Skip to content

feat(management): add dashboard.applicationsOverview for dashboard apps enumeration#177

Merged
cdot65 merged 1 commit into
cdot65:mainfrom
scthornton:feat/dashboard-applications-overview
Jun 4, 2026
Merged

feat(management): add dashboard.applicationsOverview for dashboard apps enumeration#177
cdot65 merged 1 commit into
cdot65:mainfrom
scthornton:feat/dashboard-applications-overview

Conversation

@scthornton

@scthornton scthornton commented May 29, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds mgmt.dashboard.applicationsOverview() to enumerate the dashboard's apps view. This is the canonical apps-list source for the SCM "AI Security > Runtime > API Applications" panel, and is needed because the existing customerApps.list() enumeration is at the wrong granularity for per-bucket reporting.

This is the SDK half of cdot65/prisma-airs-cli#240. The CLI-side change to use this new endpoint will follow in a separate PR.

Why this is needed

The dashboard buckets traffic by the literal metadata.app_name value scan payloads sent. A single registered customer-app (customer_apps.customer_appId) can therefore appear in the dashboard as multiple buckets, one per distinct scan-payload name, when an integration overrides app_name in scan metadata. LiteLLM's panw_prisma_airs guardrail does this by default; Portkey and Kong wrappers commonly do too.

Concrete example from a live tenant on 2026-05-29: 5 customer_apps entries but 20 dashboard buckets returned by applicationsoverview. CustomerApp 5e16929a-... alone had 8 distinct buckets (chatbot, Claude Code, LiteLLM, Portkey, kong-airs-demo, ...) each with its own real token_stats. The current CLI that enumerates from customerApps.list() was emitting one row per customer_app and silently dropping every other bucket.

API behavior (verified live 2026-05-29)

GET /v1/mgmt/dashboard/v2/apps/applicationsoverview

Query param Accepts
time_interval 1, 7, 30, 60. Others return HTTP 400.
time_unit 'days', 'day', 'hour'. Note this endpoint accepts the singular forms (unlike application which is 'days'-only).
limit Any positive int. SCM UI uses 25.
offset 0-based pagination offset.

Valid live-tested combinations: (7, days), (30, days), (60, days), (1, day), (1, hour). All others return 400. The SDK defaults to (30, days) to match the existing dashboard methods, but the wider enum is reflected in the type signature so callers can use the shorter windows.

Response:

{
  items: [{
    id: string,                  // registered customer_appId UUID
    name: string,                // scan-payload metadata.app_name literal
    cloud: string,
    source: string,              // 'api', etc.
    created_at: string,
    sessions: [{ bucket_number, date, total, violated }],
    sessions_total: number,
    sessions_violated: number,
  }],
  pagination: { limit, skip, total_items },
}

The id field matches customer_apps.customer_appId. The name field is the literal scan-payload value. Together they form the lookup key the existing dashboard.application(query) and dashboard.applicationViolationBreakdown(query) methods expect.

What this PR adds

  • MGMT_DASHBOARD_APPLICATIONS_OVERVIEW_PATH constant
  • DashboardApplicationsOverviewSchema + DashboardApplicationsOverview type (plus the per-item, sessions-bucket, and pagination schemas)
  • DashboardClient.applicationsOverview(query?) method
  • DashboardApplicationsOverviewQuery input type with narrowed enums
  • 5 new unit tests:
    • GET with defaults (verifies path + default params)
    • Same item ids with distinct names produce distinct buckets (the data-model assertion)
    • Caller-supplied timeInterval / timeUnit / limit / offset
    • Singular (1, hour) time window
    • Empty items array tolerance
  • Changeset (minor)
  • JSDoc cross-references between DashboardAppQuery.appName and applicationsOverview so callers can navigate the relationship

Existing application and applicationViolationBreakdown methods are unchanged.

Verification

  • Build clean (npm run build)
  • Lint clean (npm run lint)
  • Typecheck clean (npm run typecheck)
  • Preflight: 0 unacknowledged drift (npm run preflight)
  • All 1279 tests pass (npm test), including 10 dashboard tests (5 existing + 5 new)
  • Live-tested against my own tenant (api.sase.paloaltonetworks.com) on 2026-05-29

Follow-ups (not in this PR)

Two adjacent endpoints the SCM UI uses on the same page, wrapped here for future SDK work if useful:

  • dashboard/v2/apps/topapplicationsviolations - top-N apps by violation count, per-detector totals
  • dashboard/v2/apps/applicationsviolationstrend - violation time-series

Neither is needed for the cdot65/prisma-airs-cli#240 fix.

@scthornton
feat(management): add dashboard.applicationsOverview for dashboard ap…
f986231 
…ps enumeration

The dashboard buckets traffic by the literal metadata.app_name value scan
payloads sent. A single registered customer-app (customer_apps.customer_appId)
can therefore appear as multiple dashboard buckets, one per distinct
scan-payload name, when integrations override app_name in scan metadata
(LiteLLM's panw_prisma_airs guardrail does this by default).

The customer-apps endpoint lists registered customer applications and is the
wrong enumeration source for per-bucket reporting. applicationsoverview is
what the SCM UI's API Applications view uses to populate its list, and is
the canonical source for enumerating dashboard buckets.

Adds:
- MGMT_DASHBOARD_APPLICATIONS_OVERVIEW_PATH constant
- DashboardApplicationsOverview schema + types
- DashboardClient.applicationsOverview() method
- DashboardApplicationsOverviewQuery type
- 5 new unit tests covering defaults, custom windows, singular time_unit
  values (day/hour), and empty-items tolerance

API behavior verified live 2026-05-29 and reflected in type signatures:
- timeInterval: 1 | 7 | 30 | 60 (other values return HTTP 400)
- timeUnit: 'days' | 'day' | 'hour' (wider than the per-app application
  endpoint, which only accepts 'days')
- limit/offset pagination, SCM UI uses limit=25

Also clarifies DashboardAppQuery.appName JSDoc to point at applicationsOverview
as the canonical enumeration source.

Closes cdot65/prisma-airs-cli#240 (SDK half).
@scthornton scthornton mentioned this pull request May 29, 2026
Merged
@cdot65 cdot65 merged commit 71f4291 into cdot65:main Jun 4, 2026
4 checks passed
@cdot65 cdot65 mentioned this pull request Jun 4, 2026
Merged
cdot65 added a commit that referenced this pull request Jun 4, 2026
@cdot65
chore(release): v0.12.0 (#178)
dd67e33 
- feat(management): add dashboard.applicationsOverview for dashboard apps enumeration (#177)
cdot65 added a commit to cdot65/prisma-airs-cli that referenced this pull request Jun 4, 2026
@scthornton @cdot65
fix(runtime): consumption command enumerates dashboard buckets, not c…
805f07d 
…ustomer-apps (#241)

* fix(runtime): consumption command enumerates dashboard buckets, not customer-apps

The SCM dashboard buckets traffic by the literal scan-payload metadata.app_name
value, not by the SCM-registered customer-app name. A single registered
customer-app can therefore have multiple dashboard buckets, one per distinct
name an integration has sent. The previous implementation enumerated from
customerApps.list and silently dropped every bucket whose name didn't exactly
match an SCM-registered app_name.

Switch to dashboard.applicationsOverview (new in @cdot65/prisma-airs-sdk
0.12.0). This is the canonical apps-list source for the dashboard and is what
the SCM UI itself uses. The dashboard's bucket id is the registered
customer_appId UUID and its name is the scan-payload value; both flow through
directly to the existing dashboard.application and
dashboard.applicationViolationBreakdown calls.

Concrete impact in a tenant we tested live: 5 customer-apps entries vs 20
dashboard buckets surfaced. A single customer-app 5e16929a-... had 8 distinct
buckets (chatbot, Claude Code, LiteLLM, Portkey, kong-airs-demo, ...) all with
real distinct token_stats. The CLI was previously showing only the first.

Changes:
- getCustomerAppConsumption(name) looks up (appId, appName) from
  dashboard.applicationsOverview instead of customer_apps.list. Single-app
  mode now accepts the names shown in the SCM AI Applications view (the
  scan-payload app_name).
- runtime customer-apps consumption (no args) enumerates from
  applicationsOverview and emits one record per dashboard bucket.
- New service method listConsumptionApps(opts?) exposes the dashboard
  enumeration as ConsumptionAppListEntry[].
- Improved 'not found' error: lists first 5 available names + total count
  + explanation of the scan-payload-vs-SCM-name distinction.
- 5 new unit tests + 4 updated tests cover the new lookup path and the
  multiple-buckets-per-customer-app data model.

Live-verified against tenant 2026-05-29: all previously hidden buckets now
surface correctly with their actual token_stats.

Closes #240. Requires @cdot65/prisma-airs-sdk 0.12.0 (cdot65/prisma-airs-sdk#177).

* chore(deps): bump @cdot65/prisma-airs-sdk ^0.11.0 -> ^0.12.0

applicationsOverview now published; regen listConsumptionApps API docs. Unblocks typecheck/docs-build.

* docs(runtime): refresh consumption examples for dashboard-bucket behavior

All-apps now enumerates dashboard buckets; not-found error lists SCM app names + scan-payload note. Regen customer-apps.md.

* feat(runtime): describe consumption appName arg in --help and docs

Was blank; now explains it's the scan-payload metadata.app_name (SCM AI Applications view name).

---------

Co-authored-by: Calvin Remsburg <calvin@cdot.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@scthornton @cdot65