each dirty file to its technique + embedded values for scanner scoring. Randomized synthetic payloads (reserved-range SSNs, Luhn-valid test PANs, example.com emails, AWS …EXAMPLE keys); --seed for reproducibility. No real PII.
• dlp-test-files skill — drives the command.
• Docs: new Runtime page, full-CLI-sweep + command-reference entries, AGENTS.md.

Changeset: 0018.

v2.7.0 — DYNAMIC scan flags, CSV upload + download fixes

What's new

Features

• --goals, --depth, --breadth flags for airs redteam scan --type DYNAMIC (#66) — pass attack goals as inline JSON or a JSON file; tune agent depth and breadth. Without --goals, DYNAMIC scans still run in fully automated mode (no behavior change).

Fixes

• airs redteam prompt-sets upload no longer fails with File must be a CSV (#67) — upload now sends a File (with filename) instead of a bare Blob, so the server can identify the multipart content type.
• airs redteam prompt-sets download no longer crashes with Cannot read properties of undefined (#68) — bumped @cdot65/prisma-airs-sdk to ^0.8.3 and replaced the 30-line OAuth workaround with a direct SDK call. The SDK fix is in prisma-airs-sdk v0.8.3.

Internal

• Hardened CLI flag parsing for DYNAMIC scans: positive-integer guard for --depth/--breadth, non-empty string-array validation for --goals, and parseAttackGoals/parsePositiveInt helpers with unit tests.
• New "Dynamic Scan (Agent-Driven)" section in docs/redteam/scanning.md.

Changesets: 0015–0017.

v2.6.1

Bug fix (the headline)

Fixes airs runtime profiles list against tenants with empty topic-list action buckets (via SDK 0.8.1). SDK 0.8.0 enabled runtime Zod validation on every response but had TopicArraySchema.topic as non-nullable; the AIRS API legitimately returns null when an allow or block bucket is empty. SDK 0.8.1 made the field .nullable() to match the wire shape. Without this, profile list errors with RESPONSE_VALIDATION on most real tenants.

Dependency upgrades

• @cdot65/prisma-airs-sdk ^0.7.1 → ^0.8.1
  • 0.8.0 — runtime Zod validation now ON for every response; ScanResponse.{timeout,error,errors} and CustomTopic.{revision,description,examples} tightened from optional → required; tool_detected reshape (not used in this CLI). New ErrorType.RESPONSE_VALIDATION enum value.
  • 0.8.1 — TopicArraySchema.topic .nullable() (the bug fix above).
• Removed unused msw devDependency (peer dep of vitest only — never imported).

Documentation

• New: Live Smoke Tests — 16-command checklist for catching wire-format drift after CLI/SDK releases.
• New: Full CLI Command Sweep — comprehensive deep-audit walkthrough of every command, with cleanup order.
• Fixed: docs/development/testing.md — corrected stale claims about MSW handlers and a wrong test-directory tree.
• Fixed: rule-instances command in smoke-tests.md (required <groupUuid> arg) and ~20 signature errors in full-cli-sweep.md (verified against src/cli/commands/*.ts).

Internal

• Test mocks updated to satisfy the now-required CustomTopic fields.
• Added a Known Issues section to full-cli-sweep.md noting:
  • runtime scan-logs query may RESPONSE_VALIDATION on some tenants — SDK schema follow-up tracked
  • redteam prompt-sets get second-call 500 from getPromptSetVersionInfo — CLI soft-fail follow-up tracked
  • runtime customer-apps get 403 is a permission boundary, not a bug

PRs in this release

• #52 chore(deps): upgrade @cdot65/prisma-airs-sdk to ^0.8.0
• #54 docs: add live AIRS smoke test reference
• #56 docs: fix stale testing.md, drop unused msw dep
• #58 chore(deps): upgrade @cdot65/prisma-airs-sdk to ^0.8.1
• #60 docs: fix rule-instances command in smoke test reference
• #62 docs: add full CLI command sweep reference
• #64 docs: fix wrong command signatures in full-cli-sweep.md
• #65 chore: bump to v2.6.1

v2.6.0

What's Changed

Backup/Restore restructured

• Commands moved from airs backup targets / airs restore targets to airs redteam targets backup / airs redteam targets restore

Full-field backup

• Backup now captures all target fields: routing tuple (connection_type, api_endpoint_type, response_mode), auth config, network broker UUID, extra_info, session_supported
• Null values stripped from backup output for clean files

Restore routing defaults

• Restore supplies default routing fields (CUSTOM/PUBLIC/REST) for targets with null routing values
• Update path fetches existing target to preserve routing fields the API requires

Paginated target list

• listTargets now paginates through all results (API defaults to 10 per page)

SDK upgrade

• Upgraded @cdot65/prisma-airs-sdk to v0.7.1
• Fixed target create/restore 422 errors with strict schemas
• Removed WEBSOCKET provider, scaffold targets default to APPLICATION type
• Legacy backup field names (background/metadata) auto-normalized on restore

v2.4.0

New

• Profile cleanup — airs runtime profiles cleanup deletes old profile revisions, keeping only the latest revision per profile name. Supports --force to skip confirmation, --updated-by <email> (defaults to git user.email), and --output json.

Full Changelog

v2.3.0...v2.4.0