securenow 5.10.2 → 5.11.1

package/CONSUMING-APPS-GUIDE.md

@@ -400,8 +400,38 @@ OTEL_LOG_LEVEL=debug                     # Enable debug output
 
 ---
 
+---
+
+## Firewall — Automatic IP Blocking
+
+If you use the SecureNow blocklist to block malicious IPs, the firewall module can enforce that blocklist directly in your app with zero code changes.
+
+### Enable It
+
+Add your API key to `.env`:
+
+```bash
+SECURENOW_API_KEY=snk_live_abc123...
+```
+
+The firewall activates automatically on startup and syncs the blocklist every 60 seconds:
+
+```
+[securenow] Firewall: ENABLED
+[securenow] Firewall: Layer 1 (HTTP 403)      active
+[securenow] Firewall: synced 142 blocked IPs
+```
+
+Blocked IPs get a 403 Forbidden response. No code changes needed — works with Express, Next.js, Fastify, and all Node.js frameworks.
+
+See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for advanced layers (TCP blocking, iptables, Cloud WAF).
+
+---
+
 ## Complete Documentation
 
+- [Firewall Guide](./docs/FIREWALL-GUIDE.md)
+- [API Keys Guide](./docs/API-KEYS-GUIDE.md)
 - [Logging Quick Start](./docs/LOGGING-QUICKSTART.md)
 - [Logging Complete Guide](./docs/LOGGING-GUIDE.md)
 - [All Examples](./examples/)

package/NPM_README.md

@@ -8,6 +8,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - 📋 Automatic logging with console instrumentation
 - 🔐 Built-in sensitive data redaction
 - 🎯 Request body capture for debugging
+- 🛡️ Multi-layer firewall — auto-blocks IPs from your SecureNow blocklist
 - 🔧 Fully configurable via environment variables
 - 🖥️ Single `-r securenow/register` flag — works for both CJS and ESM apps
 - 🟢 Native Nuxt 3 module (`securenow/nuxt`)
@@ -27,6 +28,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
   - [NestJS](#nestjs)
   - [Koa](#koa)
   - [Hapi](#hapi)
+- [Firewall — Automatic IP Blocking](#firewall--automatic-ip-blocking)
 - [Environment Variables Reference](#environment-variables-reference)
 - [Logging Setup](#logging-setup)
 - [Request Body Capture](#request-body-capture)
@@ -373,6 +375,8 @@ fi
 | | `forensics library` | Saved queries |
 | | `api-map` | API endpoints |
 | | `api-map stats` | API stats |
+| **Firewall** | `firewall status` | Firewall status and API key info |
+| | `firewall test-ip <ip>` | Check if an IP would be blocked |
 | **Remediate** | `blocklist` | Blocked IPs |
 | | `blocklist add <ip>` | Block IP |
 | | `blocklist remove <id>` | Unblock IP |
@@ -862,6 +866,49 @@ export default defineNuxtConfig({
 
 ---
 
+## Firewall — Automatic IP Blocking
+
+SecureNow can automatically block IPs from your blocklist at the application layer. No code changes — just set an API key and the firewall activates.
+
+### Enable the Firewall
+
+```bash
+# Add to your .env
+SECURENOW_API_KEY=snk_live_abc123...
+```
+
+That's it. On startup, you'll see:
+
+```
+[securenow] Firewall: ENABLED
+[securenow] Firewall: Layer 1 (HTTP 403)      active
+[securenow] Firewall: synced 142 blocked IPs (138 exact + 4 CIDR ranges)
+```
+
+### Blocking Layers
+
+The firewall supports four layers — Layer 1 is always on, the rest are opt-in:
+
+| Layer | Env Var | Description |
+|-------|---------|-------------|
+| **Layer 1: HTTP** | *(always on)* | Returns 403 Forbidden. Works with proxy headers. |
+| **Layer 2: TCP** | `SECURENOW_FIREWALL_TCP=1` | `socket.destroy()` — zero bytes sent back |
+| **Layer 3: iptables** | `SECURENOW_FIREWALL_IPTABLES=1` | Kernel-level DROP (Linux, requires root) |
+| **Layer 4: Cloud WAF** | `SECURENOW_FIREWALL_CLOUD=cloudflare` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
+
+### Get an API Key
+
+```bash
+npx securenow login
+npx securenow firewall status
+```
+
+Or create one from the dashboard with the `firewall:read` scope.
+
+See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for the full reference.
+
+---
+
 ## Environment Variables Reference
 
 ### Required Variables
@@ -915,6 +962,22 @@ export default defineNuxtConfig({
 
 **Example:** `SECURENOW_DISABLE_INSTRUMENTATIONS=fs,dns` disables filesystem and DNS instrumentations.
 
+#### Firewall
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `SECURENOW_API_KEY` | API key with `firewall:read` scope. Enables the firewall when set. | - |
+| `SECURENOW_API_URL` | SecureNow API base URL. | `https://api.securenow.ai` |
+| `SECURENOW_FIREWALL_ENABLED` | Master kill-switch. Set to `0` to disable. | `1` |
+| `SECURENOW_FIREWALL_SYNC_INTERVAL` | Blocklist refresh interval in seconds. | `60` |
+| `SECURENOW_FIREWALL_FAIL_MODE` | `open` (allow when unavailable) or `closed` (block all). | `open` |
+| `SECURENOW_FIREWALL_TCP` | Enable Layer 2 TCP blocking. | `0` |
+| `SECURENOW_FIREWALL_IPTABLES` | Enable Layer 3 iptables blocking. | `0` |
+| `SECURENOW_FIREWALL_CLOUD` | Cloud WAF provider: `cloudflare`, `aws`, or `gcp`. | - |
+| `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs. | - |
+
+See [Firewall Guide](./docs/FIREWALL-GUIDE.md) for complete details on all layers.
+
 #### Debugging
 
 | Variable | Description | Default |
@@ -1574,6 +1637,8 @@ No code changes needed!
 - **Automatic redaction** of sensitive fields (passwords, tokens, keys)
 - **Configurable** sensitive field patterns
 - **No data stored** locally - everything sent to your OTLP backend
+- **Multi-layer firewall** — blocks IPs at HTTP, TCP, OS, and cloud-edge levels
+- **API keys** with granular scopes, IP allowlisting, and SHA-256 hashing
 - **Open source** - audit the code yourself
 
 ---

package/README.md

@@ -121,6 +121,10 @@ npx securenow ip 1.2.3.4
 npx securenow forensics "show top attacking IPs in the last hour"
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
 
+# Firewall — automatic IP blocking
+npx securenow firewall status
+npx securenow firewall test-ip 1.2.3.4
+
 # Full dashboard overview
 npx securenow status
 ```
@@ -223,6 +227,8 @@ SecureNow automatically instruments:
 - **[Logging Quick Start](./docs/LOGGING-QUICKSTART.md)** - Add logging in 2 minutes
 
 ### Complete Guides
+- **[Firewall Guide](./docs/FIREWALL-GUIDE.md)** - Automatic multi-layer IP blocking
+- **[API Keys Guide](./docs/API-KEYS-GUIDE.md)** - API key management and scopes
 - **[Next.js Complete Guide](./docs/NEXTJS-GUIDE.md)** - Full Next.js integration guide
 - **[Nuxt 3 Complete Guide](./docs/NUXT-GUIDE.md)** - Full Nuxt 3 integration guide
 - **[Logging Complete Guide](./docs/LOGGING-GUIDE.md)** - Full logging setup for all frameworks
@@ -303,6 +309,13 @@ Most users won't need this — just add `-r securenow/register` to your existing
 | `securenow api-map` | View discovered API endpoints |
 | `securenow api-map stats` | API map statistics |
 
+### Firewall
+
+| Command | Description |
+|---------|-------------|
+| `securenow firewall status` | Show firewall status, active layers, and API key info |
+| `securenow firewall test-ip <ip>` | Check if an IP would be blocked by the current blocklist |
+
 ### Remediation
 
 | Command | Description |

package/cidr.js

@@ -0,0 +1,83 @@
+'use strict';
+
+/**
+ * Bitmask-based CIDR matching. No regex on user input — prevents ReDoS.
+ * All operations use unsigned 32-bit integers for IPv4 addresses.
+ */
+
+function ipToInt(ip) {
+  const parts = ip.split('.');
+  if (parts.length !== 4) return null;
+  let result = 0;
+  for (let i = 0; i < 4; i++) {
+    const n = parseInt(parts[i], 10);
+    if (isNaN(n) || n < 0 || n > 255) return null;
+    result = (result << 8) + n;
+  }
+  return result >>> 0;
+}
+
+function parseCidr(cidr) {
+  const slash = cidr.indexOf('/');
+  if (slash === -1) return null;
+  const ip = cidr.slice(0, slash);
+  const bits = parseInt(cidr.slice(slash + 1), 10);
+  if (isNaN(bits) || bits < 0 || bits > 32) return null;
+  const network = ipToInt(ip);
+  if (network === null) return null;
+  const mask = bits === 0 ? 0 : (~((1 << (32 - bits)) - 1)) >>> 0;
+  return { network: (network & mask) >>> 0, mask };
+}
+
+function matchesCidr(ipInt, cidrEntry) {
+  return ((ipInt & cidrEntry.mask) >>> 0) === cidrEntry.network;
+}
+
+/**
+ * Create a matcher from a list of IPs and CIDRs.
+ * Returns { isBlocked(ip), stats() }.
+ * Exact IPs use a Set for O(1) lookup; CIDRs use array scan (typically < 100 entries).
+ */
+function createMatcher(ipList) {
+  const exactSet = new Set();
+  const cidrRanges = [];
+
+  for (const entry of ipList) {
+    const trimmed = (entry || '').trim();
+    if (!trimmed) continue;
+
+    if (trimmed.includes('/')) {
+      const parsed = parseCidr(trimmed);
+      if (parsed) cidrRanges.push(parsed);
+    } else {
+      const normalized = trimmed.replace(/^::ffff:/, '');
+      exactSet.add(normalized);
+    }
+  }
+
+  function isBlocked(ip) {
+    if (!ip) return false;
+    const normalized = ip.replace(/^::ffff:/, '');
+
+    if (exactSet.has(normalized)) return true;
+
+    if (cidrRanges.length > 0) {
+      const ipInt = ipToInt(normalized);
+      if (ipInt !== null) {
+        for (const cidr of cidrRanges) {
+          if (matchesCidr(ipInt, cidr)) return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  function stats() {
+    return { exact: exactSet.size, cidr: cidrRanges.length, total: exactSet.size + cidrRanges.length };
+  }
+
+  return { isBlocked, stats };
+}
+
+module.exports = { ipToInt, parseCidr, matchesCidr, createMatcher };

package/cli/auth.js

@@ -1,208 +1,208 @@
-'use strict';
-
-const http = require('http');
-const { execFileSync } = require('child_process');
-const config = require('./config');
-const { api, CLIError } = require('./client');
-const ui = require('./ui');
-
-function openBrowser(url) {
-  try {
-    const platform = process.platform;
-    if (platform === 'darwin') execFileSync('open', [url], { stdio: 'ignore' });
-    else if (platform === 'win32') execFileSync('rundll32', ['url.dll,FileProtocolHandler', url], { stdio: 'ignore' });
-    else execFileSync('xdg-open', [url], { stdio: 'ignore' });
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function decodeJwtPayload(token) {
-  try {
-    const parts = token.split('.');
-    if (parts.length !== 3) return null;
-    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
-    return JSON.parse(payload);
-  } catch {
-    try {
-      const parts = token.split('.');
-      const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
-      const padded = base64 + '='.repeat((4 - base64.length % 4) % 4);
-      const payload = Buffer.from(padded, 'base64').toString('utf8');
-      return JSON.parse(payload);
-    } catch {
-      return null;
-    }
-  }
-}
-
-async function loginWithBrowser() {
-  const appUrl = config.getAppUrl();
-
-  return new Promise((resolve, reject) => {
-    const server = http.createServer((req, res) => {
-      const url = new URL(req.url, `http://localhost`);
-
-      if (url.pathname === '/callback') {
-        const token = url.searchParams.get('token');
-        const error = url.searchParams.get('error');
-
-        res.writeHead(200, { 'Content-Type': 'text/html' });
-
-        if (error) {
-          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Authentication Failed</h2><p>You can close this window.</p></body></html>');
-          server.close();
-          reject(new CLIError(`Authentication failed: ${error}`));
-          return;
-        }
-
-        if (token) {
-          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2 style="color:#22c55e">✓ Logged in to SecureNow</h2><p>You can close this window and return to the terminal.</p></body></html>');
-          server.close();
-          resolve(token);
-          return;
-        }
-
-        res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Something went wrong</h2><p>No token received. Please try again.</p></body></html>');
-        server.close();
-        reject(new CLIError('No token received in callback'));
-        return;
-      }
-
-      res.writeHead(404);
-      res.end();
-    });
-
-    server.listen(0, '127.0.0.1', () => {
-      const port = server.address().port;
-      const authUrl = `${appUrl}/cli/auth?callback=http://localhost:${port}/callback`;
-
-      console.log('');
-      ui.info('Opening browser for authentication...');
-      console.log('');
-
-      const opened = openBrowser(authUrl);
-      if (!opened) {
-        console.log('  Open this URL in your browser to log in:\n');
-        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
-      } else {
-        console.log(`  If the browser didn't open, visit:`);
-        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
-      }
-
-      console.log(ui.c.dim('  Waiting for authentication...'));
-
-      const timeout = setTimeout(() => {
-        server.close();
-        reject(new CLIError('Login timed out after 5 minutes. Try `securenow login --token <TOKEN>` instead.'));
-      }, 5 * 60 * 1000);
-
-      server.on('close', () => clearTimeout(timeout));
-    });
-
-    server.on('error', (err) => {
-      reject(new CLIError(`Failed to start local server: ${err.message}`));
-    });
-  });
-}
-
-async function loginWithToken(token) {
-  const s = ui.spinner('Validating token');
-  try {
-    await api.get('/applications', { token });
-    s.stop('Token is valid');
-    return token;
-  } catch (err) {
-    s.fail('Token validation failed');
-    throw new CLIError(`Invalid token: ${err.message}`);
-  }
-}
-
-async function login(args, flags) {
-  if (flags.token) {
-    const token = flags.token;
-    await loginWithToken(token);
-    const payload = decodeJwtPayload(token);
-    const email = payload?.email || 'unknown';
-    const exp = payload?.exp ? payload.exp * 1000 : null;
-
-    config.setAuth(token, email, exp);
-    console.log('');
-    ui.success(`Logged in as ${ui.c.bold(email)}`);
-    if (exp) {
-      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
-      ui.info(`Session expires in ${days} days`);
-    }
-    return;
-  }
-
-  try {
-    const token = await loginWithBrowser();
-    const payload = decodeJwtPayload(token);
-    const email = payload?.email || 'unknown';
-    const exp = payload?.exp ? payload.exp * 1000 : null;
-
-    config.setAuth(token, email, exp);
-    console.log('');
-    ui.success(`Logged in as ${ui.c.bold(email)}`);
-    if (exp) {
-      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
-      ui.info(`Session expires in ${days} days`);
-    }
-  } catch (err) {
-    if (err.message.includes('timed out')) {
-      console.log('');
-      ui.warn('Browser login timed out. You can also login with a token:');
-      console.log('');
-      console.log(`  1. Go to ${ui.c.cyan(config.getAppUrl() + '/dashboard/settings')}`);
-      console.log(`  2. Copy your CLI token`);
-      console.log(`  3. Run: ${ui.c.bold('securenow login --token <YOUR_TOKEN>')}`);
-      console.log('');
-    } else {
-      throw err;
-    }
-  }
-}
-
-async function logout() {
-  const creds = config.loadCredentials();
-  config.clearCredentials();
-  if (creds.email) {
-    ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
-  } else {
-    ui.success('Logged out');
-  }
-}
-
-async function whoami() {
-  const creds = config.loadCredentials();
-  const token = config.getToken();
-
-  if (!token) {
-    ui.error('Not logged in. Run `securenow login` to authenticate.');
-    process.exit(1);
-  }
-
-  const payload = decodeJwtPayload(token);
-
-  ui.heading('Current Session');
-  console.log('');
-  const pairs = [
-    ['Email', creds.email || payload?.email || 'unknown'],
-    ['User ID', payload?.sub || 'unknown'],
-    ['API', config.getApiUrl()],
-  ];
-  if (creds.expiresAt) {
-    const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
-    pairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
-  }
-  const defaultApp = config.getDefaultApp();
-  if (defaultApp) {
-    pairs.push(['Default App', defaultApp]);
-  }
-  ui.keyValue(pairs);
-  console.log('');
-}
-
-module.exports = { login, logout, whoami };
+'use strict';
+
+const http = require('http');
+const { execFileSync } = require('child_process');
+const config = require('./config');
+const { api, CLIError } = require('./client');
+const ui = require('./ui');
+
+function openBrowser(url) {
+  try {
+    const platform = process.platform;
+    if (platform === 'darwin') execFileSync('open', [url], { stdio: 'ignore' });
+    else if (platform === 'win32') execFileSync('rundll32', ['url.dll,FileProtocolHandler', url], { stdio: 'ignore' });
+    else execFileSync('xdg-open', [url], { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+    return JSON.parse(payload);
+  } catch {
+    try {
+      const parts = token.split('.');
+      const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+      const padded = base64 + '='.repeat((4 - base64.length % 4) % 4);
+      const payload = Buffer.from(padded, 'base64').toString('utf8');
+      return JSON.parse(payload);
+    } catch {
+      return null;
+    }
+  }
+}
+
+async function loginWithBrowser() {
+  const appUrl = config.getAppUrl();
+
+  return new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost`);
+
+      if (url.pathname === '/callback') {
+        const token = url.searchParams.get('token');
+        const error = url.searchParams.get('error');
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+
+        if (error) {
+          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Authentication Failed</h2><p>You can close this window.</p></body></html>');
+          server.close();
+          reject(new CLIError(`Authentication failed: ${error}`));
+          return;
+        }
+
+        if (token) {
+          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2 style="color:#22c55e">✓ Logged in to SecureNow</h2><p>You can close this window and return to the terminal.</p></body></html>');
+          server.close();
+          resolve(token);
+          return;
+        }
+
+        res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Something went wrong</h2><p>No token received. Please try again.</p></body></html>');
+        server.close();
+        reject(new CLIError('No token received in callback'));
+        return;
+      }
+
+      res.writeHead(404);
+      res.end();
+    });
+
+    server.listen(0, '127.0.0.1', () => {
+      const port = server.address().port;
+      const authUrl = `${appUrl}/cli/auth?callback=http://localhost:${port}/callback`;
+
+      console.log('');
+      ui.info('Opening browser for authentication...');
+      console.log('');
+
+      const opened = openBrowser(authUrl);
+      if (!opened) {
+        console.log('  Open this URL in your browser to log in:\n');
+        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
+      } else {
+        console.log(`  If the browser didn't open, visit:`);
+        console.log(`  ${ui.c.underline(ui.c.cyan(authUrl))}\n`);
+      }
+
+      console.log(ui.c.dim('  Waiting for authentication...'));
+
+      const timeout = setTimeout(() => {
+        server.close();
+        reject(new CLIError('Login timed out after 5 minutes. Try `securenow login --token <TOKEN>` instead.'));
+      }, 5 * 60 * 1000);
+
+      server.on('close', () => clearTimeout(timeout));
+    });
+
+    server.on('error', (err) => {
+      reject(new CLIError(`Failed to start local server: ${err.message}`));
+    });
+  });
+}
+
+async function loginWithToken(token) {
+  const s = ui.spinner('Validating token');
+  try {
+    await api.get('/applications', { token });
+    s.stop('Token is valid');
+    return token;
+  } catch (err) {
+    s.fail('Token validation failed');
+    throw new CLIError(`Invalid token: ${err.message}`);
+  }
+}
+
+async function login(args, flags) {
+  if (flags.token) {
+    const token = flags.token;
+    await loginWithToken(token);
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+
+    config.setAuth(token, email, exp);
+    console.log('');
+    ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (exp) {
+      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
+      ui.info(`Session expires in ${days} days`);
+    }
+    return;
+  }
+
+  try {
+    const token = await loginWithBrowser();
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+
+    config.setAuth(token, email, exp);
+    console.log('');
+    ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (exp) {
+      const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
+      ui.info(`Session expires in ${days} days`);
+    }
+  } catch (err) {
+    if (err.message.includes('timed out')) {
+      console.log('');
+      ui.warn('Browser login timed out. You can also login with a token:');
+      console.log('');
+      console.log(`  1. Go to ${ui.c.cyan(config.getAppUrl() + '/dashboard/settings')}`);
+      console.log(`  2. Copy your CLI token`);
+      console.log(`  3. Run: ${ui.c.bold('securenow login --token <YOUR_TOKEN>')}`);
+      console.log('');
+    } else {
+      throw err;
+    }
+  }
+}
+
+async function logout() {
+  const creds = config.loadCredentials();
+  config.clearCredentials();
+  if (creds.email) {
+    ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
+  } else {
+    ui.success('Logged out');
+  }
+}
+
+async function whoami() {
+  const creds = config.loadCredentials();
+  const token = config.getToken();
+
+  if (!token) {
+    ui.error('Not logged in. Run `securenow login` to authenticate.');
+    process.exit(1);
+  }
+
+  const payload = decodeJwtPayload(token);
+
+  ui.heading('Current Session');
+  console.log('');
+  const pairs = [
+    ['Email', creds.email || payload?.email || 'unknown'],
+    ['User ID', payload?.sub || 'unknown'],
+    ['API', config.getApiUrl()],
+  ];
+  if (creds.expiresAt) {
+    const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
+    pairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
+  }
+  const defaultApp = config.getDefaultApp();
+  if (defaultApp) {
+    pairs.push(['Default App', defaultApp]);
+  }
+  ui.keyValue(pairs);
+  console.log('');
+}
+
+module.exports = { login, logout, whoami };