Overview
During E2E testing (#134-#139), several CLI commands fail due to pan-scm-sdk limitations. The CLI code is correct, but the underlying SDK either has unimplemented features or model/API contract mismatches. These require fixes in pan-scm-sdk before the CLI can function.
Current SDK version: pan-scm-sdk==0.3.39
Limitation 1: Auto-Tag Action — SDK module entirely commented out
Severity: Complete feature block — all CRUD operations fail.
Affected commands:
scm show object auto-tag-action --folder Texas
scm set object auto-tag-action ...
scm delete object auto-tag-action ...
scm backup object auto-tag-action ...
Error:
module 'scm.config.objects.auto_tag_actions' has no attribute 'AutoTagActions'
Root cause: In pan-scm-sdk==0.3.39, the file scm/config/objects/auto_tag_actions.py has its entire implementation commented out (lines 1-352 are all # commented). The SDK client's service_imports registry at scm/client.py:481-484 maps auto_tag_action to AutoTagActions class, but the import fails because the class doesn't exist (commented out).
SDK file: .venv/lib/python3.12/site-packages/scm/config/objects/auto_tag_actions.py
SDK registry: .venv/lib/python3.12/site-packages/scm/client.py lines 481-484:
"auto_tag_action": (
"scm.config.objects.auto_tag_actions",
"AutoTagActions",
),
CLI code path: src/scm_cli/utils/sdk_client.py lines 5382-5540 — all methods (create_auto_tag_action, delete_auto_tag_action, get_auto_tag_action, list_auto_tag_actions) call self.client.auto_tag_action.* which triggers the lazy import and fails.
CLI workaround applied: PR #149 added AttributeError handling in _handle_api_exception() so the CLI shows a user-friendly message instead of crashing.
SDK fix needed: Uncomment the AutoTagActions class implementation in scm/config/objects/auto_tag_actions.py and verify it works against the current API.
Limitation 2: Decryption Rule — SDK model requires action field API doesn't return
Severity: Complete feature block — list and show operations fail. Create/delete may also fail.
Affected commands:
scm show security decryption-rule --folder Texas
scm backup security decryption-rule --folder Texas
Error:
ValidationError: 1 validation error for DecryptionRuleResponseModel
action
Field required [type=missing]
Root cause: The SDK's DecryptionRuleResponseModel defines action as a required field (required=True, no default). However, the SCM API returns decryption rules without the action field populated. When the SDK tries to deserialize the API response into the Pydantic model, validation fails.
SDK model location: scm/models/security/decryption_rules.py — DecryptionRuleResponseModel class, action field defined as:
action: DecryptionRuleAction # required=True, no default
CLI code paths affected (all in src/scm_cli/utils/sdk_client.py):
get_decryption_rule() line 9680: self.client.decryption_rule.fetch()
list_decryption_rules() line 9738: self.client.decryption_rule.list()
create_decryption_rule() line 9569: self.client.decryption_rule.fetch() (existence check)
delete_decryption_rule() line 9626: self.client.decryption_rule.fetch() (lookup before delete)
move_decryption_rule() line 9776: self.client.decryption_rule.fetch() (lookup before move)
CLI workaround applied: PR #149 added ValidationError handling in _handle_api_exception() so the CLI shows a message about SDK model mismatch instead of an unhandled Pydantic traceback.
SDK fix needed: Make action optional in DecryptionRuleResponseModel with a default value:
action: Optional[DecryptionRuleAction] = None
# or
action: DecryptionRuleAction = DecryptionRuleAction.NO_DECRYPT
Limitation 3: Insights API — 5 of 6 endpoints not implemented in SDK
Severity: Feature block — 5 insights subcommands fail. Only alerts works.
Affected commands:
scm insights mobile-users --list
scm insights locations --list
scm insights remote-networks --list
scm insights service-connections --list
scm insights tunnels --list
Working command:
scm insights alerts --list # This one works
Error (same for all 5):
Error: Insights API not yet available in pan-scm-sdk
Root cause: The CLI's insights commands check for SDK support and the SDK does not expose service objects for these 5 insights endpoints. The alerts endpoint works because it was implemented, but the other 5 were not.
CLI code path: src/scm_cli/commands/insights.py — each subcommand handler checks if the SDK client has the corresponding insights service method and raises the "not yet available" error if missing.
SDK fix needed: Implement the following insights API services in pan-scm-sdk:
mobile_users — endpoint for GlobalProtect/Prisma Access mobile user insights
locations — endpoint for deployment location insights
remote_networks — endpoint for remote network tunnel/status insights
service_connections — endpoint for service connection insights
tunnels — endpoint for IPsec/GRE tunnel status insights
Each service needs:
- A response model in
scm/models/insights/
- A service class in
scm/config/insights/
- Registration in the SDK client's
service_imports dictionary
- Support for list/filter operations matching the SCM Insights API
Summary Table
| # |
Feature |
SDK Issue |
Severity |
CLI Workaround? |
| 1 |
Auto-Tag Action |
Module commented out |
Full block |
Yes — graceful error message |
| 2 |
Decryption Rule |
Model requires field API omits |
Full block |
Yes — graceful error message |
| 3 |
Insights (5 endpoints) |
Not implemented |
Full block |
Yes — "not yet available" message |
Impact
These 3 SDK limitations affect 7 E2E test failures across issues #134, #136, and #139. All other failures are API-side (tracked in #153).
Action Items
Overview
During E2E testing (#134-#139), several CLI commands fail due to pan-scm-sdk limitations. The CLI code is correct, but the underlying SDK either has unimplemented features or model/API contract mismatches. These require fixes in pan-scm-sdk before the CLI can function.
Current SDK version:
pan-scm-sdk==0.3.39Limitation 1: Auto-Tag Action — SDK module entirely commented out
Severity: Complete feature block — all CRUD operations fail.
Affected commands:
scm show object auto-tag-action --folder Texas scm set object auto-tag-action ... scm delete object auto-tag-action ... scm backup object auto-tag-action ...Error:
Root cause: In
pan-scm-sdk==0.3.39, the filescm/config/objects/auto_tag_actions.pyhas its entire implementation commented out (lines 1-352 are all#commented). The SDK client'sservice_importsregistry atscm/client.py:481-484mapsauto_tag_actiontoAutoTagActionsclass, but the import fails because the class doesn't exist (commented out).SDK file:
.venv/lib/python3.12/site-packages/scm/config/objects/auto_tag_actions.pySDK registry:
.venv/lib/python3.12/site-packages/scm/client.pylines 481-484:CLI code path:
src/scm_cli/utils/sdk_client.pylines 5382-5540 — all methods (create_auto_tag_action,delete_auto_tag_action,get_auto_tag_action,list_auto_tag_actions) callself.client.auto_tag_action.*which triggers the lazy import and fails.CLI workaround applied: PR #149 added
AttributeErrorhandling in_handle_api_exception()so the CLI shows a user-friendly message instead of crashing.SDK fix needed: Uncomment the
AutoTagActionsclass implementation inscm/config/objects/auto_tag_actions.pyand verify it works against the current API.Limitation 2: Decryption Rule — SDK model requires
actionfield API doesn't returnSeverity: Complete feature block — list and show operations fail. Create/delete may also fail.
Affected commands:
Error:
Root cause: The SDK's
DecryptionRuleResponseModeldefinesactionas a required field (required=True, no default). However, the SCM API returns decryption rules without theactionfield populated. When the SDK tries to deserialize the API response into the Pydantic model, validation fails.SDK model location:
scm/models/security/decryption_rules.py—DecryptionRuleResponseModelclass,actionfield defined as:CLI code paths affected (all in
src/scm_cli/utils/sdk_client.py):get_decryption_rule()line 9680:self.client.decryption_rule.fetch()list_decryption_rules()line 9738:self.client.decryption_rule.list()create_decryption_rule()line 9569:self.client.decryption_rule.fetch()(existence check)delete_decryption_rule()line 9626:self.client.decryption_rule.fetch()(lookup before delete)move_decryption_rule()line 9776:self.client.decryption_rule.fetch()(lookup before move)CLI workaround applied: PR #149 added
ValidationErrorhandling in_handle_api_exception()so the CLI shows a message about SDK model mismatch instead of an unhandled Pydantic traceback.SDK fix needed: Make
actionoptional inDecryptionRuleResponseModelwith a default value:Limitation 3: Insights API — 5 of 6 endpoints not implemented in SDK
Severity: Feature block — 5 insights subcommands fail. Only
alertsworks.Affected commands:
Working command:
scm insights alerts --list # This one worksError (same for all 5):
Root cause: The CLI's insights commands check for SDK support and the SDK does not expose service objects for these 5 insights endpoints. The
alertsendpoint works because it was implemented, but the other 5 were not.CLI code path:
src/scm_cli/commands/insights.py— each subcommand handler checks if the SDK client has the corresponding insights service method and raises the "not yet available" error if missing.SDK fix needed: Implement the following insights API services in pan-scm-sdk:
mobile_users— endpoint for GlobalProtect/Prisma Access mobile user insightslocations— endpoint for deployment location insightsremote_networks— endpoint for remote network tunnel/status insightsservice_connections— endpoint for service connection insightstunnels— endpoint for IPsec/GRE tunnel status insightsEach service needs:
scm/models/insights/scm/config/insights/service_importsdictionarySummary Table
Impact
These 3 SDK limitations affect 7 E2E test failures across issues #134, #136, and #139. All other failures are API-side (tracked in #153).
Action Items
pan-scm-sdkversion pin when fixes are released