securenow 5.18.0 → 6.0.0

package/cli/fp.js

@@ -1,638 +0,0 @@
-'use strict';
-
-const fs = require('fs');
-const path = require('path');
-const { api, requireAuth } = require('./client');
-const ui = require('./ui');
-
-// ── Helpers ──
-
-function parseConditions(flags) {
-  if (!flags.conditions) return null;
-  try {
-    const parsed = JSON.parse(flags.conditions);
-    if (!Array.isArray(parsed)) throw new Error();
-    return parsed;
-  } catch {
-    ui.error('--conditions must be a valid JSON array, e.g. \'[{"field":"path","operator":"equals","value":"/api/event"}]\'');
-    process.exit(1);
-  }
-}
-
-function readBody(args, flags) {
-  const raw = args[0] || flags.body;
-  if (!raw && !process.stdin.isTTY) {
-    try {
-      return fs.readFileSync(0, 'utf8');
-    } catch { return null; }
-  }
-  if (!raw) return null;
-  if (raw.startsWith('@')) {
-    const filePath = path.resolve(raw.slice(1));
-    if (!fs.existsSync(filePath)) {
-      ui.error(`File not found: ${filePath}`);
-      process.exit(1);
-    }
-    return fs.readFileSync(filePath, 'utf8');
-  }
-  return raw;
-}
-
-function conditionsSummary(conditions, matchMode) {
-  if (!conditions || !conditions.length) return ui.c.dim('(none)');
-  const mode = matchMode === 'any' ? ' OR ' : ' AND ';
-  return conditions.map(c => `${c.field} ${c.operator} "${ui.truncate(c.value || '', 30)}"`).join(mode);
-}
-
-function printConditions(conditions, matchMode) {
-  if (!conditions?.length) { console.log(ui.c.dim('  No conditions')); return; }
-  const modeLabel = matchMode === 'any' ? ui.c.yellow('ANY (OR)') : ui.c.cyan('ALL (AND)');
-  console.log(`  Match mode: ${modeLabel}\n`);
-  conditions.forEach((c, i) => {
-    const prefix = i > 0 ? `  ${matchMode === 'any' ? 'OR ' : 'AND'}` : '    ';
-    console.log(`${prefix} ${ui.c.bold(c.field)} ${ui.c.cyan(c.operator)} ${ui.c.dim('"')}${c.value || ''}${ui.c.dim('"')}`);
-  });
-}
-
-// ── List ──
-
-async function list(args, flags) {
-  requireAuth();
-  const s = ui.spinner('Fetching exclusion rules');
-  try {
-    const data = await api.get('/false-positives');
-    const exclusions = data.exclusions || [];
-    s.stop(`Found ${exclusions.length} exclusion rule${exclusions.length !== 1 ? 's' : ''}`);
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    if (!exclusions.length) {
-      ui.info('No exclusion rules found. Create one with: securenow fp create');
-      console.log('');
-      return;
-    }
-
-    const rows = exclusions.map(e => {
-      const scope = e.type === 'global' ? ui.c.cyan('All Rules') : `Rule: ${ui.truncate(e.ruleName || '?', 18)}`;
-      return [
-        ui.c.dim(ui.truncate(e._id, 12)),
-        scope,
-        ui.truncate(conditionsSummary(e.conditions, e.matchMode), 40),
-        (e.matchMode || 'all').toUpperCase(),
-        ui.statusBadge(e.isActive !== false ? 'enabled' : 'disabled'),
-        ui.truncate(e.reason || '', 20),
-        ui.timeAgo(e.createdAt),
-      ];
-    });
-    ui.table(['ID', 'Scope', 'Conditions', 'Mode', 'Status', 'Reason', 'Created'], rows);
-    console.log('');
-  } catch (err) {
-    s.fail('Failed to fetch exclusion rules');
-    throw err;
-  }
-}
-
-// ── Show ──
-
-async function show(args, flags) {
-  requireAuth();
-  const id = args[0];
-  if (!id) {
-    ui.error('Exclusion ID required. Usage: securenow fp show <id>');
-    process.exit(1);
-  }
-
-  const s = ui.spinner('Fetching exclusion details');
-  try {
-    const [data, countData] = await Promise.all([
-      api.get(`/false-positives/exclusions/${id}`),
-      api.get(`/false-positives/result-count/${id}`).catch(() => null),
-    ]);
-
-    const excl = data.exclusion;
-    if (!excl) {
-      s.fail(`Exclusion ${id} not found`);
-      process.exit(1);
-    }
-
-    s.stop('Exclusion loaded');
-
-    if (flags.json) { ui.json({ exclusion: excl, scope: data.scope, resultCount: countData }); return; }
-
-    console.log('');
-    ui.heading(`Exclusion Rule: ${excl._id}`);
-    console.log('');
-    ui.keyValue([
-      ['ID', excl._id],
-      ['Active', excl.isActive !== false ? ui.c.green('Yes') : ui.c.red('No')],
-      ['Match Mode', (excl.matchMode || 'all').toUpperCase()],
-      ['Reason', excl.reason || ui.c.dim('—')],
-      ['Scope', data.scope === 'rule' ? `Rule: ${excl._ruleName || excl._ruleId}` : 'Global'],
-      ['Created', excl.createdAt ? new Date(excl.createdAt).toLocaleString() : '—'],
-    ]);
-
-    if (countData) {
-      console.log('');
-      ui.keyValue([
-        ['Matched IPs', String(countData.matchCount ?? '—')],
-      ]);
-    }
-
-    console.log('');
-    ui.subheading('Conditions');
-    console.log('');
-    printConditions(excl.conditions, excl.matchMode);
-
-    if (excl.pathPattern) {
-      console.log(`\n  ${ui.c.bold('Path Pattern')}: ${excl.pathPattern}`);
-    }
-    console.log('');
-  } catch (err) {
-    if (err.statusCode === 404 || err.status === 404) {
-      s.fail(`Exclusion ${id} not found`);
-      process.exit(1);
-    }
-    s.fail('Failed to fetch exclusion');
-    throw err;
-  }
-}
-
-// ── Create ──
-
-async function create(args, flags) {
-  requireAuth();
-  let conditions = parseConditions(flags);
-
-  if (!conditions) {
-    conditions = [];
-    if (flags.path) {
-      conditions.push({ field: 'path', operator: flags['path-op'] || 'equals', value: flags.path });
-    }
-    if (flags.method) {
-      conditions.push({ field: 'method', operator: 'equals', value: flags.method.toUpperCase() });
-    }
-    if (flags['body-operator'] && flags['body-value']) {
-      conditions.push({ field: 'request_body', operator: flags['body-operator'], value: flags['body-value'] });
-    }
-    if (flags['path-safe']) {
-      conditions.push({ field: 'path', operator: 'path_safe_values', value: flags['path-safe'] === true ? 'standard' : flags['path-safe'] });
-    }
-    if (flags['query-safe']) {
-      conditions.push({ field: 'path', operator: 'query_safe_values', value: flags['query-safe'] === true ? 'standard' : flags['query-safe'] });
-    }
-    if (flags['query-keys']) {
-      conditions.push({ field: 'path', operator: 'query_has_only_keys', value: flags['query-keys'] });
-    }
-    if (flags['ua-safe']) {
-      conditions.push({ field: 'user_agent', operator: 'ua_safe_values', value: flags['ua-safe'] === true ? 'standard' : flags['ua-safe'] });
-    }
-    if (flags['headers-safe']) {
-      conditions.push({ field: 'request_headers', operator: 'headers_safe_values', value: flags['headers-safe'] === true ? 'standard' : flags['headers-safe'] });
-    }
-    if (flags['headers-keys']) {
-      conditions.push({ field: 'request_headers', operator: 'headers_has_only_keys', value: flags['headers-keys'] });
-    }
-    if (!conditions.length) {
-      ui.error('At least one condition is required.');
-      ui.info('Use --conditions \'[...]\' or --path, --method, --body-operator, --path-safe, --ua-safe, --headers-safe, etc.');
-      process.exit(1);
-    }
-  }
-
-  const body = {
-    conditions,
-    matchMode: flags['match-mode'] || 'all',
-  };
-  if (flags.reason) body.reason = flags.reason;
-
-  const scopeParams = parseRuleScope(flags);
-  const effectiveScope = scopeParams.ruleScope || 'any_rule';
-
-  if (effectiveScope === 'this_rule') {
-    ui.error('--rule-scope this_rule requires a notification context. Use "securenow fp mark" or --rule-scope specific_rules with --target-rules.');
-    process.exit(1);
-  }
-
-  body.ruleScope = effectiveScope;
-  if (scopeParams.targetRuleIds) body.targetRuleIds = scopeParams.targetRuleIds;
-
-  const s = ui.spinner('Creating exclusion rule');
-  try {
-    const data = await api.post('/false-positives/exclusions', body);
-
-    s.stop('Exclusion rule created');
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    if (effectiveScope === 'any_rule') {
-      ui.success(`Created global exclusion: ${data.exclusion?._id || '(unknown ID)'}`);
-    } else {
-      const ruleCount = data.rules?.length || 0;
-      ui.success(`Created exclusion on ${ruleCount} rule${ruleCount !== 1 ? 's' : ''}`);
-      if (data.rules) {
-        data.rules.forEach(r => {
-          console.log(`    ${ui.c.dim('•')} ${r.ruleName || r.ruleId}`);
-        });
-      }
-    }
-    console.log('');
-    ui.keyValue([['Scope', scopeLabel(effectiveScope)]]);
-    console.log('');
-    printConditions(conditions, body.matchMode);
-    if (flags.reason) console.log(`\n  Reason: ${flags.reason}`);
-    console.log('');
-  } catch (err) {
-    s.fail('Failed to create exclusion rule');
-    throw err;
-  }
-}
-
-// ── Edit ──
-
-async function edit(args, flags) {
-  requireAuth();
-  const id = args[0];
-  if (!id) {
-    ui.error('Exclusion ID required. Usage: securenow fp edit <id> [--active true/false] [--reason "..."]');
-    process.exit(1);
-  }
-
-  const body = {};
-  if (flags.active != null) body.isActive = flags.active === 'true' || flags.active === true;
-  if (flags.reason) body.reason = flags.reason;
-  if (flags['match-mode']) body.matchMode = flags['match-mode'];
-  const conditions = parseConditions(flags);
-  if (conditions) body.conditions = conditions;
-
-  if (!Object.keys(body).length) {
-    ui.error('Nothing to update. Use --active, --reason, --match-mode, or --conditions.');
-    process.exit(1);
-  }
-
-  const s = ui.spinner(`Updating exclusion ${id}`);
-  try {
-    const data = await api.put(`/false-positives/exclusions/${id}`, body);
-    s.stop('Exclusion updated');
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    ui.success(`Updated exclusion: ${id}`);
-    if (data.exclusion) {
-      ui.keyValue([
-        ['Active', data.exclusion.isActive !== false ? ui.c.green('Yes') : ui.c.red('No')],
-        ['Match Mode', (data.exclusion.matchMode || 'all').toUpperCase()],
-        ['Reason', data.exclusion.reason || ui.c.dim('—')],
-      ]);
-    }
-    console.log('');
-  } catch (err) {
-    s.fail('Failed to update exclusion');
-    throw err;
-  }
-}
-
-// ── Delete ──
-
-async function remove(args, flags) {
-  requireAuth();
-  const id = args[0];
-  if (!id) {
-    ui.error('Exclusion ID required. Usage: securenow fp delete <id>');
-    process.exit(1);
-  }
-
-  if (!flags.force && !flags.yes) {
-    const ok = await ui.confirm(`Delete exclusion ${id}?`);
-    if (!ok) { ui.info('Cancelled'); return; }
-  }
-
-  const s = ui.spinner(`Deleting exclusion ${id}`);
-  try {
-    await api.delete(`/false-positives/exclusions/${id}`);
-    s.stop('Exclusion deleted');
-  } catch (err) {
-    s.fail('Failed to delete exclusion');
-    throw err;
-  }
-}
-
-// ── Test Body ──
-
-async function testBody(args, flags) {
-  requireAuth();
-  const bodyStr = readBody(args, flags);
-  if (!bodyStr) {
-    ui.error('Request body is required. Pass as argument, --body, @filepath, or pipe via stdin.');
-    ui.info('Example: securenow fp test-body \'{"key":"value"}\' --conditions \'[...]\'');
-    process.exit(1);
-  }
-
-  const conditions = parseConditions(flags);
-  if (!conditions || !conditions.length) {
-    ui.error('--conditions is required with at least one request_body condition.');
-    process.exit(1);
-  }
-
-  const s = ui.spinner('Testing body against conditions');
-  try {
-    const data = await api.post('/false-positives/test-body', { body: bodyStr, conditions });
-    s.stop('Test complete');
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    const verdict = data.allPassed
-      ? ui.c.green('✓ ALL PASSED — this body would be excluded (false positive)')
-      : ui.c.red('✗ FAILED — this body would still trigger alerts');
-    console.log(`  ${verdict}`);
-    console.log(`  Detected format: ${ui.c.cyan(data.detectedFormat || 'unknown')}`);
-    console.log('');
-
-    if (data.results) {
-      const rows = data.results.map(r => {
-        const status = r.passed ? ui.c.green('✓ pass') : ui.c.red('✗ fail');
-        const detail = r.details?.error
-          || (r.details?.threats?.length ? `threats: ${r.details.threats.map(t => t.attacks?.join(',')).join('; ')}` : '')
-          || (r.details?.extraKeys?.length ? `extra keys: ${r.details.extraKeys.join(', ')}` : '')
-          || '';
-        return [
-          status,
-          r.condition?.operator || '—',
-          ui.truncate(r.condition?.value || '', 40),
-          ui.truncate(detail, 40),
-        ];
-      });
-      ui.table(['Result', 'Operator', 'Value', 'Details'], rows);
-    }
-    console.log('');
-
-    if (!data.allPassed) process.exit(2);
-  } catch (err) {
-    s.fail('Body test failed');
-    throw err;
-  }
-}
-
-// ── Dry Run ──
-
-async function dryRun(args, flags) {
-  requireAuth();
-  const conditions = parseConditions(flags);
-  if (!conditions || !conditions.length) {
-    ui.error('--conditions is required.');
-    ui.info('Example: securenow fp dry-run --conditions \'[{"field":"path","operator":"equals","value":"/api/event"},{"field":"method","operator":"equals","value":"POST"}]\'');
-    process.exit(1);
-  }
-
-  const body = { conditions, matchMode: flags['match-mode'] || 'all' };
-  const s = ui.spinner('Running dry-run against live traces (last 3 days)');
-  try {
-    const data = await api.post('/false-positives/dry-run', body);
-    s.stop('Dry-run complete');
-
-    if (flags.json) { ui.json(data); return; }
-
-    const total = data.totalTraces || 0;
-    const matched = data.matchedCount || 0;
-    const unmatched = data.unmatchedCount || 0;
-    const pct = total > 0 ? Math.round((matched / total) * 100) : 0;
-
-    console.log('');
-    ui.heading('Dry-Run Results');
-    console.log('');
-    ui.keyValue([
-      ['Total Traces', String(total)],
-      ['Would Be Excluded', `${ui.c.green(String(matched))} (${pct}%)`],
-      ['Would Still Alert', `${unmatched > 0 ? ui.c.red(String(unmatched)) : ui.c.green('0')} (${100 - pct}%)`],
-    ]);
-
-    if (data.queryLimitHit) {
-      console.log(`\n  ${ui.c.yellow('!')} Query limit reached (5,000 spans). Results are a sample.`);
-    }
-
-    if (data.sqlPreFiltered?.length) {
-      console.log(`\n  ${ui.c.dim('Pre-filtered in DB:')} ${data.sqlPreFiltered.join(' + ')}`);
-    }
-
-    // Aggregated body keys
-    if (data.aggregatedBodyKeys?.length) {
-      const keyCond = conditions.find(c =>
-        c.field === 'request_body' && (c.operator === 'json_has_only_keys' || c.operator === 'body_has_only_fields')
-      );
-      if (keyCond) {
-        const expected = new Set((keyCond.value || '').split(',').map(k => k.trim()).filter(Boolean));
-        const extra = data.aggregatedBodyKeys.filter(k => !expected.has(k));
-        if (extra.length) {
-          console.log('');
-          ui.subheading(`Keys in bodies NOT in allowlist (${extra.length})`);
-          console.log('');
-          extra.forEach(k => console.log(`    ${ui.c.yellow('+')} ${k}`));
-          console.log(`\n  ${ui.c.dim('Copy all keys:')} ${data.aggregatedBodyKeys.join(',')}`);
-        }
-      }
-    }
-
-    // Unmatched traces
-    if (data.unmatchedTraces?.length) {
-      console.log('');
-      ui.subheading(`Unmatched Traces (showing ${data.unmatchedTraces.length} of ${unmatched})`);
-      console.log('');
-      const rows = data.unmatchedTraces.map(t => [
-        ui.c.dim(ui.truncate(t.traceId, 16)),
-        t.method || '—',
-        ui.truncate(t.path || '', 30),
-        t.statusCode || '—',
-        ui.truncate((t.failedConditions || []).join(', '), 35),
-      ]);
-      ui.table(['Trace ID', 'Method', 'Path', 'Status', 'Failed Conditions'], rows);
-    }
-
-    if (total > 0 && unmatched === 0) {
-      console.log(`\n  ${ui.c.green('✓')} All ${total} traces match — they would all be excluded.`);
-    }
-    console.log('');
-
-    if (unmatched > 0) process.exit(2);
-  } catch (err) {
-    s.fail('Dry-run failed');
-    throw err;
-  }
-}
-
-// ── AI Fill ──
-
-async function aiFill(args, flags) {
-  requireAuth();
-  const description = args.join(' ') || flags.description;
-  let httpContext = null;
-
-  if (flags.context) {
-    try {
-      httpContext = JSON.parse(flags.context);
-    } catch {
-      ui.error('--context must be valid JSON, e.g. \'{"method":"POST","url":"/api/event","requestBody":"..."}\'');
-      process.exit(1);
-    }
-  }
-
-  if (!description && !httpContext) {
-    ui.error('Provide a --description or --context for AI to generate conditions.');
-    ui.info('Example: securenow fp ai-fill --description "view_cart events from /api/event"');
-    process.exit(1);
-  }
-
-  const body = {};
-  if (description) body.description = description;
-  if (httpContext) body.httpContext = httpContext;
-
-  const s = ui.spinner('Generating conditions with AI');
-  try {
-    const data = await api.post('/false-positives/ai-fill', body);
-    s.stop('AI suggestion ready');
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    ui.heading('AI-Generated Exclusion');
-    console.log('');
-
-    if (data.reason) {
-      console.log(`  ${ui.c.bold('Reason:')} ${data.reason}`);
-      console.log('');
-    }
-
-    console.log(`  ${ui.c.bold('Match Mode:')} ${(data.matchMode || 'all').toUpperCase()}`);
-    console.log('');
-
-    ui.subheading('Conditions');
-    console.log('');
-    printConditions(data.conditions, data.matchMode);
-
-    console.log('');
-    ui.subheading('Use with create');
-    const condStr = JSON.stringify(data.conditions);
-    console.log(`\n  securenow fp create --conditions '${condStr}'${data.reason ? ` --reason "${data.reason}"` : ''}`);
-    console.log('');
-  } catch (err) {
-    s.fail('AI generation failed');
-    throw err;
-  }
-}
-
-// ── Mark False Positive ──
-
-const VALID_RULE_SCOPES = ['this_rule', 'specific_rules', 'all_existing', 'any_rule'];
-
-function parseRuleScope(flags) {
-  const scope = flags['rule-scope'];
-  if (!scope) return {};
-  if (!VALID_RULE_SCOPES.includes(scope)) {
-    ui.error(`--rule-scope must be one of: ${VALID_RULE_SCOPES.join(', ')}`);
-    process.exit(1);
-  }
-  const result = { ruleScope: scope };
-  if (scope === 'specific_rules') {
-    const raw = flags['target-rules'];
-    if (!raw) {
-      ui.error('--target-rules is required when --rule-scope is specific_rules (comma-separated rule IDs)');
-      process.exit(1);
-    }
-    result.targetRuleIds = raw.split(',').map(id => id.trim()).filter(Boolean);
-    if (!result.targetRuleIds.length) {
-      ui.error('--target-rules must contain at least one rule ID');
-      process.exit(1);
-    }
-  }
-  return result;
-}
-
-function scopeLabel(scope) {
-  switch (scope) {
-    case 'this_rule': return 'This rule only';
-    case 'specific_rules': return 'Specific rules';
-    case 'all_existing': return 'All existing rules';
-    case 'any_rule': return 'Any rule (incl. future)';
-    default: return scope || 'This rule only';
-  }
-}
-
-async function mark(args, flags) {
-  requireAuth();
-  const notifId = args[0];
-  const ip = args[1];
-
-  if (!notifId || !ip) {
-    ui.error('Usage: securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule]');
-    process.exit(1);
-  }
-
-  const body = {};
-  const conditions = parseConditions(flags);
-  if (conditions) body.conditions = conditions;
-  if (flags['match-mode']) body.matchMode = flags['match-mode'];
-  if (flags.reason) body.reason = flags.reason;
-  body.createExclusion = flags['create-exclusion'] !== 'false' && flags['create-exclusion'] !== false;
-  body.applyToExisting = flags['apply-existing'] !== 'false' && flags['apply-existing'] !== false;
-
-  const scopeParams = parseRuleScope(flags);
-  Object.assign(body, scopeParams);
-
-  const s = ui.spinner(`Marking ${ip} as false positive`);
-  try {
-    const data = await api.post(`/notifications/${encodeURIComponent(notifId)}/ips/${encodeURIComponent(ip)}/false-positive`, body);
-    s.stop('Marked as false positive');
-
-    if (flags.json) { ui.json(data); return; }
-
-    console.log('');
-    ui.success(`IP ${ip} marked as false positive`);
-    console.log('');
-    ui.keyValue([
-      ['Notification', notifId],
-      ['IP', ip],
-      ['Rule Scope', scopeLabel(data.ruleScope)],
-      ['IPs Dismissed (same notif)', String(data.bulkCount ?? 0)],
-      ['Cross-Notification Matches', String(data.crossNotifCount ?? 0)],
-      ['Exclusion Rule Created', data.exclusionCreated ? ui.c.green('Yes') : ui.c.dim('No')],
-    ]);
-
-    if (data.exclusionCreated?.rules?.length > 0) {
-      console.log('');
-      ui.subheading(`Exclusion added to ${data.exclusionCreated.rules.length} rule${data.exclusionCreated.rules.length !== 1 ? 's' : ''}`);
-      console.log('');
-      data.exclusionCreated.rules.forEach(r => {
-        console.log(`    ${ui.c.dim('•')} ${r.ruleName} ${ui.c.dim(`(${r.ruleId})`)}`);
-      });
-    }
-
-    if (data.crossNotifDetails?.length) {
-      console.log('');
-      ui.subheading('Affected Notifications');
-      console.log('');
-      const rows = data.crossNotifDetails.map(d => [
-        ui.truncate(d.title || d.notificationId, 40),
-        String(d.dismissedCount),
-      ]);
-      ui.table(['Notification', 'Dismissed'], rows);
-    }
-    console.log('');
-  } catch (err) {
-    s.fail('Failed to mark as false positive');
-    throw err;
-  }
-}
-
-module.exports = {
-  list,
-  show,
-  create,
-  edit,
-  remove,
-  testBody,
-  dryRun,
-  aiFill,
-  mark,
-};