refactor: nest guardrail commands under runtime topics/profiles

CLAUDE.md

@@ -13,7 +13,7 @@ Daystrom is a CLI and library providing full operational coverage over **Palo Al
 pnpm install               # Install deps
 pnpm run build             # tsc compile to dist/
 pnpm run dev               # Run CLI via tsx (any subcommand)
-pnpm run generate          # Interactive guardrail generation loop
+pnpm run generate          # Interactive guardrail generation loop (deprecated alias)
 
 # Test
 pnpm test                  # All tests (vitest run)
@@ -41,15 +41,15 @@ TypeScript ESM, Node 20+, pnpm. LangChain.js w/ structured output (Zod). `@cdot6
 
 ```
 src/
-├── cli/                   # CLI entry, 8 command groups, interactive prompts, renderer
-│   ├── index.ts           # Commander program — registers generate/resume/report/list/runtime/audit/redteam/model-security
+├── cli/                   # CLI entry, 3 top-level groups + deprecated aliases, prompts, renderer
+│   ├── index.ts           # Commander program — registers runtime/redteam/model-security + deprecated top-level aliases
 │   ├── commands/
-│   │   ├── generate.ts    # Main loop orchestration, wires all services
-│   │   ├── resume.ts      # Resume paused/failed run from disk
-│   │   ├── report.ts      # View run results by ID
-│   │   ├── list.ts        # List all saved runs
-│   │   ├── runtime.ts     # Runtime scanning (scan, bulk-scan, resume-poll) + config management (profiles, topics, api-keys, customer-apps, deployment-profiles, dlp-profiles, scan-logs)
-│   │   ├── audit.ts       # Profile-level multi-topic evaluation
+│   │   ├── generate.ts    # Main loop orchestration, wires all services (registered under runtime topics)
+│   │   ├── resume.ts      # Resume paused/failed run from disk (registered under runtime topics)
+│   │   ├── report.ts      # View run results by ID (registered under runtime topics)
+│   │   ├── list.ts        # List all saved runs (registered as "runs" under runtime topics)
+│   │   ├── runtime.ts     # Runtime scanning + config management + guardrail generation (topics) + audit (profiles)
+│   │   ├── audit.ts       # Profile-level multi-topic evaluation (registered under runtime profiles)
 │   │   ├── redteam.ts     # Red team operations (scan, targets CRUD, prompt-sets CRUD, prompts CRUD, properties)
 │   │   └── modelsecurity.ts # Model security operations (groups, rules, rule-instances, scans, labels, pypi-auth)
 │   ├── bulk-scan-state.ts # Save/load bulk scan IDs for resume after poll failure
@@ -172,13 +172,14 @@ tests/
 - Bulk scan IDs are saved to `~/.daystrom/bulk-scans/` before polling — survives rate limit crashes
 - CLI: `daystrom runtime resume-poll <stateFile> [--output <file>]` — resume polling from saved scan IDs
 - CLI config management subcommand groups (all via `ManagementClient` OAuth2):
-  - `daystrom runtime profiles {list,get,create,update,delete}` — security profile CRUD (supports `--force --updated-by`)
-  - `daystrom runtime topics {list,get,create,update,delete}` — custom topic CRUD (supports `--force --updated-by`)
+  - `daystrom runtime profiles {list,create,update,delete,audit}` — security profile CRUD + profile audit (supports `--force --updated-by`)
+  - `daystrom runtime topics {list,create,update,delete,generate,resume,report,runs}` — custom topic CRUD + guardrail generation (supports `--force --updated-by`)
   - `daystrom runtime api-keys {list,create,regenerate,delete}` — API key management (`regenerate` takes `--interval`/`--unit`)
   - `daystrom runtime customer-apps {list,get,update,delete}` — customer app CRUD
   - `daystrom runtime deployment-profiles {list}` — deployment profile listing (`--unactivated` filter)
   - `daystrom runtime dlp-profiles {list}` — DLP profile listing
   - `daystrom runtime scan-logs {query}` — scan log querying (`--interval`/`--unit hours`/`--filter`)
+- Deprecated top-level aliases (`generate`, `resume`, `report`, `list`, `audit`) still work with deprecation warnings
 
 ### Red Team (`src/airs/redteam.ts`, `src/airs/promptsets.ts`)
 - `SdkRedTeamService` wraps `RedTeamClient` for scan CRUD, polling, reports, **target CRUD**

README.md

@@ -20,19 +20,20 @@ Requires **Node.js >= 20**.
 
 ```bash
 cp .env.example .env   # add your API keys
-daystrom generate       # interactive guardrail generation
+daystrom runtime topics generate   # interactive guardrail generation
 ```
 
 ## Commands
 
 | Command | Description |
 |---------|-------------|
-| `generate` | LLM-driven guardrail generation with iterative refinement |
-| `resume` | Resume a paused or failed generation run |
-| `report` | View results for a saved run (terminal, JSON, HTML) |
-| `list` | List all saved runs |
-| `runtime` | Prompt scanning + config management (profiles, topics, API keys, apps, scan logs) |
-| `audit` | Multi-topic profile evaluation with conflict detection |
+| `runtime scan` | Single prompt scanning against AIRS profiles |
+| `runtime bulk-scan` | Batch prompt scanning with CSV output |
+| `runtime topics` | Custom topic CRUD + guardrail generation (`generate`, `resume`, `report`, `runs`) |
+| `runtime profiles` | Security profile CRUD + multi-topic `audit` |
+| `runtime api-keys` | API key management |
+| `runtime customer-apps` | Customer app CRUD |
+| `runtime scan-logs` | Scan log querying |
 | `redteam` | Adversarial scanning — targets, prompt sets, scans, reports |
 | `model-security` | ML model supply chain security — groups, rules, scans, labels |
 

docs/features/guardrail-generation.md

@@ -17,20 +17,29 @@ Daystrom's guardrail generation capability uses an LLM-driven feedback loop to c
 
 ## CLI Usage
 
+Guardrail generation lives under `daystrom runtime topics`:
+
 ```bash
 # Interactive mode — prompts for all inputs
-daystrom generate
+daystrom runtime topics generate
 
 # Non-interactive with all options
-daystrom generate \
-  --topic-name "weapons-discussion" \
-  --description "Block discussions about weapons manufacturing" \
+daystrom runtime topics generate \
+  --topic "Block discussions about weapons manufacturing" \
   --intent block \
   --profile my-security-profile \
-  --target-coverage 0.9 \
+  --target-coverage 90 \
   --max-iterations 5
+
+# Resume, report, list runs
+daystrom runtime topics resume <runId>
+daystrom runtime topics report <runId>
+daystrom runtime topics runs
 ```
 
+!!! note "Backward compatibility"
+    Top-level aliases (`daystrom generate`, `daystrom resume`, etc.) still work but print a deprecation warning. Use the `runtime topics` paths going forward.
+
 ## Key Concepts
 
 - **Intent**: `block` (detect violating prompts) or `allow` (detect benign prompts that should pass through)

docs/features/runtime-security.md

@@ -157,26 +157,40 @@ prompt,action,category,triggered,scan_id,report_id
 
 Daystrom exposes full CRUD over AIRS runtime configuration resources via `daystrom runtime` subcommand groups. All config management commands require Management API credentials (`PANW_MGMT_CLIENT_ID`, `PANW_MGMT_CLIENT_SECRET`, `PANW_MGMT_TSG_ID`).
 
-### Security Profiles
+### Security Profiles & Profile Audit
 
 ```bash
+# CRUD
 daystrom runtime profiles list
 daystrom runtime profiles create --config profile.json
 daystrom runtime profiles update <profileId> --config profile.json
 daystrom runtime profiles delete <profileId>
 daystrom runtime profiles delete <profileId> --force --updated-by user@example.com
+
+# Audit all topics in a profile
+daystrom runtime profiles audit <profileName>
+daystrom runtime profiles audit <profileName> --format html --output audit.html
 ```
 
-### Custom Topics
+### Custom Topics & Guardrail Generation
 
 ```bash
+# CRUD
 daystrom runtime topics list
 daystrom runtime topics create --config topic.json
 daystrom runtime topics update <topicId> --config topic.json
 daystrom runtime topics delete <topicId>
 daystrom runtime topics delete <topicId> --force --updated-by user@example.com
+
+# Guardrail generation (LLM-driven iterative refinement)
+daystrom runtime topics generate
+daystrom runtime topics resume <runId>
+daystrom runtime topics report <runId>
+daystrom runtime topics runs
 ```
 
+See [Guardrail Generation](guardrail-generation.md) for details on the generation loop.
+
 ### API Keys
 
 ```bash