securenow 6.0.1 → 6.1.0

package/cli/security.js

@@ -0,0 +1,980 @@
+'use strict';
+
+const { api, requireAuth } = require('./client');
+const config = require('./config');
+const ui = require('./ui');
+
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+// ── Alert Rules ──
+
+function formatRuleApplicationsCell(rule) {
+  if (rule.applicationsAll) {
+    return ui.c.cyan('all apps');
+  }
+  const keys = rule.applications || [];
+  if (keys.length === 0) return ui.c.dim('—');
+  const joined = keys.join(', ');
+  return joined.length > 48 ? `${joined.slice(0, 45)}…` : joined;
+}
+
+function ruleStatusBadge(rule) {
+  const st = rule.status || (rule.enabled !== false ? 'Active' : 'Disabled');
+  if (st === 'Active') return ui.statusBadge('active');
+  if (st === 'Disabled') return ui.statusBadge('disabled');
+  if (st === 'Paused') return ui.statusBadge('paused');
+  return st;
+}
+
+/** Dispatch: list | show <id> | update <id> ... */
+async function alertRulesRoute(args, flags) {
+  const sub = args[0];
+  if (sub === 'show') {
+    return alertRuleShow(args.slice(1), flags);
+  }
+  if (sub === 'update') {
+    return alertRuleUpdate(args.slice(1), flags);
+  }
+  if (sub === 'list') {
+    return alertRulesList(args.slice(1), flags);
+  }
+  return alertRulesList(args, flags);
+}
+
+async function alertRulesList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching alert rules');
+  try {
+    const data = await api.get('/alert-rules');
+    const rules = data.alertRules || [];
+    s.stop(`Found ${rules.length} rule${rules.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(rules); return; }
+
+    console.log('');
+    const rows = rules.map((r) => [
+      ui.c.dim(ui.truncate(r._id, 12)),
+      r.name || '—',
+      ruleStatusBadge(r),
+      formatRuleApplicationsCell(r),
+      r.schedule?.enabled === false ? ui.c.dim('off') : (r.schedule?.description || r.schedule?.cronExpression || '—'),
+    ]);
+    ui.table(['ID', 'Name', 'Status', 'Applications', 'Schedule'], rows);
+    console.log('');
+    console.log(ui.c.dim('  Applications: "all apps" = all current & future active apps.  show <id>  ·  update <id> --applications-all  ·  --apps k1,k2'));
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch alert rules');
+    throw err;
+  }
+}
+
+async function alertRuleShow(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules show <rule-id>');
+    process.exit(1);
+  }
+  const s = ui.spinner('Fetching alert rule');
+  try {
+    const data = await api.get(`/alert-rules/${id}`);
+    const r = data.alertRule;
+    s.stop('');
+
+    if (flags.json) {
+      ui.json(r);
+      return;
+    }
+
+    console.log('');
+    ui.heading(r.name || 'Alert rule');
+    console.log('');
+    const appLine = r.applicationsAll
+      ? 'All applications (current & future)'
+      : (r.applications && r.applications.length > 0 ? r.applications.join(', ') : '—');
+    ui.keyValue([
+      ['ID', r._id || r.id || id],
+      ['Status', r.status || '—'],
+      ['System rule', r.isSystem ? 'yes' : 'no'],
+      ['Applications', appLine],
+      ['Schedule', r.schedule?.enabled === false ? 'disabled' : (r.schedule?.description || r.schedule?.cronExpression || '—')],
+      ['Throttle', r.throttle?.enabled ? `${r.throttle.minutes} min` : 'off'],
+      ['Query', r.queryMappingId?.name || '—'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch alert rule');
+    throw err;
+  }
+}
+
+async function alertRuleUpdate(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules update <rule-id> (--applications-all | --apps <k1,k2>)');
+    process.exit(1);
+  }
+
+  const hasAll =
+    flags['applications-all'] === true ||
+    flags['applications-all'] === 'true';
+  const hasNoAll =
+    flags['no-applications-all'] === true ||
+    flags['no-applications-all'] === 'true';
+  const appsStr = flags.apps;
+
+  if (hasAll && hasNoAll) {
+    ui.error('Use only one of --applications-all or --no-applications-all');
+    process.exit(1);
+  }
+  if (hasAll && appsStr) {
+    ui.error('Cannot combine --applications-all with --apps');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (hasAll) {
+    body.applicationsAll = true;
+    body.applications = [];
+  } else if (hasNoAll || appsStr) {
+    body.applicationsAll = false;
+    if (!appsStr) {
+      ui.error('Pass --apps key1,key2 when using --no-applications-all, or omit --no-applications-all and use --apps only');
+      process.exit(1);
+    }
+    body.applications = String(appsStr)
+      .split(',')
+      .map((x) => x.trim())
+      .filter(Boolean);
+    if (body.applications.length === 0) {
+      ui.error('No application keys parsed from --apps');
+      process.exit(1);
+    }
+  } else {
+    ui.error('Nothing to update. Use --applications-all or --apps key1,key2');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Updating alert rule');
+  try {
+    await api.put(`/alert-rules/${id}`, body);
+    s.stop('Updated');
+    ui.success('Alert rule updated');
+  } catch (err) {
+    s.fail('Failed to update alert rule');
+    throw err;
+  }
+}
+
+// ── Alert Channels ──
+
+async function alertChannelsList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching alert channels');
+  try {
+    const data = await api.get('/alert-channels');
+    const channels = data.alertChannels || [];
+    s.stop(`Found ${channels.length} channel${channels.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(channels); return; }
+
+    console.log('');
+    const rows = channels.map(ch => [
+      ui.c.dim(ui.truncate(ch._id, 12)),
+      ch.name || '—',
+      ch.type || '—',
+      ui.statusBadge(ch.enabled !== false ? 'enabled' : 'disabled'),
+      ch.target || ch.email || ch.webhookUrl || '—',
+    ]);
+    ui.table(['ID', 'Name', 'Type', 'Status', 'Target'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch alert channels');
+    throw err;
+  }
+}
+
+// ── Alert History ──
+
+async function alertHistoryList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching alert history');
+  try {
+    const query = { limit: flags.limit || 20 };
+    const data = await api.get('/alert-history', { query });
+    const history = data.alerts || [];
+    s.stop(`Found ${history.length} alert${history.length !== 1 ? 's' : ''}${data.totalItems ? ` (${data.totalItems} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = history.map(h => [
+      ui.c.dim(ui.truncate(h._id, 12)),
+      h.ruleName || h.type || '—',
+      h.severity ? ui.statusBadge(h.severity) : '—',
+      ui.truncate(h.message || h.description || '', 40),
+      h.serviceName || '—',
+      ui.timeAgo(h.triggeredAt || h.createdAt),
+    ]);
+    ui.table(['ID', 'Rule', 'Severity', 'Message', 'App', 'Triggered'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch alert history');
+    throw err;
+  }
+}
+
+// ── Blocklist ──
+
+async function blocklistList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching blocklist');
+  try {
+    const data = await api.get('/blocklist');
+    const items = data.blockedIps || [];
+    s.stop(`Found ${items.length} blocked IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = items.map(b => [
+      ui.c.dim(ui.truncate(b._id, 12)),
+      ui.c.red(b.ip || b.cidr || '—'),
+      ui.truncate(b.reason || '', 40),
+      b.source || '—',
+      ui.timeAgo(b.createdAt),
+      b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Added', 'Expires'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch blocklist');
+    throw err;
+  }
+}
+
+async function blocklistAdd(args, flags) {
+  requireAuth();
+  let ip = args[0];
+  if (!ip) {
+    ip = await ui.prompt('IP address or CIDR to block');
+    if (!ip) { ui.error('IP is required'); process.exit(1); }
+  }
+
+  const body = { ip };
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.duration) body.duration = flags.duration;
+  if (flags.app) body.serviceName = flags.app;
+
+  const s = ui.spinner(`Blocking ${ip}`);
+  try {
+    await api.post('/blocklist', body);
+    s.stop(`${ip} added to blocklist`);
+  } catch (err) {
+    s.fail('Failed to add to blocklist');
+    throw err;
+  }
+}
+
+async function blocklistRemove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Blocklist entry ID required. Usage: securenow blocklist remove <id>');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this IP from blocklist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Removing from blocklist');
+  try {
+    await api.delete(`/blocklist/${id}`);
+    s.stop('Removed from blocklist');
+  } catch (err) {
+    s.fail('Failed to remove from blocklist');
+    throw err;
+  }
+}
+
+async function blocklistStats(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching blocklist stats');
+  try {
+    const data = await api.get('/blocklist/stats');
+    const stats = data.stats || data;
+    s.stop('Stats loaded');
+
+    if (flags.json) { ui.json(stats); return; }
+
+    console.log('');
+    ui.heading('Blocklist Statistics');
+    console.log('');
+    ui.keyValue([
+      ['Total Active', String(stats.totalActive ?? '—')],
+      ['Total Removed', String(stats.totalRemoved ?? '—')],
+      ['Manual Blocks', String(stats.manualCount ?? '—')],
+      ['Automation Blocks', String(stats.automationCount ?? '—')],
+      ['Active Rules', String(stats.activeAutomationRules ?? '—')],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch stats');
+    throw err;
+  }
+}
+
+// ── Allowlist ──
+
+async function allowlistList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching allowlist');
+  try {
+    const data = await api.get('/allowlist');
+    const items = data.allowedIps || [];
+    s.stop(`Found ${items.length} allowed IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = items.map(a => [
+      ui.c.dim(ui.truncate(a._id, 12)),
+      ui.c.green(a.ip || '—'),
+      a.label || ui.c.dim('—'),
+      ui.truncate(a.reason || '', 40),
+      ui.timeAgo(a.createdAt),
+      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'Added', 'Expires'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch allowlist');
+    throw err;
+  }
+}
+
+async function allowlistAdd(args, flags) {
+  requireAuth();
+  let ip = args[0];
+  if (!ip) {
+    ip = await ui.prompt('IP address or CIDR to allow');
+    if (!ip) { ui.error('IP is required'); process.exit(1); }
+  }
+
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.reason) body.reason = flags.reason;
+
+  const s = ui.spinner(`Allowing ${ip}`);
+  try {
+    await api.post('/allowlist', body);
+    s.stop(`${ip} added to allowlist`);
+  } catch (err) {
+    s.fail('Failed to add to allowlist');
+    throw err;
+  }
+}
+
+async function allowlistRemove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Allowlist entry ID required. Usage: securenow allowlist remove <id>');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this IP from the allowlist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Removing from allowlist');
+  try {
+    await api.delete(`/allowlist/${id}`);
+    s.stop('Removed from allowlist');
+  } catch (err) {
+    s.fail('Failed to remove from allowlist');
+    throw err;
+  }
+}
+
+async function allowlistStats(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching allowlist stats');
+  try {
+    const data = await api.get('/allowlist/stats');
+    const stats = data.stats || data;
+    s.stop('Stats loaded');
+
+    if (flags.json) { ui.json(stats); return; }
+
+    console.log('');
+    ui.heading('Allowlist Statistics');
+    console.log('');
+    ui.keyValue([
+      ['Total Active', String(stats.totalActive ?? '—')],
+      ['Total Removed', String(stats.totalRemoved ?? '—')],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch stats');
+    throw err;
+  }
+}
+
+// ── Trusted IPs ──
+
+async function trustedList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching trusted IPs');
+  try {
+    const data = await api.get('/trusted-ips');
+    const items = data.trustedIps || [];
+    s.stop(`Found ${items.length} trusted IP${items.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(items); return; }
+
+    console.log('');
+    const rows = items.map(t => [
+      ui.c.dim(ui.truncate(t._id, 12)),
+      ui.c.green(t.ip || t.cidr || '—'),
+      t.label || t.description || ui.c.dim('—'),
+      ui.timeAgo(t.createdAt),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'Added'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch trusted IPs');
+    throw err;
+  }
+}
+
+async function trustedAdd(args, flags) {
+  requireAuth();
+  let ip = args[0];
+  if (!ip) {
+    ip = await ui.prompt('IP address or CIDR to trust');
+    if (!ip) { ui.error('IP is required'); process.exit(1); }
+  }
+
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.description) body.description = flags.description;
+
+  const s = ui.spinner(`Adding ${ip} to trusted IPs`);
+  try {
+    await api.post('/trusted-ips', body);
+    s.stop(`${ip} added to trusted IPs`);
+  } catch (err) {
+    s.fail('Failed to add trusted IP');
+    throw err;
+  }
+}
+
+async function trustedRemove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Trusted IP entry ID required. Usage: securenow trusted remove <id>');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this IP from trusted list?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Removing from trusted IPs');
+  try {
+    await api.delete(`/trusted-ips/${id}`);
+    s.stop('Removed from trusted IPs');
+  } catch (err) {
+    s.fail('Failed to remove trusted IP');
+    throw err;
+  }
+}
+
+// ── Helpers ──
+
+async function resolveAppId(flags) {
+  const appKey = flags.app || config.getDefaultApp();
+  if (!appKey) return null;
+  const data = await api.get('/applications');
+  const apps = data.applications || [];
+  const match = apps.find(a => a.key === appKey);
+  return match ? { id: match._id, key: match.key, name: match.name } : null;
+}
+
+// ── Forensics ──
+
+async function forensicsQuery(args, flags) {
+  requireAuth();
+  const query = args.join(' ');
+  if (!query) {
+    ui.error('Query required. Usage: securenow forensics "your natural language query" [--app <key>]');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Submitting forensic query');
+  try {
+    const body = { query };
+    const resolved = await resolveAppId(flags);
+    if (resolved) {
+      body.applicationId = resolved.id;
+    } else if (flags.instance) {
+      body.instanceId = flags.instance;
+    }
+
+    const job = await api.post('/forensics/query', body);
+    const jobId = job.jobId;
+
+    if (!jobId) {
+      s.stop('Query complete');
+      if (flags.json) { ui.json(job); return; }
+      if (job.result) {
+        console.log('');
+        if (job.sqlquery) {
+          ui.subheading('Generated SQL');
+          console.log(`\n  ${ui.c.dim(job.sqlquery)}\n`);
+        }
+        const data = job.result;
+        if (Array.isArray(data) && data.length > 0) {
+          const headers = Object.keys(data[0]);
+          const rows = data.map(row => headers.map(h => String(row[h] ?? '')));
+          ui.table(headers, rows);
+        } else {
+          ui.json(data);
+        }
+        console.log('');
+      }
+      return;
+    }
+
+    s.update('Processing query...');
+
+    let result;
+    const maxAttempts = 60;
+    for (let i = 0; i < maxAttempts; i++) {
+      await new Promise(r => setTimeout(r, 2000));
+      result = await api.get(`/forensics/query/status/${jobId}`);
+      if (result.status === 'completed' || result.status === 'failed') break;
+      s.update(`Processing query... (${(i + 1) * 2}s)`);
+    }
+
+    if (result.status === 'failed') {
+      s.fail('Query failed');
+      ui.error(result.error || 'Unknown error');
+      return;
+    }
+
+    if (result.status !== 'completed') {
+      s.fail('Query timed out');
+      ui.warn('Query is still processing. Check back later.');
+      return;
+    }
+
+    s.stop('Query complete');
+
+    if (flags.json) { ui.json(result); return; }
+
+    console.log('');
+    if (result.sqlquery) {
+      ui.subheading('Generated SQL');
+      console.log(`\n  ${ui.c.dim(result.sqlquery)}\n`);
+    }
+
+    if (result.result) {
+      const data = result.result;
+      ui.subheading(`Results (${result.rowCount ?? (Array.isArray(data) ? data.length : '?')} rows)`);
+      console.log('');
+
+      if (Array.isArray(data) && data.length > 0) {
+        const headers = Object.keys(data[0]);
+        const rows = data.map(row => headers.map(h => String(row[h] ?? '')));
+        ui.table(headers, rows);
+      } else {
+        ui.json(data);
+      }
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Forensic query failed');
+    throw err;
+  }
+}
+
+async function forensicsLibrary(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching query library');
+  try {
+    const data = await api.get('/forensics/query-library');
+    const queries = data.data || [];
+    s.stop(`Found ${queries.length} saved quer${queries.length !== 1 ? 'ies' : 'y'}`);
+
+    if (flags.json) { ui.json(queries); return; }
+
+    console.log('');
+    const rows = queries.map(q => [
+      ui.c.dim(ui.truncate(q._id, 12)),
+      q.name || q.title || '—',
+      ui.truncate(q.description || q.query || '', 50),
+      ui.timeAgo(q.createdAt),
+    ]);
+    ui.table(['ID', 'Name', 'Description', 'Created'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch query library');
+    throw err;
+  }
+}
+
+// ── Forensics Chat ──
+
+async function forensicsChat(args, flags) {
+  requireAuth();
+  const resolved = await resolveAppId(flags);
+  if (!resolved) {
+    ui.error('App required. Usage: securenow forensics chat --app <key>');
+    ui.info('Set a default with: securenow apps default <key>');
+    process.exit(1);
+  }
+
+  console.log('');
+  ui.heading(`Forensics Chat — ${resolved.name || resolved.key}`);
+  console.log(ui.c.dim(`  App: ${resolved.key} (${resolved.id})`));
+  console.log(ui.c.dim('  Type your question, or "exit" to quit.\n'));
+
+  let conversationId = null;
+
+  const readline = require('readline');
+  const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+
+  const askLine = () => new Promise((resolve) => {
+    rl.question(ui.c.cyan('  you > '), (answer) => resolve(answer.trim()));
+  });
+
+  try {
+    while (true) {
+      const message = await askLine();
+      if (!message || message.toLowerCase() === 'exit' || message.toLowerCase() === 'quit') {
+        console.log('');
+        ui.info('Chat ended.');
+        break;
+      }
+
+      const s = ui.spinner('Thinking');
+      try {
+        const body = { message, applicationKey: resolved.key };
+        if (conversationId) body.conversationId = conversationId;
+
+        const chatRes = await api.post('/forensics/chat', body);
+        conversationId = chatRes.conversationId;
+
+        if (chatRes.status === 'processing') {
+          let result;
+          for (let i = 0; i < 150; i++) {
+            await new Promise(r => setTimeout(r, 2000));
+            result = await api.get(`/forensics/chat/status/${conversationId}`);
+            if (result.status === 'complete' || result.status === 'failed' || result.status === 'awaiting_confirmation') break;
+            const progress = result._progress;
+            if (progress?.action) s.update(progress.action);
+          }
+
+          if (!result || result.status === 'processing') {
+            s.fail('Response timed out');
+            continue;
+          }
+
+          s.stop('Done');
+          printChatMessage(result.message);
+
+          if (result.status === 'awaiting_confirmation') {
+            const proceed = await ui.confirm('Proceed with this query?');
+            if (proceed) {
+              const cs = ui.spinner('Executing query');
+              await api.post(`/forensics/chat/confirm/${conversationId}`);
+              let confirmResult;
+              for (let i = 0; i < 90; i++) {
+                await new Promise(r => setTimeout(r, 2000));
+                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`);
+                if (confirmResult.status !== 'processing') break;
+              }
+              cs.stop('Done');
+              if (confirmResult?.message) printChatMessage(confirmResult.message);
+            } else {
+              ui.info('Query skipped. Ask a different question or refine.');
+            }
+          }
+        } else if (chatRes.message) {
+          s.stop('Done');
+          printChatMessage(chatRes.message);
+        } else {
+          s.stop('Done');
+        }
+      } catch (err) {
+        s.fail('Error');
+        ui.error(err.message);
+      }
+      console.log('');
+    }
+  } finally {
+    rl.close();
+  }
+}
+
+function printChatMessage(msg) {
+  if (!msg) return;
+  console.log('');
+  if (msg.content) {
+    console.log(`  ${ui.c.green('ai >')} ${msg.content}`);
+  }
+  if (msg.sqlQuery) {
+    console.log('');
+    ui.subheading('Generated SQL');
+    console.log(`\n  ${ui.c.dim(msg.sqlQuery)}\n`);
+  }
+  if (msg.results && Array.isArray(msg.results) && msg.results.length > 0) {
+    ui.subheading(`Results (${msg.resultCount ?? msg.results.length} rows)`);
+    console.log('');
+    const headers = Object.keys(msg.results[0]);
+    const rows = msg.results.map(row => headers.map(h => String(row[h] ?? '')));
+    ui.table(headers, rows);
+  }
+  if (msg.estimation) {
+    const est = msg.estimation;
+    const rowLabel = est.timedOut
+      ? 'very large (estimation timed out)'
+      : est.estimatedRows != null
+        ? `~${Number(est.estimatedRows).toLocaleString()}`
+        : 'unknown';
+    console.log(`\n  ${ui.c.yellow('!')} Estimated rows: ${rowLabel}`);
+    if (est.suggestions?.length) {
+      console.log(ui.c.dim('  Suggestions:'));
+      for (const sug of est.suggestions) {
+        console.log(ui.c.dim(`    • ${sug}`));
+      }
+    }
+  }
+  if (msg.error && !msg.results) {
+    console.log(`\n  ${ui.c.red('Error:')} ${msg.error}`);
+  }
+}
+
+// ── IP Lookup ──
+
+async function ipLookup(args, flags) {
+  requireAuth();
+  const ip = args[0];
+  if (!ip) {
+    ui.error('IP address required. Usage: securenow ip <ip-address>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner(`Looking up ${ip}`);
+  try {
+    const data = await api.get(`/ip/${ip}`);
+    s.stop('IP intelligence loaded');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.heading(`IP Intelligence: ${data.ip || ip}`);
+    console.log('');
+
+    const pairs = [];
+    if (data.countryName || data.countryCode) pairs.push(['Country', `${data.countryName || ''} ${data.countryCode ? `(${data.countryCode})` : ''}`.trim()]);
+    if (data.domain) pairs.push(['Domain', data.domain]);
+    if (data.isp) pairs.push(['ISP', data.isp]);
+    if (data.usageType) pairs.push(['Usage Type', data.usageType]);
+    if (data.abuseConfidenceScore != null) pairs.push(['Abuse Score', `${data.abuseConfidenceScore}/100`]);
+    if (data.securenowScore != null) pairs.push(['SecureNow Score', String(data.securenowScore)]);
+    if (data.verdict) pairs.push(['Verdict', data.verdict]);
+    if (data.isMalicious != null) pairs.push(['Malicious', data.isMalicious ? ui.c.red('Yes') : ui.c.green('No')]);
+    if (data.isBot != null) pairs.push(['Bot', data.isBot ? ui.c.yellow('Yes') : 'No']);
+    if (data.activityType) pairs.push(['Activity', data.activityType]);
+    if (data.totalReports != null) pairs.push(['Total Reports', String(data.totalReports)]);
+    if (data.lastReportedAt) pairs.push(['Last Reported', new Date(data.lastReportedAt).toLocaleString()]);
+
+    if (pairs.length) {
+      ui.keyValue(pairs);
+    }
+
+    if (data.riskFactors?.length) {
+      ui.subheading('Risk Factors');
+      console.log('');
+      data.riskFactors.forEach(f => console.log(`  • ${f}`));
+    }
+
+    if (data.attackTypes?.length) {
+      ui.subheading('Attack Types');
+      console.log('');
+      data.attackTypes.forEach(a => console.log(`  • ${a}`));
+    }
+
+    if (data.summary) {
+      ui.subheading('Summary');
+      console.log(`\n  ${data.summary}`);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('IP lookup failed');
+    throw err;
+  }
+}
+
+async function ipTraces(args, flags) {
+  requireAuth();
+  const ip = args[0];
+  if (!ip) {
+    ui.error('IP address required. Usage: securenow ip traces <ip>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner(`Fetching traces for ${ip}`);
+  try {
+    const data = await api.get(`/ip/${ip}/traces`);
+    const traces = data.traces || [];
+    s.stop(`Found ${traces.length} trace${traces.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = traces.map(t => [
+      ui.c.dim(ui.truncate(t.traceID || t.traceId, 16)),
+      t.httpMethod || t.method || '—',
+      ui.httpStatusColor(t.statusCode || t.httpStatusCode || t.responseStatusCode || '—'),
+      ui.truncate(t.httpUrl || t.url || '', 40),
+      ui.durationColor(t.durationNano ? t.durationNano / 1e6 : t.duration),
+      ui.timeAgo(t.timestamp),
+    ]);
+    ui.table(['Trace ID', 'Method', 'Status', 'URL', 'Duration', 'Time'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch traces');
+    throw err;
+  }
+}
+
+// ── Instances ──
+
+async function instancesList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching instances');
+  try {
+    const data = await api.get('/instances');
+    const instances = data.instances || [];
+    s.stop(`Found ${instances.length} instance${instances.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(instances); return; }
+
+    console.log('');
+    const rows = instances.map(inst => [
+      ui.c.dim(ui.truncate(inst._id, 12)),
+      inst.name || inst.host || '—',
+      inst.host || '—',
+      inst.port != null ? String(inst.port) : '—',
+      inst.linkedApps != null ? String(inst.linkedApps) : '—',
+      ui.timeAgo(inst.createdAt),
+    ]);
+    ui.table(['ID', 'Name', 'Host', 'Port', 'Linked Apps', 'Added'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch instances');
+    throw err;
+  }
+}
+
+async function instancesTest(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Instance ID required. Usage: securenow instances test <id>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Testing instance connection');
+  try {
+    const result = await api.post(`/instances/${id}/test`);
+    if (result.success) {
+      s.stop(`Connection successful${result.storageGb ? ` (${result.storageGb} GB storage)` : ''}`);
+    } else {
+      s.fail(result.message || 'Connection failed');
+    }
+
+    if (flags.json) ui.json(result);
+  } catch (err) {
+    s.fail('Instance test failed');
+    throw err;
+  }
+}
+
+// ── Analytics ──
+
+async function analytics(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching analytics');
+  try {
+    const query = {};
+    const appKey = resolveApp(flags);
+    if (flags.instance) query.instanceId = flags.instance;
+
+    const data = await api.get('/analytics/summary', { query });
+
+    s.stop('Analytics loaded');
+
+    if (flags.json) {
+      ui.json(data);
+      return;
+    }
+
+    console.log('');
+    ui.heading('Analytics Overview');
+    console.log('');
+
+    const groups = ['2xx-responses', '3xx-responses', '4xx-responses', '5xx-responses', '500-errors'];
+    const pairs = groups.map(ep => {
+      const val = data[ep];
+      const count = val?.meta?.count ?? '—';
+      return [ep, String(count)];
+    });
+    ui.keyValue(pairs);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch analytics');
+    throw err;
+  }
+}
+
+module.exports = {
+  alertRulesRoute,
+  alertRulesList,
+  alertRuleShow,
+  alertRuleUpdate,
+  alertChannelsList,
+  alertHistoryList,
+  blocklistList,
+  blocklistAdd,
+  blocklistRemove,
+  blocklistStats,
+  allowlistList,
+  allowlistAdd,
+  allowlistRemove,
+  allowlistStats,
+  trustedList,
+  trustedAdd,
+  trustedRemove,
+  forensicsQuery,
+  forensicsChat,
+  forensicsLibrary,
+  ipLookup,
+  ipTraces,
+  instancesList,
+  instancesTest,
+  analytics,
+};