securenow 6.0.2 → 6.1.0

package/cli.js

@@ -1,499 +1,510 @@
 #!/usr/bin/env node
 'use strict';
 
-/**
- * SecureNow CLI
- * 
- * Usage: npx securenow init [options]
- */
+const ui = require('./cli/ui');
 
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const http = require('http');
-const https = require('https');
-const crypto = require('crypto');
-const readline = require('readline');
-const { exec } = require('child_process');
+// ── Argument Parser ──
 
-const APP_URL = (process.env.SECURENOW_APP_URL || 'https://app.securenow.ai').replace(/\/$/, '');
-const API_URL = (process.env.SECURENOW_API_URL || 'https://api.securenow.ai').replace(/\/$/, '');
-const CONFIG_DIR = path.join(os.homedir(), '.securenow');
-const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
-
-const commands = {
-  init: initCommand,
-  login: loginCommand,
-  logout: logoutCommand,
-  status: statusCommand,
-  apps: appsCommand,
-  help: helpCommand,
-  version: versionCommand,
-};
-
-// Templates
-const templates = {
-  typescript: `import { registerSecureNow } from 'securenow/nextjs';
-
-export function register() {
-  registerSecureNow();
-}
-
-/**
- * Configuration via .env.local:
- * 
- * Required:
- *   SECURENOW_APPID=my-nextjs-app
- * 
- * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
- *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
- *   OTEL_LOG_LEVEL=info
- */
-`,
-  javascript: `const { registerSecureNow } = require('securenow/nextjs');
-
-export function register() {
-  registerSecureNow();
-}
-
-/**
- * Configuration via .env.local:
- * 
- * Required:
- *   SECURENOW_APPID=my-nextjs-app
- * 
- * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
- *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
- *   OTEL_LOG_LEVEL=info
- */
-`,
-  env: `# SecureNow Configuration
-# Required: Your application identifier
-SECURENOW_APPID=my-nextjs-app
-
-# Optional: Your SigNoz/OpenTelemetry collector endpoint
-# Default: https://freetrial.securenow.ai:4318
-SECURENOW_INSTANCE=http://your-signoz-server:4318
-
-# Optional: API key or authentication headers
-# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"
-
-# Optional: Log level (debug|info|warn|error)
-# OTEL_LOG_LEVEL=info
-`,
-};
+function parseArgs(argv) {
+  const positional = [];
+  const flags = {};
 
-function initCommand(args) {
-  const flags = parseFlags(args);
-  const cwd = process.cwd();
-  
-  console.log('\n🚀 SecureNow Setup\n');
-  
-  // Check if Next.js project
-  const isNextJs = isNextJsProject(cwd);
-  if (!isNextJs && !flags.force) {
-    console.log('⚠️  This doesn\'t appear to be a Next.js project.');
-    console.log('   If you want to proceed anyway, use: npx securenow init --force\n');
-    process.exit(1);
-  }
-  
-  // Determine TypeScript or JavaScript
-  const useTypeScript = flags.typescript || 
-                        (!flags.javascript && fs.existsSync(path.join(cwd, 'tsconfig.json')));
-  
-  // Determine if using src folder
-  const useSrc = flags.src || 
-                 (!flags.root && fs.existsSync(path.join(cwd, 'src')));
-  
-  // Construct file paths
-  const fileName = useTypeScript ? 'instrumentation.ts' : 'instrumentation.js';
-  const filePath = useSrc 
-    ? path.join(cwd, 'src', fileName)
-    : path.join(cwd, fileName);
-  
-  // Check if file already exists
-  if (fs.existsSync(filePath) && !flags.force) {
-    console.log(`❌ ${useSrc ? 'src/' : ''}${fileName} already exists`);
-    console.log('   Use --force to overwrite\n');
-    process.exit(1);
-  }
-  
-  // Create instrumentation file
-  try {
-    const template = useTypeScript ? templates.typescript : templates.javascript;
-    
-    // Ensure src directory exists if needed
-    if (useSrc) {
-      fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    }
-    
-    fs.writeFileSync(filePath, template, 'utf8');
-    console.log(`✅ Created ${useSrc ? 'src/' : ''}${fileName}`);
-  } catch (error) {
-    console.error(`❌ Failed to create instrumentation file: ${error.message}\n`);
-    process.exit(1);
-  }
-  
-  // Create .env.local if it doesn't exist
-  const envPath = path.join(cwd, '.env.local');
-  if (!fs.existsSync(envPath) || flags.force) {
-    try {
-      fs.writeFileSync(envPath, templates.env, 'utf8');
-      console.log('✅ Created .env.local template');
-    } catch (error) {
-      console.warn(`⚠️  Could not create .env.local: ${error.message}`);
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith('--')) {
+      const eqIdx = arg.indexOf('=');
+      if (eqIdx !== -1) {
+        flags[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);
+      } else {
+        const next = argv[i + 1];
+        if (next && !next.startsWith('-')) {
+          flags[arg.slice(2)] = next;
+          i++;
+        } else {
+          flags[arg.slice(2)] = true;
+        }
+      }
+    } else if (arg.startsWith('-') && arg.length === 2) {
+      const shortMap = { f: 'force', y: 'yes', v: 'verbose', j: 'json' };
+      const long = shortMap[arg[1]] || arg[1];
+      flags[long] = true;
+    } else {
+      positional.push(arg);
     }
-  } else {
-    console.log('ℹ️  .env.local already exists (skipped)');
   }
-  
-  // Success message
-  console.log('\n┌─────────────────────────────────────────────────┐');
-  console.log('│  🎉 Setup Complete!                             │');
-  console.log('│                                                 │');
-  console.log('│  Next steps:                                    │');
-  console.log('│                                                 │');
-  console.log('│  1. Edit .env.local and configure:             │');
-  console.log('│     SECURENOW_APPID=your-app-name              │');
-  console.log('│     SECURENOW_INSTANCE=http://signoz:4318      │');
-  console.log('│                                                 │');
-  console.log('│  2. Start your Next.js app: npm run dev        │');
-  console.log('│                                                 │');
-  console.log('│  3. Check SigNoz dashboard for traces!         │');
-  console.log('│                                                 │');
-  console.log('│  📚 Documentation:                              │');
-  console.log('│     node_modules/securenow/NEXTJS-GUIDE.md     │');
-  console.log('└─────────────────────────────────────────────────┘\n');
-}
-
-// ─── Auth / config ──────────────────────────────────────────────
 
-function loadConfig() {
-  try {
-    if (!fs.existsSync(CONFIG_FILE)) return {};
-    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
-  } catch {
-    return {};
-  }
+  return { positional, flags };
 }
 
-function saveConfig(cfg) {
-  try {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true });
-    fs.writeFileSync(CONFIG_FILE, JSON.stringify(cfg, null, 2), { mode: 0o600 });
-    try { fs.chmodSync(CONFIG_FILE, 0o600); } catch {}
-  } catch (err) {
-    console.error(`❌ Could not write ${CONFIG_FILE}: ${err.message}`);
-    process.exit(1);
-  }
-}
+// ── Command Registry ──
+
+const COMMANDS = {
+  init: {
+    desc: 'Set up SecureNow in the current project (instrumentation, config, env)',
+    usage: 'securenow init [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
+    flags: {
+      key: 'API key to write to .env',
+      'api-key': 'Alias for --key',
+      typescript: 'Force TypeScript',
+      javascript: 'Force JavaScript',
+      src: 'Create in src/',
+      root: 'Create in root',
+      force: 'Overwrite existing',
+    },
+    run: (a, f) => require('./cli/init').init(a, f),
+  },
+  login: {
+    desc: 'Authenticate with SecureNow',
+    usage: 'securenow login [--token <TOKEN>] [--local]',
+    flags: { token: 'Authenticate with a token directly', local: 'Save credentials to this project only (.securenow/)' },
+    run: (a, f) => require('./cli/auth').login(a, f),
+  },
+  logout: {
+    desc: 'Clear stored credentials',
+    usage: 'securenow logout [--local]',
+    flags: { local: 'Clear project-local credentials only' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
+  },
+  whoami: {
+    desc: 'Show current session info',
+    usage: 'securenow whoami',
+    run: () => require('./cli/auth').whoami(),
+  },
+  apps: {
+    desc: 'Manage applications',
+    usage: 'securenow apps <subcommand> [options]',
+    sub: {
+      list: { desc: 'List all applications', run: (a, f) => require('./cli/apps').list(a, f) },
+      create: { desc: 'Create a new application (interactive instance picker)', usage: 'securenow apps create <name> [--hosts host1,host2] [--instance <id>]', run: (a, f) => require('./cli/apps').create(a, f) },
+      info: { desc: 'Show application details', usage: 'securenow apps info <id>', run: (a, f) => require('./cli/apps').info(a, f) },
+      delete: { desc: 'Delete an application', usage: 'securenow apps delete <id> [--force]', run: (a, f) => require('./cli/apps').remove(a, f) },
+      default: { desc: 'Set default application', usage: 'securenow apps default <key>', run: (a, f) => require('./cli/apps').setDefault(a, f) },
+      discover: { desc: 'Discover subdomains and add as apps', usage: 'securenow apps discover [appId] [--domain example.com]', run: (a, f) => require('./cli/apps').discover(a, f) },
+      scan: { desc: 'Scan all app domains for new subdomains', usage: 'securenow apps scan [--yes]', run: (a, f) => require('./cli/apps').scan(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  traces: {
+    desc: 'View and analyze traces',
+    usage: 'securenow traces <subcommand> [options]',
+    sub: {
+      list: { desc: 'List recent traces', flags: { app: 'App key', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
+      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
+      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  logs: {
+    desc: 'View application logs',
+    usage: 'securenow logs [options]',
+    sub: {
+      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
+      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  notifications: {
+    desc: 'Manage notifications',
+    usage: 'securenow notifications <subcommand> [options]',
+    sub: {
+      list: { desc: 'List notifications', flags: { limit: 'Max results', page: 'Page number' }, run: (a, f) => require('./cli/monitor').notificationsList(a, f) },
+      read: { desc: 'Mark notification as read', usage: 'securenow notifications read <id>', run: (a, f) => require('./cli/monitor').notificationsRead(a, f) },
+      'read-all': { desc: 'Mark all as read', run: () => require('./cli/monitor').notificationsReadAll() },
+      unread: { desc: 'Show unread count', run: () => require('./cli/monitor').notificationsUnread() },
+    },
+    defaultSub: 'list',
+  },
+  alerts: {
+    desc: 'Manage alerting',
+    usage: 'securenow alerts <subcommand> [options]',
+    sub: {
+      rules: {
+        desc: 'List, show, or update alert rules',
+        flags: {
+          json: 'Output as JSON',
+          'applications-all': 'With update: scope rule to all apps',
+          'no-applications-all': 'With update: scope to explicit --apps list',
+          apps: 'Comma-separated app keys (with update)',
+        },
+        run: (a, f) => require('./cli/security').alertRulesRoute(a, f),
+      },
+      channels: { desc: 'List alert channels', run: (a, f) => require('./cli/security').alertChannelsList(a, f) },
+      history: { desc: 'View alert history', flags: { limit: 'Max results' }, run: (a, f) => require('./cli/security').alertHistoryList(a, f) },
+    },
+    defaultSub: 'rules',
+  },
+  fp: {
+    desc: 'Manage false-positive exclusion rules',
+    usage: 'securenow fp <subcommand> [options]',
+    flags: { json: 'Output as JSON', conditions: 'JSON array of conditions', 'match-mode': 'Match mode: all (AND) or any (OR)', 'rule-scope': 'Scope: this_rule | specific_rules | all_existing | any_rule', 'target-rules': 'Comma-separated rule IDs (when --rule-scope specific_rules)', 'path-safe': 'Add path_safe_values condition (standard|strict)', 'query-safe': 'Add query_safe_values condition (standard|strict)', 'query-keys': 'Allowed query param names (comma-separated)', 'ua-safe': 'Add ua_safe_values condition (standard|strict)', 'headers-safe': 'Add headers_safe_values condition (standard|strict)', 'headers-keys': 'Allowed header names (comma-separated)' },
+    sub: {
+      list: { desc: 'List all exclusion rules', run: (a, f) => require('./cli/fp').list(a, f) },
+      show: { desc: 'Show exclusion rule details', usage: 'securenow fp show <id>', run: (a, f) => require('./cli/fp').show(a, f) },
+      create: { desc: 'Create an exclusion rule', usage: 'securenow fp create [--conditions \'[...]\'] [--path /api/event] [--method POST] [--path-safe standard] [--ua-safe standard] [--headers-safe standard] [--query-keys page,limit] [--headers-keys host,content-type] [--reason "..."] [--rule-scope any_rule|specific_rules|all_existing] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').create(a, f) },
+      edit: { desc: 'Edit an exclusion rule', usage: 'securenow fp edit <id> [--active true/false] [--conditions \'[...]\']', run: (a, f) => require('./cli/fp').edit(a, f) },
+      delete: { desc: 'Delete an exclusion rule', usage: 'securenow fp delete <id> [--yes]', run: (a, f) => require('./cli/fp').remove(a, f) },
+      'test-body': { desc: 'Test a request body against conditions', usage: 'securenow fp test-body <body|@file> --conditions \'[...]\'', run: (a, f) => require('./cli/fp').testBody(a, f) },
+      'dry-run': { desc: 'Dry-run conditions against live traces (last 3 days)', usage: 'securenow fp dry-run --conditions \'[...]\'', run: (a, f) => require('./cli/fp').dryRun(a, f) },
+      'ai-fill': { desc: 'AI-generate exclusion conditions', usage: 'securenow fp ai-fill [--description "..."] [--context \'{"method":"POST",...}\']', run: (a, f) => require('./cli/fp').aiFill(a, f) },
+      mark: { desc: 'Mark an IP as false positive on a notification', usage: 'securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').mark(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  firewall: {
+    desc: 'Firewall status and IP testing',
+    usage: 'securenow firewall <subcommand> [options]',
+    sub: {
+      status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
+    },
+    defaultSub: 'status',
+  },
+  blocklist: {
+    desc: 'Manage IP blocklist',
+    usage: 'securenow blocklist <subcommand> [options]',
+    sub: {
+      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+      remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  allowlist: {
+    desc: 'Manage IP allowlist (only allow listed IPs)',
+    usage: 'securenow allowlist <subcommand> [options]',
+    sub: {
+      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
+      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
+      remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
+      stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  trusted: {
+    desc: 'Manage trusted IPs',
+    usage: 'securenow trusted <subcommand> [options]',
+    sub: {
+      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
+      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
+      remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  ip: {
+    desc: 'IP intelligence lookup',
+    usage: 'securenow ip <ip-address>',
+    sub: {
+      lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
+      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip>', run: (a, f) => require('./cli/security').ipTraces(a, f) },
+    },
+    defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
+  },
+  forensics: {
+    desc: 'Run forensic queries (natural language → SQL)',
+    usage: 'securenow forensics <query> [--app <key>]',
+    sub: {
+      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
+      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key>', flags: { app: 'App key to chat with' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
+      library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
+    },
+    defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
+  },
+  instances: {
+    desc: 'Manage ClickHouse instances',
+    usage: 'securenow instances <subcommand> [options]',
+    sub: {
+      list: { desc: 'List instances', run: (a, f) => require('./cli/security').instancesList(a, f) },
+      test: { desc: 'Test instance connection', usage: 'securenow instances test <id>', run: (a, f) => require('./cli/security').instancesTest(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  analytics: {
+    desc: 'View response analytics',
+    usage: 'securenow analytics [--app <key>]',
+    run: (a, f) => require('./cli/security').analytics(a, f),
+  },
+  status: {
+    desc: 'Dashboard overview',
+    usage: 'securenow status [--app <key>]',
+    run: (a, f) => require('./cli/monitor').status(a, f),
+  },
+  config: {
+    desc: 'Manage CLI configuration',
+    usage: 'securenow config <set|get> [key] [value]',
+    sub: {
+      set: {
+        desc: 'Set a config value',
+        usage: 'securenow config set <key> <value>',
+        run: (a) => {
+          const conf = require('./cli/config');
+          const [key, ...rest] = a;
+          const value = rest.join(' ');
+          if (!key || !value) { ui.error('Usage: securenow config set <key> <value>'); process.exit(1); }
+          conf.setConfigValue(key, value);
+          ui.success(`${key} = ${value}`);
+        },
+      },
+      get: {
+        desc: 'Get a config value',
+        usage: 'securenow config get [key]',
+        run: (a) => {
+          const conf = require('./cli/config');
+          const key = a[0];
+          if (key) {
+            const val = conf.getConfigValue(key);
+            console.log(val != null ? val : ui.c.dim('(not set)'));
+          } else {
+            const all = conf.loadConfig();
+            console.log('');
+            ui.keyValue(Object.entries(all).map(([k, v]) => [k, v != null ? String(v) : ui.c.dim('(not set)')]));
+            console.log('');
+          }
+        },
+      },
+      path: {
+        desc: 'Show config file path',
+        run: () => {
+          const conf = require('./cli/config');
+          console.log(`Config:         ${conf.CONFIG_FILE}`);
+          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
+          if (conf.hasLocalCredentials()) {
+            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
+          }
+          console.log(`Auth source:    ${conf.getAuthSource()}`);
+        },
+      },
+    },
+  },
+  run: {
+    desc: 'Run a Node.js app with automatic OTel instrumentation',
+    usage: 'securenow run [node-flags] [--firewall-only] <script> [app-args]',
+    flags: {
+      watch: 'Enable Node.js watch mode',
+      inspect: 'Enable Node.js inspector',
+      'firewall-only': 'Preload firewall without OTel tracing overhead',
+    },
+    rawArgv: true,
+    run: (rawArgs) => require('./cli/run').run(rawArgs),
+  },
+  redact: {
+    desc: 'Redact sensitive fields from a JSON payload',
+    usage: "securenow redact '<json>' [--fields f1,f2] [--json]",
+    flags: { fields: 'Comma-separated extra field names to redact (added to defaults)' },
+    run: (a, f) => require('./cli/utils').redact(a, f),
+  },
+  cidr: {
+    desc: 'CIDR utilities (match and parse)',
+    usage: 'securenow cidr <match|parse> ...',
+    sub: {
+      match: {
+        desc: 'Check if an IP matches a CIDR list',
+        usage: 'securenow cidr match <ip> <cidr1,cidr2,...>',
+        run: (a, f) => require('./cli/utils').cidrMatch(a, f),
+      },
+      parse: {
+        desc: 'Parse a CIDR and show network/broadcast/size',
+        usage: 'securenow cidr parse <cidr>',
+        run: (a, f) => require('./cli/utils').cidrParse(a, f),
+      },
+    },
+  },
+  log: {
+    desc: 'Emit logs via OTLP (for scripts, cron, debugging)',
+    usage: 'securenow log send <message> [--level info|warn|error] [--attrs k=v,k=v]',
+    sub: {
+      send: {
+        desc: 'Send a single log record to the OTLP collector',
+        flags: {
+          level: 'Severity (trace|debug|info|warn|error|fatal)',
+          attrs: 'Comma-separated key=value attributes',
+        },
+        run: (a, f) => require('./cli/diagnostics').logSend(a, f),
+      },
+    },
+    defaultSub: 'send',
+  },
+  'test-span': {
+    desc: 'Emit a test span to verify collector connectivity',
+    usage: 'securenow test-span [<span-name>]',
+    run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
+  },
+  doctor: {
+    desc: 'Diagnose SecureNow configuration and collector connectivity',
+    usage: 'securenow doctor [--json]',
+    run: (a, f) => require('./cli/diagnostics').doctor(a, f),
+  },
+  env: {
+    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
+    usage: 'securenow env [--json]',
+    run: (a, f) => require('./cli/diagnostics').env(a, f),
+  },
+  version: {
+    desc: 'Show CLI version',
+    run: () => {
+      try {
+        const pkg = require('./package.json');
+        console.log(`securenow v${pkg.version}`);
+      } catch {
+        console.log('securenow (version unknown)');
+      }
+    },
+  },
+};
 
-function openBrowser(url) {
-  const cmd =
-    process.platform === 'darwin' ? `open "${url}"` :
-    process.platform === 'win32' ? `start "" "${url}"` :
-    `xdg-open "${url}"`;
-  exec(cmd, () => {});
-}
+// ── Help System ──
 
-function loginCommand(args) {
-  const flags = parseFlags(args);
-  const state = crypto.randomBytes(16).toString('hex');
+function showBanner() {
+  console.log('');
+  console.log(`  ${ui.c.bold(ui.c.cyan('SecureNow CLI'))} ${ui.c.dim('— Security observability from the terminal')}`);
+  console.log('');
+}
 
-  const server = http.createServer((req, res) => {
-    const url = new URL(req.url, 'http://127.0.0.1');
-    if (url.pathname !== '/callback') {
-      res.writeHead(404); res.end();
-      return;
+function showHelp(commandName) {
+  if (commandName && COMMANDS[commandName]) {
+    const cmd = COMMANDS[commandName];
+    showBanner();
+    console.log(`  ${ui.c.bold(commandName)} — ${cmd.desc}`);
+    console.log('');
+    if (cmd.usage) {
+      console.log(`  ${ui.c.bold('USAGE')}`);
+      console.log(`    ${cmd.usage}`);
+      console.log('');
     }
-    const token = url.searchParams.get('token');
-    const gotState = url.searchParams.get('state');
-    if (!token || gotState !== state) {
-      res.writeHead(400, { 'Content-Type': 'text/html' });
-      res.end('<h1>Auth failed</h1><p>You can close this tab and try again.</p>');
-      return;
+    if (cmd.sub) {
+      console.log(`  ${ui.c.bold('SUBCOMMANDS')}`);
+      const entries = Object.entries(cmd.sub);
+      const maxLen = entries.reduce((m, [k]) => Math.max(m, k.length), 0);
+      for (const [name, sub] of entries) {
+        console.log(`    ${ui.c.cyan(name.padEnd(maxLen + 2))} ${sub.desc}`);
+      }
+      console.log('');
     }
-    saveConfig({ token, savedAt: new Date().toISOString() });
-    res.writeHead(200, { 'Content-Type': 'text/html' });
-    res.end('<h1>✅ Logged in to SecureNow</h1><p>You can close this tab and return to your terminal.</p>');
-    console.log('\n✅ Logged in. Token saved to', CONFIG_FILE, '\n');
-    setTimeout(() => { server.close(); process.exit(0); }, 200);
-  });
-
-  server.listen(0, '127.0.0.1', () => {
-    const port = server.address().port;
-    const callback = `http://127.0.0.1:${port}/callback`;
-    const authUrl = `${APP_URL}/cli/auth?callback=${encodeURIComponent(callback)}&state=${state}${flags.force ? '&force_login=1' : ''}`;
-    console.log('\n🔐 SecureNow Login\n');
-    console.log('Opening browser to authenticate...');
-    console.log('If it doesn\'t open, paste this URL:\n  ' + authUrl + '\n');
-    openBrowser(authUrl);
-  });
-
-  setTimeout(() => {
-    console.error('\n⏱  Login timed out after 5 minutes.');
-    try { server.close(); } catch {}
-    process.exit(1);
-  }, 5 * 60 * 1000).unref();
-}
-
-function logoutCommand() {
-  if (fs.existsSync(CONFIG_FILE)) {
-    try { fs.unlinkSync(CONFIG_FILE); } catch {}
+    if (cmd.flags) {
+      console.log(`  ${ui.c.bold('FLAGS')}`);
+      for (const [flag, desc] of Object.entries(cmd.flags)) {
+        console.log(`    --${ui.c.cyan(flag.padEnd(16))} ${desc}`);
+      }
+      console.log('');
+    }
+    console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
+    console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
+    console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help`);
+    console.log('');
+    return;
   }
-  console.log('✅ Logged out');
-}
 
-function statusCommand() {
-  const cfg = loadConfig();
-  if (!cfg.token) {
-    console.log('❌ Not logged in. Run: npx securenow login');
-    process.exit(1);
+  showBanner();
+
+  const groups = {
+    'Run': ['run'],
+    'Authentication': ['login', 'logout', 'whoami'],
+    'Applications': ['apps', 'init', 'status'],
+    'Observe': ['traces', 'logs', 'analytics'],
+    'Detect & Respond': ['notifications', 'alerts', 'fp'],
+    'Investigate': ['ip', 'forensics'],
+    'Firewall': ['firewall'],
+    'Remediation': ['blocklist', 'allowlist', 'trusted'],
+    'Telemetry': ['log', 'test-span'],
+    'Utilities': ['redact', 'cidr', 'doctor', 'env'],
+    'Settings': ['instances', 'config', 'version'],
+  };
+
+  for (const [group, cmds] of Object.entries(groups)) {
+    console.log(`  ${ui.c.bold(group)}`);
+    for (const name of cmds) {
+      const cmd = COMMANDS[name];
+      if (cmd) {
+        console.log(`    ${ui.c.cyan(name.padEnd(18))} ${cmd.desc}`);
+      }
+    }
+    console.log('');
   }
-  console.log('✅ Logged in');
-  console.log('   Config: ' + CONFIG_FILE);
-  console.log('   API:    ' + API_URL);
-  apiRequest('GET', '/api/applications', null, cfg.token)
-    .then((data) => {
-      const count = (data && (data.applications || data)) ? (data.applications || data).length : 0;
-      console.log('   Apps:   ' + count);
-    })
-    .catch((err) => {
-      console.log('   Apps:   (could not reach API: ' + err.message + ')');
-      process.exit(1);
-    });
-}
-
-// ─── HTTP helper ────────────────────────────────────────────────
 
-function apiRequest(method, pathname, body, token) {
-  return new Promise((resolve, reject) => {
-    const u = new URL(API_URL + pathname);
-    const lib = u.protocol === 'https:' ? https : http;
-    const data = body ? JSON.stringify(body) : null;
-    const req = lib.request({
-      method,
-      hostname: u.hostname,
-      port: u.port || (u.protocol === 'https:' ? 443 : 80),
-      path: u.pathname + u.search,
-      headers: {
-        'Content-Type': 'application/json',
-        'Accept': 'application/json',
-        'User-Agent': 'securenow-cli',
-        ...(token ? { Authorization: `Bearer ${token}` } : {}),
-        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}),
-      },
-    }, (res) => {
-      let chunks = '';
-      res.on('data', (c) => { chunks += c; });
-      res.on('end', () => {
-        if (res.statusCode === 401) return reject(new Error('Unauthorized — run: npx securenow login'));
-        if (res.statusCode >= 400) {
-          let msg = `HTTP ${res.statusCode}`;
-          try { const j = JSON.parse(chunks); if (j.error) msg = j.error; } catch {}
-          return reject(new Error(msg));
-        }
-        try { resolve(chunks ? JSON.parse(chunks) : {}); }
-        catch { resolve({}); }
-      });
-    });
-    req.on('error', reject);
-    if (data) req.write(data);
-    req.end();
-  });
+  console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
+  console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
+  console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help for a command`);
+  console.log('');
+  console.log(`  ${ui.c.dim('Run')} securenow help <command> ${ui.c.dim('for detailed usage')}`);
+  console.log('');
 }
 
-// ─── apps ───────────────────────────────────────────────────────
+// ── Main Router ──
 
-function appsCommand(args) {
-  const sub = args[0];
-  const rest = args.slice(1);
-  if (sub === 'list' || !sub) return appsList(rest);
-  if (sub === 'create' || sub === 'add') return appsCreate(rest);
-  console.error('Unknown apps subcommand. Try: list, create');
-  process.exit(1);
-}
+async function main() {
+  const { positional, flags } = parseArgs(process.argv.slice(2));
+  const cmdName = positional[0] || 'help';
 
-function requireAuth() {
-  const cfg = loadConfig();
-  if (!cfg.token) {
-    console.error('❌ Not logged in. Run: npx securenow login');
-    process.exit(1);
+  if (cmdName === 'help' || flags.help) {
+    showHelp(flags.help === true ? positional[0] : flags.help || positional[1] || (cmdName !== 'help' ? cmdName : null));
+    return;
   }
-  return cfg.token;
-}
 
-async function appsList(args) {
-  const json = args.includes('--json');
-  const token = requireAuth();
-  try {
-    const data = await apiRequest('GET', '/api/applications', null, token);
-    const apps = data.applications || data || [];
-    if (json) { console.log(JSON.stringify(apps, null, 2)); return; }
-    if (!apps.length) { console.log('(no applications yet — npx securenow apps create)'); return; }
-    console.log('\nApplications:\n');
-    for (const a of apps) {
-      console.log(`  • ${a.name}${a.key ? '  ' + a.key : ''}`);
-      if (a.hosts && a.hosts.length) console.log(`      hosts: ${a.hosts.join(', ')}`);
+  const cmd = COMMANDS[cmdName];
+  if (!cmd) {
+    // Auto-detect: if the first arg looks like a file path, treat it as `securenow run <file>`
+    if (/\.(m?[jt]sx?|cjs)$/.test(cmdName) || cmdName.includes('/') || cmdName.includes('\\')) {
+      return COMMANDS.run.run(process.argv.slice(2));
     }
-    console.log('');
-  } catch (err) {
-    console.error('❌ ' + err.message);
+    ui.error(`Unknown command: ${cmdName}`);
+    ui.info('Run `securenow help` for a list of commands.');
     process.exit(1);
   }
-}
 
-function prompt(question) {
-  return new Promise((resolve) => {
-    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    rl.question(question, (a) => { rl.close(); resolve(a.trim()); });
-  });
-}
-
-async function appsCreate(args) {
-  const token = requireAuth();
-  const flags = {};
-  for (let i = 0; i < args.length; i++) {
-    if (args[i] === '--name') flags.name = args[++i];
-    else if (args[i] === '--hosts') flags.hosts = args[++i];
-  }
-  const name = flags.name || await prompt('Application name: ');
-  if (!name) { console.error('❌ Name is required'); process.exit(1); }
-  const hostsStr = flags.hosts != null ? flags.hosts : await prompt('Hosts (comma-separated, optional): ');
-  const hosts = hostsStr ? hostsStr.split(',').map(s => s.trim()).filter(Boolean) : [];
-  try {
-    const data = await apiRequest('POST', '/api/applications', { name, hosts }, token);
-    const app = data.application || data;
-    console.log('\n✅ Created application: ' + (app.name || name));
-    if (app.key) console.log('   Key: ' + app.key);
-    console.log('\nNext: add SECURENOW_APPID=' + (app.name || name) + ' to your .env.local\n');
-  } catch (err) {
-    console.error('❌ ' + err.message);
-    process.exit(1);
+  if (cmd.rawArgv) {
+    // Pass raw argv (everything after the command name) so the command can
+    // forward flags like --watch, --inspect verbatim to child processes.
+    const cmdIdx = process.argv.indexOf(cmdName);
+    const rawArgs = cmdIdx !== -1 ? process.argv.slice(cmdIdx + 1) : positional.slice(1);
+    await cmd.run(rawArgs);
+    return;
   }
-}
-
-function helpCommand() {
-  console.log(`
-SecureNow CLI - OpenTelemetry instrumentation for Next.js
 
-USAGE:
-  npx securenow <command> [options]
-
-COMMANDS:
-  login              Authenticate with SecureNow (opens browser)
-  logout             Remove saved credentials
-  status             Show current auth + API connectivity
-  init               Scaffold instrumentation in your Next.js project
-  apps list          List your applications
-  apps create        Create a new application (interactive)
-  help               Show this help message
-  version            Show package version
-
-OPTIONS:
-  --typescript, --ts    Force TypeScript (creates instrumentation.ts)
-  --javascript, --js    Force JavaScript (creates instrumentation.js)
-  --src                 Create file in src/ folder
-  --root                Create file in project root
-  --force, -f           Overwrite existing files
-
-EXAMPLES:
-  # First-time setup
-  npx securenow login
-  npx securenow apps create --name my-app
-  npx securenow init
-
-  # Auto-detect and setup
-  npx securenow init
+  if (cmd.run && !cmd.sub) {
+    await cmd.run(positional.slice(1), flags);
+    return;
+  }
 
-  # Force TypeScript in src folder
-  npx securenow init --typescript --src
+  if (cmd.sub) {
+    let subName = positional[1];
+    let subArgs = positional.slice(2);
 
-  # Force JavaScript in root
-  npx securenow init --javascript --root
+    if (subName && cmd.sub[subName]) {
+      if (flags.help) {
+        showHelp(cmdName);
+        return;
+      }
+      await cmd.sub[subName].run(subArgs, flags);
+      return;
+    }
 
-  # Overwrite existing files
-  npx securenow init --force
+    if (cmd.defaultAction) {
+      const allArgs = subName ? [subName, ...subArgs] : [];
+      await cmd.defaultAction(allArgs, flags);
+      return;
+    }
 
-DOCUMENTATION:
-  Quick Start: node_modules/securenow/NEXTJS-QUICKSTART.md
-  Full Guide:  node_modules/securenow/NEXTJS-GUIDE.md
-  Examples:    node_modules/securenow/examples/
-`);
-}
+    if (cmd.defaultSub) {
+      const allArgs = subName ? [subName, ...subArgs] : [];
+      await cmd.sub[cmd.defaultSub].run(allArgs, flags);
+      return;
+    }
 
-function versionCommand() {
-  try {
-    const packageJson = require('./package.json');
-    console.log(`securenow v${packageJson.version}`);
-  } catch (error) {
-    console.log('securenow (version unknown)');
+    showHelp(cmdName);
+    return;
   }
-}
 
-// Utility functions
-function parseFlags(args) {
-  const flags = {};
-  
-  for (let i = 0; i < args.length; i++) {
-    const arg = args[i];
-    
-    if (arg === '--typescript' || arg === '--ts') {
-      flags.typescript = true;
-    } else if (arg === '--javascript' || arg === '--js') {
-      flags.javascript = true;
-    } else if (arg === '--src') {
-      flags.src = true;
-    } else if (arg === '--root') {
-      flags.root = true;
-    } else if (arg === '--force' || arg === '-f') {
-      flags.force = true;
-    }
+  if (cmd.run) {
+    await cmd.run(positional.slice(1), flags);
   }
-  
-  return flags;
 }
 
-function isNextJsProject(dir) {
-  try {
-    const packageJsonPath = path.join(dir, 'package.json');
-    if (!fs.existsSync(packageJsonPath)) return false;
-    
-    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-    const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
-    
-    return !!deps.next;
-  } catch (error) {
-    return false;
+main().catch((err) => {
+  if (err.name !== 'CLIError') {
+    ui.error(err.message || 'An unexpected error occurred');
   }
-}
-
-// Main
-function main() {
-  const args = process.argv.slice(2);
-  const command = args[0] || 'help';
-  const commandFn = commands[command];
-  
-  if (!commandFn) {
-    console.error(`Unknown command: ${command}`);
-    console.log('Run "npx securenow help" for usage\n');
-    process.exit(1);
+  if (process.env.SECURENOW_DEBUG) {
+    console.error(err.stack || err);
   }
-  
-  commandFn(args.slice(1));
-}
-
-if (require.main === module) {
-  main();
-}
-
-module.exports = { main };
-
-
-
-
-
-
-
+  process.exit(1);
+});