Installation¶

Get Daystrom running in under 5 minutes. Choose between npm (recommended) or Docker.

Prerequisites¶

Before you begin, make sure you have:

Node.js 20+ (LTS recommended) — check with node -v
Prisma AIRS access — scan API key + management API OAuth2 credentials
LLM provider credentials — at least one supported provider (see options)

Install from npm¶

npm install -g @cdot65/daystrom

Verify the installation:

daystrom --version
daystrom --help

Try without installing

Run Daystrom once without a global install:

npx @cdot65/daystrom generate

Set Up Credentials¶

Daystrom needs credentials for both the LLM provider and AIRS APIs. The fastest way is an .env file or shell exports.

macOS / LinuxWindows (PowerShell)Windows (cmd)

export ANTHROPIC_API_KEY=sk-ant-...
export PANW_AI_SEC_API_KEY=your-scan-api-key
export PANW_MGMT_CLIENT_ID=your-client-id
export PANW_MGMT_CLIENT_SECRET=your-client-secret
export PANW_MGMT_TSG_ID=your-tsg-id

$env:ANTHROPIC_API_KEY = "sk-ant-..."
$env:PANW_AI_SEC_API_KEY = "your-scan-api-key"
$env:PANW_MGMT_CLIENT_ID = "your-client-id"
$env:PANW_MGMT_CLIENT_SECRET = "your-client-secret"
$env:PANW_MGMT_TSG_ID = "your-tsg-id"

Windows path length

If you encounter ENAMETOOLONG errors, enable long paths:

# Run as Administrator
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" `
  -Name "LongPathsEnabled" -Value 1 -PropertyType DWORD -Force

set ANTHROPIC_API_KEY=sk-ant-...
set PANW_AI_SEC_API_KEY=your-scan-api-key
set PANW_MGMT_CLIENT_ID=your-client-id
set PANW_MGMT_CLIENT_SECRET=your-client-secret
set PANW_MGMT_TSG_ID=your-tsg-id

All five credential values are required for a functional run. The LLM key depends on your chosen provider — see the provider table for alternatives to ANTHROPIC_API_KEY.

Docker¶

No Node.js required — just Docker. The multi-arch image supports both amd64 (Intel) and arm64 (Apple Silicon, Graviton).

First, create a .env file with your credentials:

.env

ANTHROPIC_API_KEY=sk-ant-...
PANW_AI_SEC_API_KEY=your-scan-api-key
PANW_MGMT_CLIENT_ID=your-client-id
PANW_MGMT_CLIENT_SECRET=your-client-secret
PANW_MGMT_TSG_ID=your-tsg-id

Then run Daystrom:

docker run --rm --env-file .env \
  -v ~/.daystrom:/root/.daystrom \
  ghcr.io/cdot65/daystrom generate \
  --profile my-security-profile \
  --topic "Block phishing attempts" \
  --intent block

The -v mount persists run state and learnings between containers.

Shell alias

Add to your .bashrc / .zshrc for convenience:

alias daystrom='docker run --rm --env-file .env -v ~/.daystrom:/root/.daystrom ghcr.io/cdot65/daystrom'

Then use daystrom generate, daystrom list, etc.

Where Data Lives¶

Daystrom stores everything under ~/.daystrom/:

Path	What's in it
`~/.daystrom/config.json`	Your persistent settings
`~/.daystrom/runs/`	Saved run states (one JSON per run)
`~/.daystrom/memory/`	Cross-run learnings (one JSON per topic category)

On Windows, ~ resolves to %USERPROFILE% (typically C:\Users\<username>).

Install from Source¶

For development or contributing:

git clone git@github.com:cdot65/daystrom.git
cd daystrom
pnpm install
cp .env.example .env

Requires pnpm >= 8 (corepack enable to install).

DevelopmentProduction

Run directly via tsx — no build step needed:

pnpm run generate

Compile TypeScript, then run the output:

pnpm run build
node dist/cli/index.js generate

Verify everything works:

pnpm test          # All tests (no AIRS creds needed)
pnpm run lint      # Lint check
pnpm tsc --noEmit  # Type check