Skip to content

feat: add support for linked Security Profile API keys, additional tests #1398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 6, 2025
Merged

feat: add support for linked Security Profile API keys, additional tests #1398

merged 2 commits into from
Nov 6, 2025

Conversation

@jroberts2600
Copy link
Contributor

@jroberts2600 jroberts2600 commented Oct 29, 2025

Description

This PR enhances the PANW Prisma AIRS guardrail plugin with additional error handling, comprehensive test coverage, and support for additional configuration parameters.

Key Changes:

  • Implemented test suite with proper HTTP mocking for deterministic, reliable tests
  • Added support for profile_id, app_name, and timeout parameters in the manifest
  • Made profile_name optional to support profiles linked directly to API keys in Strata Cloud Manager
  • Ensured proper environment variable isolation in tests to prevent side effects

Motivation

  • Missing support for AIRS features like linked Security Profiles to API keys and custom application names
  • Additional tracking parameters (app_name, profile_id) enable better observability in Prisma AIRS

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

  • Unit Tests
  • Integration Tests
  • Manual Testing

Screenshots (if applicable)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Related Issues

N/A

@matter-code-review
Copy link
Contributor

matter-code-review bot commented Oct 29, 2025
edited
Loading

Code Quality new feature

Description

Summary By MatterAI MatterAI logo

🔄 What Changed

Added support for Portkey's x-portkey-trace-id header as the AIRS tr_id (AI Session ID) in the PANW Prisma AIRS plugin. Implemented fallback logic using crypto.randomUUID() or timestamp-based ID generation if the header is missing. Enhanced test coverage with a dedicated unit test to validate trace ID propagation.

🔍 Impact of the Change

Enables consistent AI session tracking across Portkey and PANW Prisma AIRS by propagating trace context. Ensures observability and auditability of AI interactions. Improves debugging and monitoring capabilities through stable session correlation.

📁 Total Files Changed

File ChangeLog
Trace ID Support intercept.ts Extract x-portkey-trace-id from request headers and use as tr_id; fallback to generated ID
Test Suite panw.airs.test.ts Added test to verify tr_id is correctly set from header value

🧪 Test Added/Recommended

Added

  • Test validating tr_id is populated from x-portkey-trace-id header when present
  • Verification that the generated payload contains the correct trace ID

🔒 Security Vulnerabilities

No security vulnerabilities detected. Trace ID extraction is read-only and does not introduce injection risks.

⏳ Estimated code review effort

LOW (~7 minutes)

Tip

Quality Recommendations

  1. Ensure crypto.randomUUID() fallback is only used in secure contexts (HTTPS) to prevent entropy issues

  2. Add type safety for headers to avoid implicit any on ctx.request.headers

♫ Tanka Poem

Trace flows through code,
UUIDs guard the session path.
Headers light the way,
No lost calls in transit's maze,
Logs bloom with context today. 🌐🔍

Sequence Diagram

sequenceDiagram
    participant U as User
    participant P as Portkey Gateway
    participant A as PANW Prisma AIRS

    Note over U,P: Trace ID Propagation

    U->>P: Request with x-portkey-trace-id
    P->>P: Extract traceId from headers
    P->>P: Build payload with tr_id
    P->>A: POST /airs/analyze {tr_id, metadata}
    A-->>P: {action: 'allow'}
    P-->>U: Response

    alt Missing trace header
        U->>P: Request without x-portkey-trace-id
        P->>P: Generate fallback traceId
        P->>A: POST /airs/analyze {tr_id}
        A-->>P: {action: 'allow'}
        P-->>U: Response
    end
Loading

@matter-code-review
Copy link
Contributor

matter-code-review bot commented Oct 29, 2025

✅ Reviewed the changes: Review of PANW Prisma AIRS Guardrail enhancements for API key handling, profile parameters, and test coverage.

@narengogi narengogi requested a review from b4s36t4 October 31, 2025 08:10
narengogi
narengogi requested changes Oct 31, 2025
View reviewed changes
Copy link
Collaborator

@narengogi narengogi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good minor change

plugins/panw-prisma-airs/manifest.json Outdated
}
]
},
"timeout": {
Copy link
Collaborator

@narengogi narengogi Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you do not need to add this parameter, the gateway uses the x-portkey-timeout header as the parameter for timeout and is provided in the parameters object

Copy link
Contributor Author

@jroberts2600 jroberts2600 Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you! now updated.

@jroberts2600
Remove timeout parameter from PANW Prisma AIRS plugin
8851aee 
- Remove timeout parameter from manifest.json, update tests and intercept.ts to reflect
@jroberts2600 jroberts2600 force-pushed the feature/panw-prisma-airs-enhancements branch from 3a46e44 to 8851aee Compare October 31, 2025 14:27
@matter-code-review
Copy link
Contributor

matter-code-review bot commented Oct 31, 2025

✅ Reviewed the changes: This PR introduces support for linked Security Profile API keys and enhances test coverage. Key areas for improvement include type safety and test reliability.

@jroberts2600
feat: use Portkey trace ID as AIRS AI Session ID for multi-turn conve…
0e2aa41 
…rsation tracking

- Extract x-portkey-trace-id from request headers and use as tr_id in AIRS API calls
- Enables correlation between Portkey logs and Prism AIRS AI Session IDs
- Add test to verify trace ID extraction works correctly
@matter-code-review
Copy link
Contributor

matter-code-review bot commented Nov 3, 2025

✅ Reviewed the changes: Review of trace ID generation and test coverage for PANW Prisma AIRS integration

@VisargD VisargD merged commit 235dfd4 into Portkey-AI:main Nov 6, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@narengogi narengogi narengogi approved these changes

+1 more reviewer

@b4s36t4 b4s36t4 b4s36t4 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jroberts2600 @narengogi @b4s36t4 @VisargD