securenow 5.18.0 → 6.0.1

package/cli.js

@@ -1,459 +1,499 @@
 #!/usr/bin/env node
 'use strict';
 
-const ui = require('./cli/ui');
+/**
+ * SecureNow CLI
+ * 
+ * Usage: npx securenow init [options]
+ */
 
-// ── Argument Parser ──
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const http = require('http');
+const https = require('https');
+const crypto = require('crypto');
+const readline = require('readline');
+const { exec } = require('child_process');
 
-function parseArgs(argv) {
-  const positional = [];
-  const flags = {};
+const APP_URL = (process.env.SECURENOW_APP_URL || 'https://app.securenow.ai').replace(/\/$/, '');
+const API_URL = (process.env.SECURENOW_API_URL || 'https://api.securenow.ai').replace(/\/$/, '');
+const CONFIG_DIR = path.join(os.homedir(), '.securenow');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 
-  for (let i = 0; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg.startsWith('--')) {
-      const eqIdx = arg.indexOf('=');
-      if (eqIdx !== -1) {
-        flags[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);
-      } else {
-        const next = argv[i + 1];
-        if (next && !next.startsWith('-')) {
-          flags[arg.slice(2)] = next;
-          i++;
-        } else {
-          flags[arg.slice(2)] = true;
-        }
-      }
-    } else if (arg.startsWith('-') && arg.length === 2) {
-      const shortMap = { f: 'force', y: 'yes', v: 'verbose', j: 'json' };
-      const long = shortMap[arg[1]] || arg[1];
-      flags[long] = true;
-    } else {
-      positional.push(arg);
-    }
-  }
+const commands = {
+  init: initCommand,
+  login: loginCommand,
+  logout: logoutCommand,
+  status: statusCommand,
+  apps: appsCommand,
+  help: helpCommand,
+  version: versionCommand,
+};
+
+// Templates
+const templates = {
+  typescript: `import { registerSecureNow } from 'securenow/nextjs';
 
-  return { positional, flags };
+export function register() {
+  registerSecureNow();
 }
 
-// ── Command Registry ──
-
-const COMMANDS = {
-  init: {
-    desc: 'Set up SecureNow in the current project (instrumentation, config, env)',
-    usage: 'securenow init [--key <API_KEY>]',
-    flags: { key: 'API key to write to .env', 'api-key': 'Alias for --key' },
-    run: (a, f) => require('./cli/init').init(a, f),
-  },
-  login: {
-    desc: 'Authenticate with SecureNow',
-    usage: 'securenow login [--token <TOKEN>] [--local]',
-    flags: { token: 'Authenticate with a token directly', local: 'Save credentials to this project only (.securenow/)' },
-    run: (a, f) => require('./cli/auth').login(a, f),
-  },
-  logout: {
-    desc: 'Clear stored credentials',
-    usage: 'securenow logout [--local]',
-    flags: { local: 'Clear project-local credentials only' },
-    run: (a, f) => require('./cli/auth').logout(a, f),
-  },
-  whoami: {
-    desc: 'Show current session info',
-    usage: 'securenow whoami',
-    run: () => require('./cli/auth').whoami(),
-  },
-  apps: {
-    desc: 'Manage applications',
-    usage: 'securenow apps <subcommand> [options]',
-    sub: {
-      list: { desc: 'List all applications', run: (a, f) => require('./cli/apps').list(a, f) },
-      create: { desc: 'Create a new application (interactive instance picker)', usage: 'securenow apps create <name> [--hosts host1,host2] [--instance <id>]', run: (a, f) => require('./cli/apps').create(a, f) },
-      info: { desc: 'Show application details', usage: 'securenow apps info <id>', run: (a, f) => require('./cli/apps').info(a, f) },
-      delete: { desc: 'Delete an application', usage: 'securenow apps delete <id> [--force]', run: (a, f) => require('./cli/apps').remove(a, f) },
-      default: { desc: 'Set default application', usage: 'securenow apps default <key>', run: (a, f) => require('./cli/apps').setDefault(a, f) },
-      discover: { desc: 'Discover subdomains and add as apps', usage: 'securenow apps discover [appId] [--domain example.com]', run: (a, f) => require('./cli/apps').discover(a, f) },
-      scan: { desc: 'Scan all app domains for new subdomains', usage: 'securenow apps scan [--yes]', run: (a, f) => require('./cli/apps').scan(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  traces: {
-    desc: 'View and analyze traces',
-    usage: 'securenow traces <subcommand> [options]',
-    sub: {
-      list: { desc: 'List recent traces', flags: { app: 'App key', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
-      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
-      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  logs: {
-    desc: 'View application logs',
-    usage: 'securenow logs [options]',
-    sub: {
-      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
-      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  notifications: {
-    desc: 'Manage notifications',
-    usage: 'securenow notifications <subcommand> [options]',
-    sub: {
-      list: { desc: 'List notifications', flags: { limit: 'Max results', page: 'Page number' }, run: (a, f) => require('./cli/monitor').notificationsList(a, f) },
-      read: { desc: 'Mark notification as read', usage: 'securenow notifications read <id>', run: (a, f) => require('./cli/monitor').notificationsRead(a, f) },
-      'read-all': { desc: 'Mark all as read', run: () => require('./cli/monitor').notificationsReadAll() },
-      unread: { desc: 'Show unread count', run: () => require('./cli/monitor').notificationsUnread() },
-    },
-    defaultSub: 'list',
-  },
-  alerts: {
-    desc: 'Manage alerting',
-    usage: 'securenow alerts <subcommand> [options]',
-    sub: {
-      rules: {
-        desc: 'List, show, or update alert rules',
-        flags: {
-          json: 'Output as JSON',
-          'applications-all': 'With update: scope rule to all apps',
-          'no-applications-all': 'With update: scope to explicit --apps list',
-          apps: 'Comma-separated app keys (with update)',
-        },
-        run: (a, f) => require('./cli/security').alertRulesRoute(a, f),
-      },
-      channels: { desc: 'List alert channels', run: (a, f) => require('./cli/security').alertChannelsList(a, f) },
-      history: { desc: 'View alert history', flags: { limit: 'Max results' }, run: (a, f) => require('./cli/security').alertHistoryList(a, f) },
-    },
-    defaultSub: 'rules',
-  },
-  fp: {
-    desc: 'Manage false-positive exclusion rules',
-    usage: 'securenow fp <subcommand> [options]',
-    flags: { json: 'Output as JSON', conditions: 'JSON array of conditions', 'match-mode': 'Match mode: all (AND) or any (OR)', 'rule-scope': 'Scope: this_rule | specific_rules | all_existing | any_rule', 'target-rules': 'Comma-separated rule IDs (when --rule-scope specific_rules)', 'path-safe': 'Add path_safe_values condition (standard|strict)', 'query-safe': 'Add query_safe_values condition (standard|strict)', 'query-keys': 'Allowed query param names (comma-separated)', 'ua-safe': 'Add ua_safe_values condition (standard|strict)', 'headers-safe': 'Add headers_safe_values condition (standard|strict)', 'headers-keys': 'Allowed header names (comma-separated)' },
-    sub: {
-      list: { desc: 'List all exclusion rules', run: (a, f) => require('./cli/fp').list(a, f) },
-      show: { desc: 'Show exclusion rule details', usage: 'securenow fp show <id>', run: (a, f) => require('./cli/fp').show(a, f) },
-      create: { desc: 'Create an exclusion rule', usage: 'securenow fp create [--conditions \'[...]\'] [--path /api/event] [--method POST] [--path-safe standard] [--ua-safe standard] [--headers-safe standard] [--query-keys page,limit] [--headers-keys host,content-type] [--reason "..."] [--rule-scope any_rule|specific_rules|all_existing] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').create(a, f) },
-      edit: { desc: 'Edit an exclusion rule', usage: 'securenow fp edit <id> [--active true/false] [--conditions \'[...]\']', run: (a, f) => require('./cli/fp').edit(a, f) },
-      delete: { desc: 'Delete an exclusion rule', usage: 'securenow fp delete <id> [--yes]', run: (a, f) => require('./cli/fp').remove(a, f) },
-      'test-body': { desc: 'Test a request body against conditions', usage: 'securenow fp test-body <body|@file> --conditions \'[...]\'', run: (a, f) => require('./cli/fp').testBody(a, f) },
-      'dry-run': { desc: 'Dry-run conditions against live traces (last 3 days)', usage: 'securenow fp dry-run --conditions \'[...]\'', run: (a, f) => require('./cli/fp').dryRun(a, f) },
-      'ai-fill': { desc: 'AI-generate exclusion conditions', usage: 'securenow fp ai-fill [--description "..."] [--context \'{"method":"POST",...}\']', run: (a, f) => require('./cli/fp').aiFill(a, f) },
-      mark: { desc: 'Mark an IP as false positive on a notification', usage: 'securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').mark(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  firewall: {
-    desc: 'Firewall status and IP testing',
-    usage: 'securenow firewall <subcommand> [options]',
-    sub: {
-      status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
-    },
-    defaultSub: 'status',
-  },
-  blocklist: {
-    desc: 'Manage IP blocklist',
-    usage: 'securenow blocklist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
-      remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
-      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  allowlist: {
-    desc: 'Manage IP allowlist (only allow listed IPs)',
-    usage: 'securenow allowlist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
-      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
-      remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
-      stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  trusted: {
-    desc: 'Manage trusted IPs',
-    usage: 'securenow trusted <subcommand> [options]',
-    sub: {
-      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
-      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
-      remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  ip: {
-    desc: 'IP intelligence lookup',
-    usage: 'securenow ip <ip-address>',
-    sub: {
-      lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
-      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip>', run: (a, f) => require('./cli/security').ipTraces(a, f) },
-    },
-    defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
-  },
-  forensics: {
-    desc: 'Run forensic queries (natural language → SQL)',
-    usage: 'securenow forensics <query> [--app <key>]',
-    sub: {
-      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
-      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key>', flags: { app: 'App key to chat with' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
-      library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
-    },
-    defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
-  },
-  'api-map': {
-    desc: 'View API map',
-    usage: 'securenow api-map [stats]',
-    sub: {
-      list: { desc: 'List discovered API endpoints', run: (a, f) => require('./cli/security').apiMapList(a, f) },
-      stats: { desc: 'API map statistics', run: (a, f) => require('./cli/security').apiMapStats(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  instances: {
-    desc: 'Manage ClickHouse instances',
-    usage: 'securenow instances <subcommand> [options]',
-    sub: {
-      list: { desc: 'List instances', run: (a, f) => require('./cli/security').instancesList(a, f) },
-      test: { desc: 'Test instance connection', usage: 'securenow instances test <id>', run: (a, f) => require('./cli/security').instancesTest(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  analytics: {
-    desc: 'View response analytics',
-    usage: 'securenow analytics [--app <key>]',
-    run: (a, f) => require('./cli/security').analytics(a, f),
-  },
-  status: {
-    desc: 'Dashboard overview',
-    usage: 'securenow status [--app <key>]',
-    run: (a, f) => require('./cli/monitor').status(a, f),
-  },
-  config: {
-    desc: 'Manage CLI configuration',
-    usage: 'securenow config <set|get> [key] [value]',
-    sub: {
-      set: {
-        desc: 'Set a config value',
-        usage: 'securenow config set <key> <value>',
-        run: (a) => {
-          const conf = require('./cli/config');
-          const [key, ...rest] = a;
-          const value = rest.join(' ');
-          if (!key || !value) { ui.error('Usage: securenow config set <key> <value>'); process.exit(1); }
-          conf.setConfigValue(key, value);
-          ui.success(`${key} = ${value}`);
-        },
-      },
-      get: {
-        desc: 'Get a config value',
-        usage: 'securenow config get [key]',
-        run: (a) => {
-          const conf = require('./cli/config');
-          const key = a[0];
-          if (key) {
-            const val = conf.getConfigValue(key);
-            console.log(val != null ? val : ui.c.dim('(not set)'));
-          } else {
-            const all = conf.loadConfig();
-            console.log('');
-            ui.keyValue(Object.entries(all).map(([k, v]) => [k, v != null ? String(v) : ui.c.dim('(not set)')]));
-            console.log('');
-          }
-        },
-      },
-      path: {
-        desc: 'Show config file path',
-        run: () => {
-          const conf = require('./cli/config');
-          console.log(`Config:         ${conf.CONFIG_FILE}`);
-          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
-          if (conf.hasLocalCredentials()) {
-            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
-          }
-          console.log(`Auth source:    ${conf.getAuthSource()}`);
-        },
-      },
-    },
-  },
-  init: {
-    desc: 'Initialize SecureNow instrumentation',
-    usage: 'securenow init [--ts|--js] [--src|--root] [--force]',
-    flags: { typescript: 'Force TypeScript', javascript: 'Force JavaScript', src: 'Create in src/', root: 'Create in root', force: 'Overwrite existing' },
-    run: (a, f) => require('./cli/init').init(a, f),
-  },
-  run: {
-    desc: 'Run a Node.js app with automatic OTel instrumentation',
-    usage: 'securenow run [node-flags] <script> [app-args]',
-    flags: { watch: 'Enable Node.js watch mode', inspect: 'Enable Node.js inspector' },
-    rawArgv: true,
-    run: (rawArgs) => require('./cli/run').run(rawArgs),
-  },
-  version: {
-    desc: 'Show CLI version',
-    run: () => {
-      try {
-        const pkg = require('./package.json');
-        console.log(`securenow v${pkg.version}`);
-      } catch {
-        console.log('securenow (version unknown)');
-      }
-    },
-  },
+/**
+ * Configuration via .env.local:
+ * 
+ * Required:
+ *   SECURENOW_APPID=my-nextjs-app
+ * 
+ * Optional:
+ *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
+ *   OTEL_LOG_LEVEL=info
+ */
+`,
+  javascript: `const { registerSecureNow } = require('securenow/nextjs');
+
+export function register() {
+  registerSecureNow();
+}
+
+/**
+ * Configuration via .env.local:
+ * 
+ * Required:
+ *   SECURENOW_APPID=my-nextjs-app
+ * 
+ * Optional:
+ *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
+ *   OTEL_LOG_LEVEL=info
+ */
+`,
+  env: `# SecureNow Configuration
+# Required: Your application identifier
+SECURENOW_APPID=my-nextjs-app
+
+# Optional: Your SigNoz/OpenTelemetry collector endpoint
+# Default: https://freetrial.securenow.ai:4318
+SECURENOW_INSTANCE=http://your-signoz-server:4318
+
+# Optional: API key or authentication headers
+# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"
+
+# Optional: Log level (debug|info|warn|error)
+# OTEL_LOG_LEVEL=info
+`,
 };
 
-// ── Help System ──
+function initCommand(args) {
+  const flags = parseFlags(args);
+  const cwd = process.cwd();
+  
+  console.log('\n🚀 SecureNow Setup\n');
+  
+  // Check if Next.js project
+  const isNextJs = isNextJsProject(cwd);
+  if (!isNextJs && !flags.force) {
+    console.log('⚠️  This doesn\'t appear to be a Next.js project.');
+    console.log('   If you want to proceed anyway, use: npx securenow init --force\n');
+    process.exit(1);
+  }
+  
+  // Determine TypeScript or JavaScript
+  const useTypeScript = flags.typescript || 
+                        (!flags.javascript && fs.existsSync(path.join(cwd, 'tsconfig.json')));
+  
+  // Determine if using src folder
+  const useSrc = flags.src || 
+                 (!flags.root && fs.existsSync(path.join(cwd, 'src')));
+  
+  // Construct file paths
+  const fileName = useTypeScript ? 'instrumentation.ts' : 'instrumentation.js';
+  const filePath = useSrc 
+    ? path.join(cwd, 'src', fileName)
+    : path.join(cwd, fileName);
+  
+  // Check if file already exists
+  if (fs.existsSync(filePath) && !flags.force) {
+    console.log(`❌ ${useSrc ? 'src/' : ''}${fileName} already exists`);
+    console.log('   Use --force to overwrite\n');
+    process.exit(1);
+  }
+  
+  // Create instrumentation file
+  try {
+    const template = useTypeScript ? templates.typescript : templates.javascript;
+    
+    // Ensure src directory exists if needed
+    if (useSrc) {
+      fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
+    }
+    
+    fs.writeFileSync(filePath, template, 'utf8');
+    console.log(`✅ Created ${useSrc ? 'src/' : ''}${fileName}`);
+  } catch (error) {
+    console.error(`❌ Failed to create instrumentation file: ${error.message}\n`);
+    process.exit(1);
+  }
+  
+  // Create .env.local if it doesn't exist
+  const envPath = path.join(cwd, '.env.local');
+  if (!fs.existsSync(envPath) || flags.force) {
+    try {
+      fs.writeFileSync(envPath, templates.env, 'utf8');
+      console.log('✅ Created .env.local template');
+    } catch (error) {
+      console.warn(`⚠️  Could not create .env.local: ${error.message}`);
+    }
+  } else {
+    console.log('ℹ️  .env.local already exists (skipped)');
+  }
+  
+  // Success message
+  console.log('\n┌─────────────────────────────────────────────────┐');
+  console.log('│  🎉 Setup Complete!                             │');
+  console.log('│                                                 │');
+  console.log('│  Next steps:                                    │');
+  console.log('│                                                 │');
+  console.log('│  1. Edit .env.local and configure:             │');
+  console.log('│     SECURENOW_APPID=your-app-name              │');
+  console.log('│     SECURENOW_INSTANCE=http://signoz:4318      │');
+  console.log('│                                                 │');
+  console.log('│  2. Start your Next.js app: npm run dev        │');
+  console.log('│                                                 │');
+  console.log('│  3. Check SigNoz dashboard for traces!         │');
+  console.log('│                                                 │');
+  console.log('│  📚 Documentation:                              │');
+  console.log('│     node_modules/securenow/NEXTJS-GUIDE.md     │');
+  console.log('└─────────────────────────────────────────────────┘\n');
+}
+
+// ─── Auth / config ──────────────────────────────────────────────
 
-function showBanner() {
-  console.log('');
-  console.log(`  ${ui.c.bold(ui.c.cyan('SecureNow CLI'))} ${ui.c.dim('— Security observability from the terminal')}`);
-  console.log('');
+function loadConfig() {
+  try {
+    if (!fs.existsSync(CONFIG_FILE)) return {};
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+  } catch {
+    return {};
+  }
 }
 
-function showHelp(commandName) {
-  if (commandName && COMMANDS[commandName]) {
-    const cmd = COMMANDS[commandName];
-    showBanner();
-    console.log(`  ${ui.c.bold(commandName)} — ${cmd.desc}`);
-    console.log('');
-    if (cmd.usage) {
-      console.log(`  ${ui.c.bold('USAGE')}`);
-      console.log(`    ${cmd.usage}`);
-      console.log('');
-    }
-    if (cmd.sub) {
-      console.log(`  ${ui.c.bold('SUBCOMMANDS')}`);
-      const entries = Object.entries(cmd.sub);
-      const maxLen = entries.reduce((m, [k]) => Math.max(m, k.length), 0);
-      for (const [name, sub] of entries) {
-        console.log(`    ${ui.c.cyan(name.padEnd(maxLen + 2))} ${sub.desc}`);
-      }
-      console.log('');
+function saveConfig(cfg) {
+  try {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+    try { fs.chmodSync(CONFIG_FILE, 0o600); } catch {}
+  } catch (err) {
+    console.error(`❌ Could not write ${CONFIG_FILE}: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function openBrowser(url) {
+  const cmd =
+    process.platform === 'darwin' ? `open "${url}"` :
+    process.platform === 'win32' ? `start "" "${url}"` :
+    `xdg-open "${url}"`;
+  exec(cmd, () => {});
+}
+
+function loginCommand(args) {
+  const flags = parseFlags(args);
+  const state = crypto.randomBytes(16).toString('hex');
+
+  const server = http.createServer((req, res) => {
+    const url = new URL(req.url, 'http://127.0.0.1');
+    if (url.pathname !== '/callback') {
+      res.writeHead(404); res.end();
+      return;
     }
-    if (cmd.flags) {
-      console.log(`  ${ui.c.bold('FLAGS')}`);
-      for (const [flag, desc] of Object.entries(cmd.flags)) {
-        console.log(`    --${ui.c.cyan(flag.padEnd(16))} ${desc}`);
-      }
-      console.log('');
+    const token = url.searchParams.get('token');
+    const gotState = url.searchParams.get('state');
+    if (!token || gotState !== state) {
+      res.writeHead(400, { 'Content-Type': 'text/html' });
+      res.end('<h1>Auth failed</h1><p>You can close this tab and try again.</p>');
+      return;
     }
-    console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
-    console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
-    console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help`);
-    console.log('');
-    return;
+    saveConfig({ token, savedAt: new Date().toISOString() });
+    res.writeHead(200, { 'Content-Type': 'text/html' });
+    res.end('<h1>✅ Logged in to SecureNow</h1><p>You can close this tab and return to your terminal.</p>');
+    console.log('\n✅ Logged in. Token saved to', CONFIG_FILE, '\n');
+    setTimeout(() => { server.close(); process.exit(0); }, 200);
+  });
+
+  server.listen(0, '127.0.0.1', () => {
+    const port = server.address().port;
+    const callback = `http://127.0.0.1:${port}/callback`;
+    const authUrl = `${APP_URL}/cli/auth?callback=${encodeURIComponent(callback)}&state=${state}${flags.force ? '&force_login=1' : ''}`;
+    console.log('\n🔐 SecureNow Login\n');
+    console.log('Opening browser to authenticate...');
+    console.log('If it doesn\'t open, paste this URL:\n  ' + authUrl + '\n');
+    openBrowser(authUrl);
+  });
+
+  setTimeout(() => {
+    console.error('\n⏱  Login timed out after 5 minutes.');
+    try { server.close(); } catch {}
+    process.exit(1);
+  }, 5 * 60 * 1000).unref();
+}
+
+function logoutCommand() {
+  if (fs.existsSync(CONFIG_FILE)) {
+    try { fs.unlinkSync(CONFIG_FILE); } catch {}
   }
+  console.log('✅ Logged out');
+}
 
-  showBanner();
-
-  const groups = {
-    'Run': ['run'],
-    'Authentication': ['login', 'logout', 'whoami'],
-    'Applications': ['apps', 'init', 'status'],
-    'Observe': ['traces', 'logs', 'analytics'],
-    'Detect & Respond': ['notifications', 'alerts', 'fp'],
-    'Investigate': ['ip', 'forensics', 'api-map'],
-    'Firewall': ['firewall'],
-    'Remediation': ['blocklist', 'allowlist', 'trusted'],
-    'Settings': ['instances', 'config', 'version'],
-  };
-
-  for (const [group, cmds] of Object.entries(groups)) {
-    console.log(`  ${ui.c.bold(group)}`);
-    for (const name of cmds) {
-      const cmd = COMMANDS[name];
-      if (cmd) {
-        console.log(`    ${ui.c.cyan(name.padEnd(18))} ${cmd.desc}`);
-      }
-    }
-    console.log('');
+function statusCommand() {
+  const cfg = loadConfig();
+  if (!cfg.token) {
+    console.log('❌ Not logged in. Run: npx securenow login');
+    process.exit(1);
   }
+  console.log('✅ Logged in');
+  console.log('   Config: ' + CONFIG_FILE);
+  console.log('   API:    ' + API_URL);
+  apiRequest('GET', '/api/applications', null, cfg.token)
+    .then((data) => {
+      const count = (data && (data.applications || data)) ? (data.applications || data).length : 0;
+      console.log('   Apps:   ' + count);
+    })
+    .catch((err) => {
+      console.log('   Apps:   (could not reach API: ' + err.message + ')');
+      process.exit(1);
+    });
+}
+
+// ─── HTTP helper ────────────────────────────────────────────────
 
-  console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
-  console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
-  console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help for a command`);
-  console.log('');
-  console.log(`  ${ui.c.dim('Run')} securenow help <command> ${ui.c.dim('for detailed usage')}`);
-  console.log('');
+function apiRequest(method, pathname, body, token) {
+  return new Promise((resolve, reject) => {
+    const u = new URL(API_URL + pathname);
+    const lib = u.protocol === 'https:' ? https : http;
+    const data = body ? JSON.stringify(body) : null;
+    const req = lib.request({
+      method,
+      hostname: u.hostname,
+      port: u.port || (u.protocol === 'https:' ? 443 : 80),
+      path: u.pathname + u.search,
+      headers: {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'User-Agent': 'securenow-cli',
+        ...(token ? { Authorization: `Bearer ${token}` } : {}),
+        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}),
+      },
+    }, (res) => {
+      let chunks = '';
+      res.on('data', (c) => { chunks += c; });
+      res.on('end', () => {
+        if (res.statusCode === 401) return reject(new Error('Unauthorized — run: npx securenow login'));
+        if (res.statusCode >= 400) {
+          let msg = `HTTP ${res.statusCode}`;
+          try { const j = JSON.parse(chunks); if (j.error) msg = j.error; } catch {}
+          return reject(new Error(msg));
+        }
+        try { resolve(chunks ? JSON.parse(chunks) : {}); }
+        catch { resolve({}); }
+      });
+    });
+    req.on('error', reject);
+    if (data) req.write(data);
+    req.end();
+  });
 }
 
-// ── Main Router ──
+// ─── apps ───────────────────────────────────────────────────────
 
-async function main() {
-  const { positional, flags } = parseArgs(process.argv.slice(2));
-  const cmdName = positional[0] || 'help';
+function appsCommand(args) {
+  const sub = args[0];
+  const rest = args.slice(1);
+  if (sub === 'list' || !sub) return appsList(rest);
+  if (sub === 'create' || sub === 'add') return appsCreate(rest);
+  console.error('Unknown apps subcommand. Try: list, create');
+  process.exit(1);
+}
 
-  if (cmdName === 'help' || flags.help) {
-    showHelp(flags.help === true ? positional[0] : flags.help || positional[1] || (cmdName !== 'help' ? cmdName : null));
-    return;
+function requireAuth() {
+  const cfg = loadConfig();
+  if (!cfg.token) {
+    console.error('❌ Not logged in. Run: npx securenow login');
+    process.exit(1);
   }
+  return cfg.token;
+}
 
-  const cmd = COMMANDS[cmdName];
-  if (!cmd) {
-    // Auto-detect: if the first arg looks like a file path, treat it as `securenow run <file>`
-    if (/\.(m?[jt]sx?|cjs)$/.test(cmdName) || cmdName.includes('/') || cmdName.includes('\\')) {
-      return COMMANDS.run.run(process.argv.slice(2));
+async function appsList(args) {
+  const json = args.includes('--json');
+  const token = requireAuth();
+  try {
+    const data = await apiRequest('GET', '/api/applications', null, token);
+    const apps = data.applications || data || [];
+    if (json) { console.log(JSON.stringify(apps, null, 2)); return; }
+    if (!apps.length) { console.log('(no applications yet — npx securenow apps create)'); return; }
+    console.log('\nApplications:\n');
+    for (const a of apps) {
+      console.log(`  • ${a.name}${a.key ? '  ' + a.key : ''}`);
+      if (a.hosts && a.hosts.length) console.log(`      hosts: ${a.hosts.join(', ')}`);
     }
-    ui.error(`Unknown command: ${cmdName}`);
-    ui.info('Run `securenow help` for a list of commands.');
+    console.log('');
+  } catch (err) {
+    console.error('❌ ' + err.message);
     process.exit(1);
   }
+}
 
-  if (cmd.rawArgv) {
-    // Pass raw argv (everything after the command name) so the command can
-    // forward flags like --watch, --inspect verbatim to child processes.
-    const cmdIdx = process.argv.indexOf(cmdName);
-    const rawArgs = cmdIdx !== -1 ? process.argv.slice(cmdIdx + 1) : positional.slice(1);
-    await cmd.run(rawArgs);
-    return;
-  }
+function prompt(question) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (a) => { rl.close(); resolve(a.trim()); });
+  });
+}
 
-  if (cmd.run && !cmd.sub) {
-    await cmd.run(positional.slice(1), flags);
-    return;
+async function appsCreate(args) {
+  const token = requireAuth();
+  const flags = {};
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--name') flags.name = args[++i];
+    else if (args[i] === '--hosts') flags.hosts = args[++i];
+  }
+  const name = flags.name || await prompt('Application name: ');
+  if (!name) { console.error('❌ Name is required'); process.exit(1); }
+  const hostsStr = flags.hosts != null ? flags.hosts : await prompt('Hosts (comma-separated, optional): ');
+  const hosts = hostsStr ? hostsStr.split(',').map(s => s.trim()).filter(Boolean) : [];
+  try {
+    const data = await apiRequest('POST', '/api/applications', { name, hosts }, token);
+    const app = data.application || data;
+    console.log('\n✅ Created application: ' + (app.name || name));
+    if (app.key) console.log('   Key: ' + app.key);
+    console.log('\nNext: add SECURENOW_APPID=' + (app.name || name) + ' to your .env.local\n');
+  } catch (err) {
+    console.error('❌ ' + err.message);
+    process.exit(1);
   }
+}
 
-  if (cmd.sub) {
-    let subName = positional[1];
-    let subArgs = positional.slice(2);
+function helpCommand() {
+  console.log(`
+SecureNow CLI - OpenTelemetry instrumentation for Next.js
 
-    if (subName && cmd.sub[subName]) {
-      if (flags.help) {
-        showHelp(cmdName);
-        return;
-      }
-      await cmd.sub[subName].run(subArgs, flags);
-      return;
-    }
+USAGE:
+  npx securenow <command> [options]
 
-    if (cmd.defaultAction) {
-      const allArgs = subName ? [subName, ...subArgs] : [];
-      await cmd.defaultAction(allArgs, flags);
-      return;
-    }
+COMMANDS:
+  login              Authenticate with SecureNow (opens browser)
+  logout             Remove saved credentials
+  status             Show current auth + API connectivity
+  init               Scaffold instrumentation in your Next.js project
+  apps list          List your applications
+  apps create        Create a new application (interactive)
+  help               Show this help message
+  version            Show package version
 
-    if (cmd.defaultSub) {
-      const allArgs = subName ? [subName, ...subArgs] : [];
-      await cmd.sub[cmd.defaultSub].run(allArgs, flags);
-      return;
-    }
+OPTIONS:
+  --typescript, --ts    Force TypeScript (creates instrumentation.ts)
+  --javascript, --js    Force JavaScript (creates instrumentation.js)
+  --src                 Create file in src/ folder
+  --root                Create file in project root
+  --force, -f           Overwrite existing files
+
+EXAMPLES:
+  # First-time setup
+  npx securenow login
+  npx securenow apps create --name my-app
+  npx securenow init
 
-    showHelp(cmdName);
-    return;
+  # Auto-detect and setup
+  npx securenow init
+
+  # Force TypeScript in src folder
+  npx securenow init --typescript --src
+
+  # Force JavaScript in root
+  npx securenow init --javascript --root
+
+  # Overwrite existing files
+  npx securenow init --force
+
+DOCUMENTATION:
+  Quick Start: node_modules/securenow/NEXTJS-QUICKSTART.md
+  Full Guide:  node_modules/securenow/NEXTJS-GUIDE.md
+  Examples:    node_modules/securenow/examples/
+`);
+}
+
+function versionCommand() {
+  try {
+    const packageJson = require('./package.json');
+    console.log(`securenow v${packageJson.version}`);
+  } catch (error) {
+    console.log('securenow (version unknown)');
   }
+}
 
-  if (cmd.run) {
-    await cmd.run(positional.slice(1), flags);
+// Utility functions
+function parseFlags(args) {
+  const flags = {};
+  
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    
+    if (arg === '--typescript' || arg === '--ts') {
+      flags.typescript = true;
+    } else if (arg === '--javascript' || arg === '--js') {
+      flags.javascript = true;
+    } else if (arg === '--src') {
+      flags.src = true;
+    } else if (arg === '--root') {
+      flags.root = true;
+    } else if (arg === '--force' || arg === '-f') {
+      flags.force = true;
+    }
   }
+  
+  return flags;
 }
 
-main().catch((err) => {
-  if (err.name !== 'CLIError') {
-    ui.error(err.message || 'An unexpected error occurred');
+function isNextJsProject(dir) {
+  try {
+    const packageJsonPath = path.join(dir, 'package.json');
+    if (!fs.existsSync(packageJsonPath)) return false;
+    
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+    
+    return !!deps.next;
+  } catch (error) {
+    return false;
   }
-  if (process.env.SECURENOW_DEBUG) {
-    console.error(err.stack || err);
+}
+
+// Main
+function main() {
+  const args = process.argv.slice(2);
+  const command = args[0] || 'help';
+  const commandFn = commands[command];
+  
+  if (!commandFn) {
+    console.error(`Unknown command: ${command}`);
+    console.log('Run "npx securenow help" for usage\n');
+    process.exit(1);
   }
-  process.exit(1);
-});
+  
+  commandFn(args.slice(1));
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { main };
+
+
+
+
+
+
+