Skip to main content

Architecture Overview

Prisma AIRS CLI is a multi-capability CLI tool and library for Palo Alto Prisma AIRS. Each subsystem has a single responsibility and communicates through typed interfaces — the CLI layer orchestrates user interaction while service layers handle AIRS API communication.

Module Structure

src/
├── cli/ Commands, interactive prompts, terminal rendering
├── config/ Zod-validated config schema + cascade loader
├── core/ Prompt loader, efficacy metrics, AIRS constraints
├── airs/ Scanner, Runtime, Management, Red Team, Prompt Sets, Model Security
├── backup/ Backup/restore envelope + file I/O
└── index.ts Library re-exports

Capability Domains

Prisma AIRS CLI provides four capability domains, each backed by dedicated service and CLI layers:

DomainCLI CommandsService Layer
Guardrail Optimizationruntime topics create, runtime topics apply, runtime topics eval, runtime topics revertPrompt loader + Scanner + Management
Runtime Securityruntime scan, runtime bulk-scan, runtime profiles, runtime topics, runtime api-keys, runtime customer-apps, runtime deployment-profiles, runtime dlp, runtime scan-logsSdkRuntimeService (sync + async scan) + SdkManagementService (config CRUD)
AI Red Teamingredteam scan, redteam targets, redteam prompt-sets, redteam prompts, redteam propertiesSdkRedTeamService + SdkPromptSetService
Model Securitymodel-security groups, model-security rules, model-security scans, model-security labelsSdkModelSecurityService

Guardrail Optimization Data Flow

The guardrail workflow uses atomic CLI commands orchestrated by an external agent (see AGENTS.md):

Runtime Security Data Flow

Modules at a Glance

ModuleWhat it does
cli/Commander CLI with 3 top-level command groups (runtime, redteam, model-security), Inquirer prompts, and Chalk terminal output
config/Zod schema with coercion and defaults; cascade loader merges CLI flags, env vars, config file, and defaults
core/CSV prompt loader, metric computation (TPR/TNR/F1), and AIRS constraint validation
airs/Scanner (sync scan + batched concurrency), Runtime (sync + async bulk scan with polling), Management (topic CRUD, profile CRUD, API keys, customer apps, deployment/DLP profiles, scan logs), Red Team (scan CRUD/polling/reports), Prompt Sets (custom prompt set management), Model Security (groups/rules/scans)
backup/Backup/restore envelope, file I/O, and filename sanitization

Tech Stack

CategoryTechnology
LanguageTypeScript ESM, Node 20+
Package Managerpnpm
AIRS SDK@cdot65/prisma-airs-sdk
CLICommander.js + Inquirer + Chalk
TestingVitest + MSW (fully offline)
Lint / FormatBiome