securenow 5.14.0 → 5.15.0

package/SKILL-CLI.md

@@ -0,0 +1,395 @@
+# SecureNow CLI — Agent Skill
+
+Use the `securenow` CLI to perform security DevOps from the terminal: manage apps, investigate threats, control the firewall, analyze traces, handle false positives, and run instrumented Node.js processes. Every command supports `--json` for machine-readable output.
+
+## Installation
+
+```bash
+# Install globally (recommended for CLI usage)
+npm install -g securenow
+
+# Or install per-project and use via npx
+npm install securenow
+npx securenow <command>
+```
+
+### Authenticate
+
+```bash
+securenow login             # opens browser OAuth; stores JWT in ~/.securenow/credentials.json
+securenow login --token <JWT>   # headless / CI login (get token from dashboard Settings)
+securenow whoami             # verify session
+```
+
+### Integrate With Your App
+
+The CLI can also instrument any Node.js app at launch — no code changes:
+
+```bash
+# Express, Fastify, NestJS, Koa, Hapi, raw Node.js
+securenow run src/index.js
+
+# Or via the Node preload flag
+node -r securenow/register src/index.js
+```
+
+For Next.js, run the interactive scaffolding:
+
+```bash
+securenow init --key snk_live_...
+```
+
+This auto-detects your framework and creates the necessary `instrumentation.ts`, `next.config.js` changes, and writes your API key to `.env.local`.
+
+### Install This Skill in Cursor
+
+Save this file as `.cursor/skills/securenow-cli/SKILL.md` in your project. Your AI agent will auto-discover it whenever you ask about CLI commands, security investigations, or firewall management.
+
+## Configuration
+
+Config lives in `~/.securenow/`:
+
+| File | Content |
+|------|---------|
+| `config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
+| `credentials.json` | `token`, `email`, `expiresAt` |
+
+```bash
+securenow config set apiUrl https://api.securenow.ai
+securenow config set defaultApp my-app-key
+securenow config get                     # show all
+securenow config get defaultApp          # show one
+securenow config path                    # print file paths
+```
+
+Environment overrides: `SECURENOW_API_URL`, `SECURENOW_APP_URL`, `SECURENOW_APP` (default app key).
+
+## Global Flags
+
+| Flag | Short | Effect |
+|------|-------|--------|
+| `--json` | `-j` | JSON output (pipe-friendly) |
+| `--help` | | Show help for any command |
+| `--verbose` | `-v` | Verbose output |
+| `--force` | `-f` | Skip confirmations |
+| `--yes` | `-y` | Auto-confirm prompts |
+
+Debug mode: `SECURENOW_DEBUG=1 securenow <cmd>` prints stack traces on errors.
+
+---
+
+## Command Reference
+
+### Run — Instrument Any Node.js App
+
+```bash
+securenow run <script>                       # auto-detect CJS/ESM, inject OTel preload
+securenow run --watch src/index.js           # pass Node flags through
+securenow run --inspect src/server.js --port 3000
+securenow src/index.js                       # shorthand — auto-detected as "run"
+```
+
+Spawns `node --require securenow/register [--import otel/hook.mjs] <script>`. ESM detection uses nearest `package.json` `"type"` field or `.mjs`/`.cjs` extension.
+
+### Authentication
+
+```bash
+securenow login                   # browser-based OAuth (starts local callback server)
+securenow login --token <JWT>     # headless / CI login
+securenow logout                  # clear ~/.securenow/credentials.json
+securenow whoami                  # show email, user ID, API URL, expiry, default app
+```
+
+### Applications
+
+```bash
+securenow apps                               # list all apps (default subcommand)
+securenow apps list                          # same as above
+securenow apps create <name> [--hosts h1,h2] [--instance <id>]   # interactive instance picker
+securenow apps info <id>                     # show app details
+securenow apps delete <id> [--force]         # delete an app
+securenow apps default <app-key>             # set default app for all commands
+securenow apps discover [appId] [--domain example.com]  # discover subdomains, add as apps
+securenow apps scan [--yes]                  # scan all app domains for new subdomains
+```
+
+### Init — Project Setup
+
+```bash
+securenow init [--key <API_KEY>]
+```
+
+Auto-detects framework (Next.js, Nuxt, Express, Fastify, Koa, Hapi, Node) from `package.json`. Then:
+- **Next.js**: creates `instrumentation.ts/js`, suggests `withSecureNow()` in `next.config`
+- **Nuxt**: tells you to add `securenow/nuxt` to modules
+- **Node/Express/etc.**: suggests adding `-r securenow/register` to start script
+- Writes `SECURENOW_API_KEY` to `.env.local` or `.env` if `--key` provided
+
+### Dashboard & Status
+
+```bash
+securenow status [--app <key>]               # dashboard overview
+securenow analytics [--app <key>]            # response analytics
+```
+
+---
+
+### Traces
+
+```bash
+securenow traces [--app <key>] [--limit N] [--start ISO] [--end ISO]
+securenow traces list --app my-app --limit 50
+securenow traces show <traceId>              # full trace detail with spans
+securenow traces analyze <traceId>           # AI-powered trace analysis
+```
+
+### Logs
+
+```bash
+securenow logs [--app <key>] [--limit N] [--minutes M] [--level error|warn|info]
+securenow logs list --app my-app --minutes 30 --level error
+securenow logs trace <traceId>               # logs correlated to a specific trace
+```
+
+### Issues
+
+```bash
+securenow issues [--app <key>] [--status open|resolved]
+securenow issues list --status open
+securenow issues show <id>                   # full issue details
+securenow issues resolve <id>                # mark as resolved
+```
+
+### Notifications
+
+```bash
+securenow notifications [--limit N] [--page P]
+securenow notifications list --limit 20
+securenow notifications read <id>            # mark one as read
+securenow notifications read-all             # mark all as read
+securenow notifications unread               # unread count
+```
+
+### Alerts
+
+```bash
+securenow alerts                             # list alert rules (default)
+securenow alerts rules                       # list alert rules
+securenow alerts channels                    # list alert channels (Slack, email, etc.)
+securenow alerts history [--limit N]         # past triggered alerts
+```
+
+---
+
+### IP Intelligence
+
+```bash
+securenow ip <ip-address>                    # lookup (geo, ASN, threat score, reputation)
+securenow ip lookup <ip-address>             # same as above
+securenow ip traces <ip-address>             # traces originating from this IP
+```
+
+### Forensics — Natural Language Security Queries
+
+```bash
+securenow forensics "show me all SQL injection attempts in the last 24h"
+securenow forensics query "top 10 IPs by blocked requests" --app my-app
+securenow forensics chat --app my-app        # interactive forensics chat session
+securenow forensics library                  # view saved/template queries
+```
+
+### API Map
+
+```bash
+securenow api-map                            # list discovered API endpoints
+securenow api-map list                       # same
+securenow api-map stats                      # endpoint statistics
+```
+
+---
+
+### Firewall
+
+```bash
+securenow firewall                           # show status (default)
+securenow firewall status                    # layers, sync time, blocked count, API key info
+securenow firewall test-ip <ip>              # check if IP would be blocked
+```
+
+### Blocklist — Block Malicious IPs
+
+```bash
+securenow blocklist                          # list blocked IPs
+securenow blocklist list
+securenow blocklist add <ip> [--reason "Brute force"]
+securenow blocklist remove <id>
+securenow blocklist stats                    # block counts, top reasons
+```
+
+### Allowlist — Restrict to Known IPs
+
+```bash
+securenow allowlist                          # list allowed IPs
+securenow allowlist list
+securenow allowlist add <ip> [--label "Office"] [--reason "Corporate VPN"]
+securenow allowlist remove <id>
+securenow allowlist stats
+```
+
+### Trusted Proxies
+
+```bash
+securenow trusted                            # list trusted IPs
+securenow trusted list
+securenow trusted add <ip> [--label "CloudFlare edge"]
+securenow trusted remove <id>
+```
+
+---
+
+### False Positive Management
+
+The `fp` command manages exclusion rules that prevent known-safe traffic from triggering security alerts.
+
+```bash
+securenow fp                                 # list all exclusion rules
+securenow fp list
+securenow fp show <id>                       # rule details
+securenow fp delete <id> [--yes]
+
+# Create exclusion rules
+securenow fp create \
+  --conditions '[{"field":"http.target","op":"starts_with","value":"/api/health"}]' \
+  --match-mode all \
+  --rule-scope any_rule \
+  --reason "Health check endpoint"
+
+# Shorthand safe-value presets
+securenow fp create \
+  --path /api/events \
+  --method POST \
+  --path-safe standard \
+  --ua-safe standard \
+  --headers-safe standard \
+  --query-keys page,limit \
+  --headers-keys host,content-type \
+  --reason "Event webhook"
+
+# Edit an existing rule
+securenow fp edit <id> [--active true|false] [--conditions '[...]']
+
+# Test conditions against a request body
+securenow fp test-body '{"user":"admin"}' --conditions '[{"field":"body.user","op":"eq","value":"admin"}]'
+securenow fp test-body @request.json --conditions '[...]'
+
+# Dry-run conditions against the last 3 days of live traces
+securenow fp dry-run --conditions '[{"field":"http.target","op":"starts_with","value":"/api/webhook"}]'
+
+# AI-generate exclusion conditions from a description
+securenow fp ai-fill --description "Stripe webhook POST to /api/stripe/webhook" \
+  --context '{"method":"POST","path":"/api/stripe/webhook"}'
+
+# Mark an IP as false positive on a specific notification
+securenow fp mark <notification-id> <ip> \
+  [--conditions '[...]'] \
+  [--reason "Known partner IP"] \
+  [--rule-scope this_rule|specific_rules|all_existing|any_rule] \
+  [--target-rules id1,id2]
+```
+
+**Condition fields:** `http.target`, `http.method`, `http.url`, `http.user_agent`, `http.request.header.*`, `body.*`, `http.status_code`, `net.peer.ip`, and more.
+
+**Operators:** `eq`, `neq`, `contains`, `not_contains`, `starts_with`, `ends_with`, `regex`, `in`, `not_in`, `exists`, `not_exists`, `gt`, `lt`, `gte`, `lte`.
+
+**Match modes:** `all` (AND logic), `any` (OR logic).
+
+**Rule scopes:** `this_rule` (single alert rule), `specific_rules` (comma-separated IDs via `--target-rules`), `all_existing` (all current rules), `any_rule` (all current and future rules).
+
+**Safe-value presets:** `standard` or `strict`. These auto-generate conditions that whitelist common safe patterns for paths, query strings, user-agents, and headers.
+
+---
+
+### Instances
+
+```bash
+securenow instances                          # list ClickHouse instances
+securenow instances list
+securenow instances test <id>                # test connection
+```
+
+---
+
+## Workflow Examples for Agentic AI
+
+### Investigate a Security Alert
+
+```bash
+securenow notifications list --limit 5 --json
+securenow issues show <issue-id> --json
+securenow ip <attacker-ip> --json
+securenow ip traces <attacker-ip> --json
+securenow traces show <trace-id> --json
+securenow traces analyze <trace-id> --json
+# Decision: block the IP
+securenow blocklist add <attacker-ip> --reason "Automated: SQL injection from issue #<id>"
+```
+
+### Triage and Suppress a False Positive
+
+```bash
+securenow notifications list --json
+# Identify a false positive notification
+securenow fp ai-fill --description "Stripe webhook calls to /api/stripe/webhook"
+# Review the suggested conditions, then create the rule
+securenow fp create --conditions '<ai-suggested-conditions>' --rule-scope any_rule --reason "Stripe webhook"
+# Or directly mark the notification's IP as FP
+securenow fp mark <notification-id> <ip> --rule-scope this_rule --reason "Known Stripe IP"
+```
+
+### Onboard a New Application
+
+```bash
+securenow apps create my-new-app --hosts api.example.com,app.example.com
+securenow apps default my-new-app
+securenow init --key snk_live_abc123...
+securenow run src/index.js
+securenow status --json
+```
+
+### Security Posture Check
+
+```bash
+securenow status --json
+securenow firewall status --json
+securenow blocklist stats --json
+securenow api-map stats --json
+securenow issues list --status open --json
+securenow forensics "summarize all attacks in the last 7 days"
+```
+
+### Discover Attack Surface
+
+```bash
+securenow apps discover --domain example.com
+securenow apps scan --yes
+securenow api-map list --json
+securenow api-map stats --json
+```
+
+---
+
+## Output Parsing
+
+All commands support `--json` for structured output. When piping to other tools or parsing programmatically, always use `--json`. Table output is the default for human readability.
+
+## Error Handling
+
+| Exit code / Error | Meaning | Recovery |
+|------------------|---------|----------|
+| `Session expired` | JWT expired | `securenow login` |
+| `Not logged in` | No token in `~/.securenow/credentials.json` | `securenow login` |
+| `Access denied (403)` | Insufficient plan or permissions | Upgrade plan or check user role |
+| `Cannot connect` | API unreachable | Check `SECURENOW_API_URL` or network |
+| `Unknown command` | Typo or unrecognized command | `securenow help` |
+
+Set `SECURENOW_DEBUG=1` for full stack traces on any error.

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');

package/docs/FIREWALL-GUIDE.md

@@ -29,7 +29,14 @@ Internet Traffic
       Your App
 ```
 
-All layers share the same in-memory blocklist, synced every 60 seconds from the SecureNow API. Layer 1 (HTTP) is always active. Layers 2–4 are opt-in via environment variables.
+All layers share the same in-memory blocklist, synced from the SecureNow API using a version-based protocol. Layer 1 (HTTP) is always active. Layers 2-4 are opt-in via environment variables.
+
+**Sync protocol:**
+- A lightweight version check runs every 10 seconds (uses ETag/304 -- no data transferred when unchanged)
+- Full blocklist sync only when the version changes, or every 5 minutes as a safety net
+- Changes propagate to all running instances in 10-15 seconds
+- Exponential backoff with jitter when the API is temporarily unreachable
+- Automatic localhost fallback when API is co-located (ECONNREFUSED triggers retry on `http://localhost:4000`)
 
 ---
 
@@ -69,9 +76,18 @@ That's it. The firewall auto-activates when `SECURENOW_API_KEY` is present. You'
 [securenow] Firewall: Layer 3 (iptables)       disabled (set SECURENOW_FIREWALL_IPTABLES=1)
 [securenow] Firewall: Layer 4 (Cloud WAF)      disabled (set SECURENOW_FIREWALL_CLOUD=cloudflare|aws|gcp)
 [securenow] Firewall: synced 142 blocked IPs (138 exact + 4 CIDR ranges)
-[securenow] Firewall: next sync in 60s
 ```
 
+### Firewall-Only Mode (No Tracing)
+
+If you only need IP blocking without OpenTelemetry tracing:
+
+```bash
+node -r securenow/firewall-only app.js
+```
+
+This loads only the firewall with zero OTel dependencies. No `serverExternalPackages`, no `instrumentation.js`, no tracing overhead. Set `SECURENOW_API_KEY` in your environment and you're done.
+
 ---
 
 ## Layers In Detail
@@ -176,12 +192,13 @@ SECURENOW_FIREWALL_CLOUD_DRY_RUN=1
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `SECURENOW_API_KEY` | *(required)* | API key with `firewall:read` scope |
-| `SECURENOW_API_URL` | `https://api.securenow.ai` | API base URL |
+| `SECURENOW_API_URL` | `https://api.securenow.ai` | API base URL. Auto-fallback to `http://localhost:4000` on ECONNREFUSED. |
 | `SECURENOW_FIREWALL_ENABLED` | `1` | Master kill-switch (`0` to disable) |
-| `SECURENOW_FIREWALL_SYNC_INTERVAL` | `60` | Seconds between blocklist refreshes |
+| `SECURENOW_FIREWALL_VERSION_INTERVAL` | `10` | Seconds between version checks (lightweight ETag-based) |
+| `SECURENOW_FIREWALL_SYNC_INTERVAL` | `300` | Full blocklist refresh interval in seconds (safety net) |
 | `SECURENOW_FIREWALL_FAIL_MODE` | `open` | `open` = allow when list unavailable; `closed` = block all |
 | `SECURENOW_FIREWALL_STATUS_CODE` | `403` | HTTP status code for blocked requests (Layer 1) |
-| `SECURENOW_FIREWALL_LOG` | `1` | Log blocked requests to console |
+| `SECURENOW_FIREWALL_LOG` | `1` | Log blocked requests to console (`0` to silence) |
 | `SECURENOW_FIREWALL_TCP` | `0` | Enable Layer 2 TCP blocking |
 | `SECURENOW_FIREWALL_IPTABLES` | `0` | Enable Layer 3 iptables/nftables blocking |
 | `SECURENOW_FIREWALL_CLOUD` | *(none)* | Cloud WAF provider: `cloudflare`, `aws`, or `gcp` |
@@ -216,16 +233,24 @@ SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
 SECURENOW_API_KEY=snk_live_abc123...
 ```
 
-Works automatically with `instrumentation.ts`:
+```javascript
+// next.config.js
+const { withSecureNow } = require('securenow/nextjs-webpack-config');
+module.exports = withSecureNow({ /* your config */ });
+```
 
 ```typescript
+// instrumentation.ts
 export async function register() {
   if (process.env.NEXT_RUNTIME === 'nodejs') {
-    await import('securenow/register');
+    const { registerSecureNow } = require('securenow/nextjs');
+    registerSecureNow();
   }
 }
 ```
 
+The firewall initializes independently from OpenTelemetry -- it works even if tracing setup encounters an error.
+
 ### PM2 Cluster
 
 ```javascript
@@ -294,7 +319,7 @@ npx securenow blocklist remove <id>
 npx securenow blocklist stats
 ```
 
-Changes take effect on the next sync interval (default 60 seconds).
+Changes take effect on the next version check (default every 10 seconds). Trusted IP changes also trigger immediate cache invalidation on the API side.
 
 ---
 
@@ -366,11 +391,9 @@ npx securenow firewall test-ip 1.2.3.4
 
 **Check 2:** Are you behind a proxy? The firewall needs to see the real client IP. Set `SECURENOW_TRUSTED_PROXIES` to your proxy's IP.
 
-**Check 3:** Is the sync interval too long? Reduce it:
+**Check 3:** Wait 10-15 seconds for version-based propagation. The version check interval defaults to 10 seconds.
 
-```bash
-SECURENOW_FIREWALL_SYNC_INTERVAL=10
-```
+**Check 4:** Using PM2? Make sure `node_args: '-r securenow/register'` is in your `ecosystem.config.cjs`. Without it, PM2 restarts skip the SDK entirely.
 
 ### iptables Layer Not Working
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.14.0",
+  "version": "5.15.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -131,7 +131,9 @@
     "docs/",
     "README.md",
     "NPM_README.md",
-    "CONSUMING-APPS-GUIDE.md"
+    "CONSUMING-APPS-GUIDE.md",
+    "SKILL-CLI.md",
+    "SKILL-API.md"
   ],
   "dependencies": {
     "@opentelemetry/api": "1.7.0",