securenow 5.15.0 → 5.16.0

package/NPM_README.md

@@ -148,7 +148,10 @@ npx securenow login
 # Or use a token for CI/headless environments
 npx securenow login --token <YOUR_JWT>
 
-# Check who you're logged in as
+# Log in for this project only (per-project credentials)
+npx securenow login --local
+
+# Check who you're logged in as (shows auth source)
 npx securenow whoami
 ```
 
@@ -241,6 +244,9 @@ npx securenow notifications read-all
 ```bash
 # View alert rules, channels, and history
 npx securenow alerts rules
+npx securenow alerts rules show <rule-id>
+npx securenow alerts rules update <rule-id> --applications-all
+npx securenow alerts rules update <rule-id> --apps key1,key2
 npx securenow alerts channels
 npx securenow alerts history --limit 20
 ```
@@ -324,12 +330,15 @@ npx securenow config set format json
 npx securenow config path
 ```
 
-Config files are stored in `~/.securenow/`:
+Config files are stored in `~/.securenow/` (global) or `.securenow/` in the project root (per-project):
 
 | File | Description |
 |------|-------------|
-| `config.json` | API URL, default app, output format |
-| `credentials.json` | Auth token (file permissions: 0600) |
+| `~/.securenow/config.json` | API URL, default app, output format |
+| `~/.securenow/credentials.json` | Auth token — global (file permissions: 0600) |
+| `.securenow/credentials.json` | Auth token — project-local (use `login --local`) |
+
+**Resolution order:** `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ### Global Flags
 
@@ -345,14 +354,37 @@ Every command supports these flags:
 
 | Variable | Description |
 |----------|-------------|
+| `SECURENOW_TOKEN` | JWT token — overrides all file-based credentials |
 | `SECURENOW_API_URL` | Override the API base URL |
 | `SECURENOW_DEBUG` | Show stack traces on errors |
 | `NO_COLOR` | Disable colored output |
 
+### Multi-Project Sessions
+
+Use `--local` to maintain separate logins per project on the same machine:
+
+```bash
+# In project A — log in as user-a@company.com
+cd ~/projects/project-a
+npx securenow login --local
+
+# In project B — log in as user-b@company.com
+cd ~/projects/project-b
+npx securenow login --local
+
+# Each project uses its own credentials independently
+npx securenow whoami   # Shows auth source: project (.securenow/)
+```
+
+You can also use the `SECURENOW_TOKEN` env var for per-terminal sessions without touching any files.
+
 ### CI/CD Integration
 
 ```bash
-# Authenticate with a token in CI
+# Authenticate with a token in CI (env var — no file needed)
+SECURENOW_TOKEN=$MY_SECRET npx securenow issues --json
+
+# Or use login with explicit token
 npx securenow login --token $SECURENOW_TOKEN
 
 # Use --json for machine-readable output
@@ -372,9 +404,9 @@ fi
 | Category | Command | Description |
 |----------|---------|-------------|
 | **Setup** | `init` | Auto-scaffold instrumentation for your framework |
-| **Auth** | `login` | Authenticate via browser or `--token` |
-| | `logout` | Clear credentials |
-| | `whoami` | Show session info |
+| **Auth** | `login` | Authenticate via browser, `--token`, or `--local` |
+| | `logout` | Clear credentials (`--local` for project only) |
+| | `whoami` | Show session info and auth source |
 | **Apps** | `apps` | List applications |
 | | `apps create <name>` | Create application |
 | | `apps info <id>` | Application details |
@@ -394,7 +426,9 @@ fi
 | | `notifications unread` | Unread count |
 | | `notifications read <id>` | Mark read |
 | | `notifications read-all` | Mark all read |
-| | `alerts rules` | Alert rules |
+| | `alerts rules` | List rules (status, apps, schedule) |
+| | `alerts rules show <id>` | Rule detail |
+| | `alerts rules update <id> --applications-all` / `--apps k1,k2` | Application scope |
 | | `alerts channels` | Alert channels |
 | | `alerts history` | Alert history |
 | **Investigate** | `ip <addr>` | IP intelligence |

package/README.md

@@ -264,8 +264,10 @@ Most users won't need this — just add `-r securenow/register` to your existing
 |---------|-------------|
 | `securenow login` | Log in via browser (opens OAuth flow) |
 | `securenow login --token <TOKEN>` | Log in with a token (for CI/headless) |
+| `securenow login --local` | Log in and save credentials to the current project only |
 | `securenow logout` | Clear stored credentials |
-| `securenow whoami` | Show current session info |
+| `securenow logout --local` | Clear project-local credentials only |
+| `securenow whoami` | Show current session info (including auth source) |
 
 ### Applications
 
@@ -300,7 +302,10 @@ Most users won't need this — just add `-r securenow/register` to your existing
 | `securenow notifications unread` | Show unread count |
 | `securenow notifications read <id>` | Mark notification as read |
 | `securenow notifications read-all` | Mark all as read |
-| `securenow alerts rules` | List alert rules |
+| `securenow alerts rules` | List alert rules (status, applications, schedule) |
+| `securenow alerts rules show <id>` | Show one rule (includes all-apps vs explicit apps) |
+| `securenow alerts rules update <id> --applications-all` | Set rule to all current & future apps |
+| `securenow alerts rules update <id> --apps k1,k2` | Scope rule to specific app keys |
 | `securenow alerts channels` | List alert channels |
 | `securenow alerts history` | View alert history |
 
@@ -353,15 +358,19 @@ Most users won't need this — just add `-r securenow/register` to your existing
 | `--json` | Output as JSON (works on every command) |
 | `--help` | Show help for any command |
 | `--app <key>` | Specify app key (or set default with `config set defaultApp`) |
+| `--local` | Save/clear credentials per-project (login/logout only) |
 
 ### Configuration
 
-Credentials and settings are stored in `~/.securenow/`:
+Credentials and settings are stored in `~/.securenow/` (global) or `.securenow/` (per-project):
 
 | File | Purpose |
 |------|---------|
 | `~/.securenow/config.json` | API URL, default app, preferences |
-| `~/.securenow/credentials.json` | Auth token (restricted permissions) |
+| `~/.securenow/credentials.json` | Auth token — global (restricted permissions) |
+| `.securenow/credentials.json` | Auth token — project-local (use `login --local`) |
+
+**Credential resolution order:** `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 Override the API URL with `securenow config set apiUrl <url>` or the `SECURENOW_API_URL` environment variable.
 

package/SKILL-CLI.md

@@ -18,9 +18,12 @@ npx securenow <command>
 ```bash
 securenow login             # opens browser OAuth; stores JWT in ~/.securenow/credentials.json
 securenow login --token <JWT>   # headless / CI login (get token from dashboard Settings)
-securenow whoami             # verify session
+securenow login --local     # save credentials to this project only (.securenow/)
+securenow whoami             # verify session (shows auth source)
 ```
 
+**Per-project credentials:** Use `--local` to keep separate logins in different project directories on the same machine. Credentials resolve in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
+
 ### Integrate With Your App
 
 The CLI can also instrument any Node.js app at launch — no code changes:
@@ -47,22 +50,25 @@ Save this file as `.cursor/skills/securenow-cli/SKILL.md` in your project. Your
 
 ## Configuration
 
-Config lives in `~/.securenow/`:
+Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-project):
 
 | File | Content |
 |------|---------|
-| `config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
-| `credentials.json` | `token`, `email`, `expiresAt` |
+| `~/.securenow/config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
+| `~/.securenow/credentials.json` | `token`, `email`, `expiresAt` (global) |
+| `.securenow/credentials.json` | `token`, `email`, `expiresAt` (project-local, use `login --local`) |
+
+**Credential resolution order:** `SECURENOW_TOKEN` env var → `.securenow/credentials.json` (project) → `~/.securenow/credentials.json` (global).
 
 ```bash
 securenow config set apiUrl https://api.securenow.ai
 securenow config set defaultApp my-app-key
 securenow config get                     # show all
 securenow config get defaultApp          # show one
-securenow config path                    # print file paths
+securenow config path                    # print file paths + active auth source
 ```
 
-Environment overrides: `SECURENOW_API_URL`, `SECURENOW_APP_URL`, `SECURENOW_APP` (default app key).
+Environment overrides: `SECURENOW_TOKEN` (JWT), `SECURENOW_API_URL`, `SECURENOW_APP_URL`, `SECURENOW_APP` (default app key).
 
 ## Global Flags
 
@@ -94,10 +100,12 @@ Spawns `node --require securenow/register [--import otel/hook.mjs] <script>`. ES
 ### Authentication
 
 ```bash
-securenow login                   # browser-based OAuth (starts local callback server)
+securenow login                   # browser-based OAuth (stores in global ~/.securenow/)
 securenow login --token <JWT>     # headless / CI login
-securenow logout                  # clear ~/.securenow/credentials.json
-securenow whoami                  # show email, user ID, API URL, expiry, default app
+securenow login --local           # save credentials to project .securenow/ (per-project session)
+securenow logout                  # clear active credentials (local if present, else global)
+securenow logout --local          # clear project-local credentials only
+securenow whoami                  # show email, user ID, API URL, auth source, expiry, default app
 ```
 
 ### Applications
@@ -174,7 +182,10 @@ securenow notifications unread               # unread count
 
 ```bash
 securenow alerts                             # list alert rules (default)
-securenow alerts rules                       # list alert rules
+securenow alerts rules                       # list alert rules (columns: Status, Applications, Schedule)
+securenow alerts rules show <id>            # one rule; JSON: --json
+securenow alerts rules update <id> --applications-all   # all current & future apps
+securenow alerts rules update <id> --apps key1,key2     # explicit app keys only
 securenow alerts channels                    # list alert channels (Slack, email, etc.)
 securenow alerts history [--limit N]         # past triggered alerts
 ```
@@ -386,8 +397,8 @@ All commands support `--json` for structured output. When piping to other tools
 
 | Exit code / Error | Meaning | Recovery |
 |------------------|---------|----------|
-| `Session expired` | JWT expired | `securenow login` |
-| `Not logged in` | No token in `~/.securenow/credentials.json` | `securenow login` |
+| `Session expired` | JWT expired | `securenow login` (or `login --local`) |
+| `Not logged in` | No token found | `securenow login` or set `SECURENOW_TOKEN` env var |
 | `Access denied (403)` | Insufficient plan or permissions | Upgrade plan or check user role |
 | `Cannot connect` | API unreachable | Check `SECURENOW_API_URL` or network |
 | `Unknown command` | Typo or unrecognized command | `securenow help` |

package/cli/auth.js

@@ -120,6 +120,8 @@ async function loginWithToken(token) {
 }
 
 async function login(args, flags) {
+  const local = !!flags.local;
+
   if (flags.token) {
     const token = flags.token;
     await loginWithToken(token);
@@ -127,9 +129,11 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp);
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -143,9 +147,11 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp);
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -165,14 +171,16 @@ async function login(args, flags) {
   }
 }
 
-async function logout() {
+async function logout(args, flags) {
+  const local = flags ? flags.local : undefined;
   const creds = config.loadCredentials();
-  config.clearCredentials();
+  config.clearCredentials({ local });
   if (creds.email) {
     ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
   } else {
     ui.success('Logged out');
   }
+  if (local) ui.info('Cleared project-local credentials');
 }
 
 async function whoami() {
@@ -192,6 +200,7 @@ async function whoami() {
     ['Email', creds.email || payload?.email || 'unknown'],
     ['User ID', payload?.sub || 'unknown'],
     ['API', config.getApiUrl()],
+    ['Auth Source', config.getAuthSource()],
   ];
   if (creds.expiresAt) {
     const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));

package/cli/config.js

@@ -8,6 +8,10 @@ const CONFIG_DIR = path.join(os.homedir(), '.securenow');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
 
+const LOCAL_CONFIG_DIR = path.join(process.cwd(), '.securenow');
+const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
+const LOCAL_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'credentials.json');
+
 const DEFAULTS = {
   apiUrl: 'https://api.securenow.ai',
   appUrl: 'https://app.securenow.ai',
@@ -15,9 +19,9 @@ const DEFAULTS = {
   output: 'table',
 };
 
-function ensureDir() {
-  if (!fs.existsSync(CONFIG_DIR)) {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+function ensureDir(dir) {
+  if (!fs.existsSync(dir || CONFIG_DIR)) {
+    fs.mkdirSync(dir || CONFIG_DIR, { recursive: true, mode: 0o700 });
   }
 }
 
@@ -30,7 +34,7 @@ function loadJSON(filepath) {
 }
 
 function saveJSON(filepath, data) {
-  ensureDir();
+  ensureDir(path.dirname(filepath));
   fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
   if (process.platform === 'win32') {
     try {
@@ -40,8 +44,25 @@ function saveJSON(filepath, data) {
   }
 }
 
+function hasLocalCredentials() {
+  return fs.existsSync(LOCAL_CREDENTIALS_FILE);
+}
+
+function resolveCredentialsFile() {
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return LOCAL_CREDENTIALS_FILE;
+  return CREDENTIALS_FILE;
+}
+
+function getAuthSource() {
+  if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return 'project (.securenow/)';
+  return 'global (~/.securenow/)';
+}
+
 function loadConfig() {
-  return { ...DEFAULTS, ...loadJSON(CONFIG_FILE) };
+  const global = loadJSON(CONFIG_FILE);
+  const local = fs.existsSync(LOCAL_CONFIG_FILE) ? loadJSON(LOCAL_CONFIG_FILE) : {};
+  return { ...DEFAULTS, ...global, ...local };
 }
 
 function saveConfig(config) {
@@ -59,20 +80,29 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  return loadJSON(CREDENTIALS_FILE);
+  return loadJSON(resolveCredentialsFile());
 }
 
-function saveCredentials(creds) {
-  saveJSON(CREDENTIALS_FILE, creds);
+function saveCredentials(creds, { local = false } = {}) {
+  const targetFile = local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  saveJSON(targetFile, creds);
 }
 
-function clearCredentials() {
+function clearCredentials({ local } = {}) {
   try {
-    fs.unlinkSync(CREDENTIALS_FILE);
+    if (local === true) {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    } else if (local === false || !hasLocalCredentials()) {
+      fs.unlinkSync(CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    }
   } catch {}
 }
 
 function getToken() {
+  if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
+
   const creds = loadCredentials();
   if (!creds.token) return null;
 
@@ -82,8 +112,23 @@ function getToken() {
   return creds.token;
 }
 
-function setAuth(token, email, expiresAt) {
-  saveCredentials({ token, email, expiresAt });
+function setAuth(token, email, expiresAt, { local = false } = {}) {
+  saveCredentials({ token, email, expiresAt }, { local });
+}
+
+function ensureLocalGitignore() {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  const entry = '.securenow/';
+  try {
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      if (!content.split('\n').some(line => line.trim() === entry)) {
+        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      }
+    } else {
+      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+    }
+  } catch {}
 }
 
 function getApiUrl() {
@@ -102,6 +147,8 @@ module.exports = {
   CONFIG_DIR,
   CONFIG_FILE,
   CREDENTIALS_FILE,
+  LOCAL_CONFIG_DIR,
+  LOCAL_CREDENTIALS_FILE,
   loadConfig,
   saveConfig,
   getConfigValue,
@@ -111,6 +158,9 @@ module.exports = {
   clearCredentials,
   getToken,
   setAuth,
+  getAuthSource,
+  hasLocalCredentials,
+  ensureLocalGitignore,
   getApiUrl,
   getAppUrl,
   getDefaultApp,

package/cli/security.js

@@ -10,6 +10,39 @@ function resolveApp(flags) {
 
 // ── Alert Rules ──
 
+function formatRuleApplicationsCell(rule) {
+  if (rule.applicationsAll) {
+    return ui.c.cyan('all apps');
+  }
+  const keys = rule.applications || [];
+  if (keys.length === 0) return ui.c.dim('—');
+  const joined = keys.join(', ');
+  return joined.length > 48 ? `${joined.slice(0, 45)}…` : joined;
+}
+
+function ruleStatusBadge(rule) {
+  const st = rule.status || (rule.enabled !== false ? 'Active' : 'Disabled');
+  if (st === 'Active') return ui.statusBadge('active');
+  if (st === 'Disabled') return ui.statusBadge('disabled');
+  if (st === 'Paused') return ui.statusBadge('paused');
+  return st;
+}
+
+/** Dispatch: list | show <id> | update <id> ... */
+async function alertRulesRoute(args, flags) {
+  const sub = args[0];
+  if (sub === 'show') {
+    return alertRuleShow(args.slice(1), flags);
+  }
+  if (sub === 'update') {
+    return alertRuleUpdate(args.slice(1), flags);
+  }
+  if (sub === 'list') {
+    return alertRulesList(args.slice(1), flags);
+  }
+  return alertRulesList(args, flags);
+}
+
 async function alertRulesList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching alert rules');
@@ -21,15 +54,16 @@ async function alertRulesList(args, flags) {
     if (flags.json) { ui.json(rules); return; }
 
     console.log('');
-    const rows = rules.map(r => [
+    const rows = rules.map((r) => [
       ui.c.dim(ui.truncate(r._id, 12)),
-      r.name || r.type || '—',
-      ui.statusBadge(r.enabled !== false ? 'enabled' : 'disabled'),
-      r.severity ? ui.statusBadge(r.severity) : '—',
-      r.type || '—',
-      r.serviceName || ui.c.dim('all'),
+      r.name || '—',
+      ruleStatusBadge(r),
+      formatRuleApplicationsCell(r),
+      r.schedule?.enabled === false ? ui.c.dim('off') : (r.schedule?.description || r.schedule?.cronExpression || '—'),
     ]);
-    ui.table(['ID', 'Name', 'Status', 'Severity', 'Type', 'App'], rows);
+    ui.table(['ID', 'Name', 'Status', 'Applications', 'Schedule'], rows);
+    console.log('');
+    console.log(ui.c.dim('  Applications: "all apps" = all current & future active apps.  show <id>  ·  update <id> --applications-all  ·  --apps k1,k2'));
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch alert rules');
@@ -37,6 +71,105 @@ async function alertRulesList(args, flags) {
   }
 }
 
+async function alertRuleShow(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules show <rule-id>');
+    process.exit(1);
+  }
+  const s = ui.spinner('Fetching alert rule');
+  try {
+    const data = await api.get(`/alert-rules/${id}`);
+    const r = data.alertRule;
+    s.stop('');
+
+    if (flags.json) {
+      ui.json(r);
+      return;
+    }
+
+    console.log('');
+    ui.heading(r.name || 'Alert rule');
+    console.log('');
+    const appLine = r.applicationsAll
+      ? 'All applications (current & future)'
+      : (r.applications && r.applications.length > 0 ? r.applications.join(', ') : '—');
+    ui.keyValue([
+      ['ID', r._id || r.id || id],
+      ['Status', r.status || '—'],
+      ['System rule', r.isSystem ? 'yes' : 'no'],
+      ['Applications', appLine],
+      ['Schedule', r.schedule?.enabled === false ? 'disabled' : (r.schedule?.description || r.schedule?.cronExpression || '—')],
+      ['Throttle', r.throttle?.enabled ? `${r.throttle.minutes} min` : 'off'],
+      ['Query', r.queryMappingId?.name || '—'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch alert rule');
+    throw err;
+  }
+}
+
+async function alertRuleUpdate(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules update <rule-id> (--applications-all | --apps <k1,k2>)');
+    process.exit(1);
+  }
+
+  const hasAll =
+    flags['applications-all'] === true ||
+    flags['applications-all'] === 'true';
+  const hasNoAll =
+    flags['no-applications-all'] === true ||
+    flags['no-applications-all'] === 'true';
+  const appsStr = flags.apps;
+
+  if (hasAll && hasNoAll) {
+    ui.error('Use only one of --applications-all or --no-applications-all');
+    process.exit(1);
+  }
+  if (hasAll && appsStr) {
+    ui.error('Cannot combine --applications-all with --apps');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (hasAll) {
+    body.applicationsAll = true;
+    body.applications = [];
+  } else if (hasNoAll || appsStr) {
+    body.applicationsAll = false;
+    if (!appsStr) {
+      ui.error('Pass --apps key1,key2 when using --no-applications-all, or omit --no-applications-all and use --apps only');
+      process.exit(1);
+    }
+    body.applications = String(appsStr)
+      .split(',')
+      .map((x) => x.trim())
+      .filter(Boolean);
+    if (body.applications.length === 0) {
+      ui.error('No application keys parsed from --apps');
+      process.exit(1);
+    }
+  } else {
+    ui.error('Nothing to update. Use --applications-all or --apps key1,key2');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Updating alert rule');
+  try {
+    await api.put(`/alert-rules/${id}`, body);
+    s.stop('Updated');
+    ui.success('Alert rule updated');
+  } catch (err) {
+    s.fail('Failed to update alert rule');
+    throw err;
+  }
+}
+
 // ── Alert Channels ──
 
 async function alertChannelsList(args, flags) {
@@ -901,7 +1034,10 @@ async function analytics(args, flags) {
 }
 
 module.exports = {
+  alertRulesRoute,
   alertRulesList,
+  alertRuleShow,
+  alertRuleUpdate,
   alertChannelsList,
   alertHistoryList,
   blocklistList,

package/cli/ui.js

@@ -302,6 +302,7 @@ function statusBadge(status) {
     trusted: c.green('■ trusted'),
     enabled: c.green('● enabled'),
     disabled: c.dim('○ disabled'),
+    paused: c.yellow('◆ paused'),
     critical: c.red('▲ critical'),
     high: c.red('▲ high'),
     medium: c.yellow('▲ medium'),

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');
@@ -47,14 +47,15 @@ const COMMANDS = {
   },
   login: {
     desc: 'Authenticate with SecureNow',
-    usage: 'securenow login [--token <TOKEN>]',
-    flags: { token: 'Authenticate with a token directly' },
+    usage: 'securenow login [--token <TOKEN>] [--local]',
+    flags: { token: 'Authenticate with a token directly', local: 'Save credentials to this project only (.securenow/)' },
     run: (a, f) => require('./cli/auth').login(a, f),
   },
   logout: {
     desc: 'Clear stored credentials',
-    usage: 'securenow logout',
-    run: () => require('./cli/auth').logout(),
+    usage: 'securenow logout [--local]',
+    flags: { local: 'Clear project-local credentials only' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
   },
   whoami: {
     desc: 'Show current session info',
@@ -119,7 +120,16 @@ const COMMANDS = {
     desc: 'Manage alerting',
     usage: 'securenow alerts <subcommand> [options]',
     sub: {
-      rules: { desc: 'List alert rules', run: (a, f) => require('./cli/security').alertRulesList(a, f) },
+      rules: {
+        desc: 'List, show, or update alert rules',
+        flags: {
+          json: 'Output as JSON',
+          'applications-all': 'With update: scope rule to all apps',
+          'no-applications-all': 'With update: scope to explicit --apps list',
+          apps: 'Comma-separated app keys (with update)',
+        },
+        run: (a, f) => require('./cli/security').alertRulesRoute(a, f),
+      },
       channels: { desc: 'List alert channels', run: (a, f) => require('./cli/security').alertChannelsList(a, f) },
       history: { desc: 'View alert history', flags: { limit: 'Max results' }, run: (a, f) => require('./cli/security').alertHistoryList(a, f) },
     },
@@ -267,8 +277,12 @@ const COMMANDS = {
         desc: 'Show config file path',
         run: () => {
           const conf = require('./cli/config');
-          console.log(`Config:      ${conf.CONFIG_FILE}`);
-          console.log(`Credentials: ${conf.CREDENTIALS_FILE}`);
+          console.log(`Config:         ${conf.CONFIG_FILE}`);
+          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
+          if (conf.hasLocalCredentials()) {
+            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
+          }
+          console.log(`Auth source:    ${conf.getAuthSource()}`);
         },
       },
     },

package/docs/ALL-FRAMEWORKS-QUICKSTART.md

@@ -764,10 +764,14 @@ The SecureNow CLI is your terminal command center. Below is every command organi
 
 | Command | What It Does |
 |---------|-------------|
-| `securenow login` | Opens browser to authenticate |
+| `securenow login` | Opens browser to authenticate (global session) |
 | `securenow login --token <T>` | Authenticate with a token (for CI/CD or headless servers) |
+| `securenow login --local` | Save credentials to this project only (per-project session) |
 | `securenow logout` | Clear stored credentials |
-| `securenow whoami` | Show current session (email, API URL, expiry, default app) |
+| `securenow logout --local` | Clear project-local credentials only |
+| `securenow whoami` | Show current session (email, API URL, auth source, expiry, default app) |
+
+**Per-project credentials:** Use `--local` to maintain separate logins for different projects on the same machine. The CLI resolves credentials in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ### App Management
 
@@ -805,6 +809,9 @@ The SecureNow CLI is your terminal command center. Below is every command organi
 | `securenow issues show <id>` | Full issue detail + AI analysis |
 | `securenow issues resolve <id>` | Mark issue as resolved |
 | `securenow alerts rules` | List alert rules |
+| `securenow alerts rules show <id>` | One rule (all-apps vs explicit keys) |
+| `securenow alerts rules update <id> --applications-all` | All current & future apps |
+| `securenow alerts rules update <id> --apps k1,k2` | Explicit app keys only |
 | `securenow alerts channels` | List alert channels (email, webhook, Slack) |
 | `securenow alerts history --limit 50` | View past triggered alerts |
 | `securenow notifications` | List notifications |
@@ -1171,6 +1178,11 @@ Configure alert rules and channels from the [dashboard](https://app.securenow.ai
 # List your alert rules
 npx securenow alerts rules
 
+# Show one rule / set application scope (all apps vs explicit keys)
+npx securenow alerts rules show <rule-id>
+npx securenow alerts rules update <rule-id> --applications-all
+npx securenow alerts rules update <rule-id> --apps key1,key2
+
 # List alert channels (email, Slack, webhook)
 npx securenow alerts channels
 
@@ -1305,9 +1317,15 @@ Or re-authenticate with a token:
 npx securenow login --token <YOUR_TOKEN>
 ```
 
+Or set the env var directly:
+
+```bash
+SECURENOW_TOKEN=<YOUR_JWT> npx securenow whoami
+```
+
 ### CLI says "Session expired"
 
-Tokens expire after a set period. Re-run `securenow login` to get a fresh session.
+Tokens expire after a set period. Re-run `securenow login` to get a fresh session. Use `securenow whoami` to check which credential source is active.
 
 ---
 

package/docs/API-KEYS-GUIDE.md

@@ -87,6 +87,8 @@ Restrict an API key to specific applications. When set, the key can only access
 
 Leave empty to allow access to all applications on your account.
 
+**Alert rules:** Keys that are scoped to specific applications **cannot** create or update alert rules with **`applicationsAll: true`** (“all applications”). Use explicit app keys on each rule instead. Unscoped keys may use all-apps mode.
+
 ---
 
 ## IP Allowlisting
@@ -126,7 +128,7 @@ The firewall SDK reads this automatically on startup.
 ### In CI/CD
 
 ```yaml
-# GitHub Actions example
+# GitHub Actions example — SDK firewall key
 env:
   SECURENOW_API_KEY: ${{ secrets.SECURENOW_API_KEY }}
 
@@ -137,6 +139,22 @@ steps:
       echo "$ISSUES" | jq '.issues | length'
 ```
 
+### CLI Authentication in CI/CD
+
+For CLI commands in CI, use the `SECURENOW_TOKEN` env var to skip file-based login:
+
+```yaml
+# GitHub Actions example — CLI auth via env var
+env:
+  SECURENOW_TOKEN: ${{ secrets.SECURENOW_CLI_TOKEN }}
+
+steps:
+  - run: npx securenow issues --json --status open
+  - run: npx securenow forensics "critical attacks in last 24h" --json
+```
+
+The `SECURENOW_TOKEN` env var takes priority over any stored credentials.
+
 ---
 
 ## Key Management

package/firewall.js

@@ -395,6 +395,7 @@ p{font-size:.9rem;line-height:1.7;color:#a1a1aa;margin-bottom:.5rem}
 .contact a{color:#f87171;text-decoration:none;font-weight:500}
 .contact a:hover{text-decoration:underline}
 .footer{margin-top:2rem;font-size:.7rem;color:#3f3f46}
+.powered{margin-top:1.5rem;font-size:.75rem;color:#52525b}.powered a{color:#a1a1aa;text-decoration:none;font-weight:600;transition:color .2s}.powered a:hover{color:#f87171;text-decoration:underline}
 </style>
 </head>
 <body>
@@ -408,6 +409,7 @@ p{font-size:.9rem;line-height:1.7;color:#a1a1aa;margin-bottom:.5rem}
 <div class="divider"></div>
 <p class="contact">If you believe this is a mistake, please contact us at<br><a href="mailto:contact@securenow.ai?subject=Blocked%20IP%20Appeal%20-%20${encodeURIComponent(maskedIp)}&body=IP:%20${encodeURIComponent(maskedIp)}%0ATimestamp:%20${encodeURIComponent(new Date().toISOString())}%0A%0APlease%20describe%20why%20you%20believe%20this%20block%20is%20incorrect:">contact@securenow.ai</a><br>Include your IP address and the time of this incident.</p>
 <p class="footer">Ref: ${maskedIp} &mdash; ${new Date().toISOString()} &mdash; HTTP 403</p>
+<p class="powered">Protected by <a href="https://securenow.ai" rel="dofollow" target="_blank">SecureNow</a></p>
 </div>
 </body>
 </html>`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.15.0",
+  "version": "5.16.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",