|
| 1 | +# AGENTS.md |
| 2 | + |
| 3 | +This file provides guidance to AI agents when working with code in this |
| 4 | +repository. |
| 5 | + |
| 6 | +## Commands |
| 7 | + |
| 8 | +Dependencies are managed with Poetry. Prefix commands with `poetry run` (or |
| 9 | +activate the venv). |
| 10 | + |
| 11 | +- `poetry install` — set up the dev environment |
| 12 | +- `poetry run make test` — run pytest |
| 13 | +- `poetry run pytest tests/test_firewall.py::TestClass::test_name` — run a |
| 14 | + single test |
| 15 | +- `poetry run make lint` — flake8 over `panos` and `tests` |
| 16 | +- `poetry run make check-format` / `make format` — check / apply black + isort |
| 17 | +- `poetry run make bandit` — security scan |
| 18 | +- `poetry run make test-all` — run the full tox matrix |
| 19 | + |
| 20 | +## Architecture |
| 21 | + |
| 22 | +`pan-os-python` is an object-oriented SDK that mirrors the PAN-OS configuration |
| 23 | +tree. Users build a tree of objects rooted at a device, then call CRUD methods |
| 24 | +that translate to XML API calls against a firewall or Panorama. |
| 25 | + |
| 26 | +Core abstractions live in `panos/base.py`: |
| 27 | + |
| 28 | +- `PanObject` — base node. Every config object has an `XPATH`, optional `SUFFIX` |
| 29 | + (`ENTRY`/`MEMBER`), a `ROOT` (DEVICE / VSYS / PANORAMA / …), and a |
| 30 | + `CHILDTYPES` tuple declaring which classes may be added under it. `add()` / |
| 31 | + `remove()` / `find()` build and traverse the tree; `xpath()` is composed by |
| 32 | + walking parents up to the `PanDevice` at the root. |
| 33 | +- `VersionedPanObject` — subclass used for almost all real config objects. |
| 34 | + Parameters are declared via `_setup()` using `VersionedParamPath` entries, |
| 35 | + each with per-PAN-OS-version XML paths. The object renders different XML |
| 36 | + depending on the connected device's version. |
| 37 | +- `VsysOperations` — mixin behavior for objects that live inside a vsys and need |
| 38 | + import/export handling. |
| 39 | +- `PanDevice` — base for `firewall.Firewall` and `panorama.Panorama`. Owns the |
| 40 | + `pan.xapi` connection, version detection, HA state, commit/op helpers, and is |
| 41 | + always the root of the tree. |
| 42 | + |
| 43 | +Module layout follows the PAN-OS config hierarchy: `device.py`, `network.py`, |
| 44 | +`objects.py`, `policies.py`, `ha.py`, `panorama.py`, `predefined.py`, |
| 45 | +`plugins.py`, `userid.py`, `updater.py`, `errors.py`. Adding a new config node |
| 46 | +usually means subclassing `VersionedPanObject` (or `VsysOperations`) in the |
| 47 | +right module, defining `_setup()`, and adding it to the parent's `CHILDTYPES`. |
| 48 | + |
| 49 | +Tests under `tests/` are mostly offline unit tests that mock `pan.xapi`; |
| 50 | +`tests/live/` and `test_integration.py` hit real devices and aren't run by |
| 51 | +default. |
| 52 | + |
| 53 | +## Releases & commit style |
| 54 | + |
| 55 | +This repo uses semantic-release driven by Conventional Commits (`feat:`, `fix:`, |
| 56 | +`chore:`, …). Commit messages determine version bumps and changelog entries — |
| 57 | +keep the prefix correct. |
0 commit comments