securenow 6.0.2 → 6.1.0

package/cli/fp.js

@@ -0,0 +1,638 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { api, requireAuth } = require('./client');
+const ui = require('./ui');
+
+// ── Helpers ──
+
+function parseConditions(flags) {
+  if (!flags.conditions) return null;
+  try {
+    const parsed = JSON.parse(flags.conditions);
+    if (!Array.isArray(parsed)) throw new Error();
+    return parsed;
+  } catch {
+    ui.error('--conditions must be a valid JSON array, e.g. \'[{"field":"path","operator":"equals","value":"/api/event"}]\'');
+    process.exit(1);
+  }
+}
+
+function readBody(args, flags) {
+  const raw = args[0] || flags.body;
+  if (!raw && !process.stdin.isTTY) {
+    try {
+      return fs.readFileSync(0, 'utf8');
+    } catch { return null; }
+  }
+  if (!raw) return null;
+  if (raw.startsWith('@')) {
+    const filePath = path.resolve(raw.slice(1));
+    if (!fs.existsSync(filePath)) {
+      ui.error(`File not found: ${filePath}`);
+      process.exit(1);
+    }
+    return fs.readFileSync(filePath, 'utf8');
+  }
+  return raw;
+}
+
+function conditionsSummary(conditions, matchMode) {
+  if (!conditions || !conditions.length) return ui.c.dim('(none)');
+  const mode = matchMode === 'any' ? ' OR ' : ' AND ';
+  return conditions.map(c => `${c.field} ${c.operator} "${ui.truncate(c.value || '', 30)}"`).join(mode);
+}
+
+function printConditions(conditions, matchMode) {
+  if (!conditions?.length) { console.log(ui.c.dim('  No conditions')); return; }
+  const modeLabel = matchMode === 'any' ? ui.c.yellow('ANY (OR)') : ui.c.cyan('ALL (AND)');
+  console.log(`  Match mode: ${modeLabel}\n`);
+  conditions.forEach((c, i) => {
+    const prefix = i > 0 ? `  ${matchMode === 'any' ? 'OR ' : 'AND'}` : '    ';
+    console.log(`${prefix} ${ui.c.bold(c.field)} ${ui.c.cyan(c.operator)} ${ui.c.dim('"')}${c.value || ''}${ui.c.dim('"')}`);
+  });
+}
+
+// ── List ──
+
+async function list(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching exclusion rules');
+  try {
+    const data = await api.get('/false-positives');
+    const exclusions = data.exclusions || [];
+    s.stop(`Found ${exclusions.length} exclusion rule${exclusions.length !== 1 ? 's' : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    if (!exclusions.length) {
+      ui.info('No exclusion rules found. Create one with: securenow fp create');
+      console.log('');
+      return;
+    }
+
+    const rows = exclusions.map(e => {
+      const scope = e.type === 'global' ? ui.c.cyan('All Rules') : `Rule: ${ui.truncate(e.ruleName || '?', 18)}`;
+      return [
+        ui.c.dim(ui.truncate(e._id, 12)),
+        scope,
+        ui.truncate(conditionsSummary(e.conditions, e.matchMode), 40),
+        (e.matchMode || 'all').toUpperCase(),
+        ui.statusBadge(e.isActive !== false ? 'enabled' : 'disabled'),
+        ui.truncate(e.reason || '', 20),
+        ui.timeAgo(e.createdAt),
+      ];
+    });
+    ui.table(['ID', 'Scope', 'Conditions', 'Mode', 'Status', 'Reason', 'Created'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch exclusion rules');
+    throw err;
+  }
+}
+
+// ── Show ──
+
+async function show(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Exclusion ID required. Usage: securenow fp show <id>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Fetching exclusion details');
+  try {
+    const [data, countData] = await Promise.all([
+      api.get(`/false-positives/exclusions/${id}`),
+      api.get(`/false-positives/result-count/${id}`).catch(() => null),
+    ]);
+
+    const excl = data.exclusion;
+    if (!excl) {
+      s.fail(`Exclusion ${id} not found`);
+      process.exit(1);
+    }
+
+    s.stop('Exclusion loaded');
+
+    if (flags.json) { ui.json({ exclusion: excl, scope: data.scope, resultCount: countData }); return; }
+
+    console.log('');
+    ui.heading(`Exclusion Rule: ${excl._id}`);
+    console.log('');
+    ui.keyValue([
+      ['ID', excl._id],
+      ['Active', excl.isActive !== false ? ui.c.green('Yes') : ui.c.red('No')],
+      ['Match Mode', (excl.matchMode || 'all').toUpperCase()],
+      ['Reason', excl.reason || ui.c.dim('—')],
+      ['Scope', data.scope === 'rule' ? `Rule: ${excl._ruleName || excl._ruleId}` : 'Global'],
+      ['Created', excl.createdAt ? new Date(excl.createdAt).toLocaleString() : '—'],
+    ]);
+
+    if (countData) {
+      console.log('');
+      ui.keyValue([
+        ['Matched IPs', String(countData.matchCount ?? '—')],
+      ]);
+    }
+
+    console.log('');
+    ui.subheading('Conditions');
+    console.log('');
+    printConditions(excl.conditions, excl.matchMode);
+
+    if (excl.pathPattern) {
+      console.log(`\n  ${ui.c.bold('Path Pattern')}: ${excl.pathPattern}`);
+    }
+    console.log('');
+  } catch (err) {
+    if (err.statusCode === 404 || err.status === 404) {
+      s.fail(`Exclusion ${id} not found`);
+      process.exit(1);
+    }
+    s.fail('Failed to fetch exclusion');
+    throw err;
+  }
+}
+
+// ── Create ──
+
+async function create(args, flags) {
+  requireAuth();
+  let conditions = parseConditions(flags);
+
+  if (!conditions) {
+    conditions = [];
+    if (flags.path) {
+      conditions.push({ field: 'path', operator: flags['path-op'] || 'equals', value: flags.path });
+    }
+    if (flags.method) {
+      conditions.push({ field: 'method', operator: 'equals', value: flags.method.toUpperCase() });
+    }
+    if (flags['body-operator'] && flags['body-value']) {
+      conditions.push({ field: 'request_body', operator: flags['body-operator'], value: flags['body-value'] });
+    }
+    if (flags['path-safe']) {
+      conditions.push({ field: 'path', operator: 'path_safe_values', value: flags['path-safe'] === true ? 'standard' : flags['path-safe'] });
+    }
+    if (flags['query-safe']) {
+      conditions.push({ field: 'path', operator: 'query_safe_values', value: flags['query-safe'] === true ? 'standard' : flags['query-safe'] });
+    }
+    if (flags['query-keys']) {
+      conditions.push({ field: 'path', operator: 'query_has_only_keys', value: flags['query-keys'] });
+    }
+    if (flags['ua-safe']) {
+      conditions.push({ field: 'user_agent', operator: 'ua_safe_values', value: flags['ua-safe'] === true ? 'standard' : flags['ua-safe'] });
+    }
+    if (flags['headers-safe']) {
+      conditions.push({ field: 'request_headers', operator: 'headers_safe_values', value: flags['headers-safe'] === true ? 'standard' : flags['headers-safe'] });
+    }
+    if (flags['headers-keys']) {
+      conditions.push({ field: 'request_headers', operator: 'headers_has_only_keys', value: flags['headers-keys'] });
+    }
+    if (!conditions.length) {
+      ui.error('At least one condition is required.');
+      ui.info('Use --conditions \'[...]\' or --path, --method, --body-operator, --path-safe, --ua-safe, --headers-safe, etc.');
+      process.exit(1);
+    }
+  }
+
+  const body = {
+    conditions,
+    matchMode: flags['match-mode'] || 'all',
+  };
+  if (flags.reason) body.reason = flags.reason;
+
+  const scopeParams = parseRuleScope(flags);
+  const effectiveScope = scopeParams.ruleScope || 'any_rule';
+
+  if (effectiveScope === 'this_rule') {
+    ui.error('--rule-scope this_rule requires a notification context. Use "securenow fp mark" or --rule-scope specific_rules with --target-rules.');
+    process.exit(1);
+  }
+
+  body.ruleScope = effectiveScope;
+  if (scopeParams.targetRuleIds) body.targetRuleIds = scopeParams.targetRuleIds;
+
+  const s = ui.spinner('Creating exclusion rule');
+  try {
+    const data = await api.post('/false-positives/exclusions', body);
+
+    s.stop('Exclusion rule created');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    if (effectiveScope === 'any_rule') {
+      ui.success(`Created global exclusion: ${data.exclusion?._id || '(unknown ID)'}`);
+    } else {
+      const ruleCount = data.rules?.length || 0;
+      ui.success(`Created exclusion on ${ruleCount} rule${ruleCount !== 1 ? 's' : ''}`);
+      if (data.rules) {
+        data.rules.forEach(r => {
+          console.log(`    ${ui.c.dim('•')} ${r.ruleName || r.ruleId}`);
+        });
+      }
+    }
+    console.log('');
+    ui.keyValue([['Scope', scopeLabel(effectiveScope)]]);
+    console.log('');
+    printConditions(conditions, body.matchMode);
+    if (flags.reason) console.log(`\n  Reason: ${flags.reason}`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to create exclusion rule');
+    throw err;
+  }
+}
+
+// ── Edit ──
+
+async function edit(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Exclusion ID required. Usage: securenow fp edit <id> [--active true/false] [--reason "..."]');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (flags.active != null) body.isActive = flags.active === 'true' || flags.active === true;
+  if (flags.reason) body.reason = flags.reason;
+  if (flags['match-mode']) body.matchMode = flags['match-mode'];
+  const conditions = parseConditions(flags);
+  if (conditions) body.conditions = conditions;
+
+  if (!Object.keys(body).length) {
+    ui.error('Nothing to update. Use --active, --reason, --match-mode, or --conditions.');
+    process.exit(1);
+  }
+
+  const s = ui.spinner(`Updating exclusion ${id}`);
+  try {
+    const data = await api.put(`/false-positives/exclusions/${id}`, body);
+    s.stop('Exclusion updated');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.success(`Updated exclusion: ${id}`);
+    if (data.exclusion) {
+      ui.keyValue([
+        ['Active', data.exclusion.isActive !== false ? ui.c.green('Yes') : ui.c.red('No')],
+        ['Match Mode', (data.exclusion.matchMode || 'all').toUpperCase()],
+        ['Reason', data.exclusion.reason || ui.c.dim('—')],
+      ]);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to update exclusion');
+    throw err;
+  }
+}
+
+// ── Delete ──
+
+async function remove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Exclusion ID required. Usage: securenow fp delete <id>');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm(`Delete exclusion ${id}?`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner(`Deleting exclusion ${id}`);
+  try {
+    await api.delete(`/false-positives/exclusions/${id}`);
+    s.stop('Exclusion deleted');
+  } catch (err) {
+    s.fail('Failed to delete exclusion');
+    throw err;
+  }
+}
+
+// ── Test Body ──
+
+async function testBody(args, flags) {
+  requireAuth();
+  const bodyStr = readBody(args, flags);
+  if (!bodyStr) {
+    ui.error('Request body is required. Pass as argument, --body, @filepath, or pipe via stdin.');
+    ui.info('Example: securenow fp test-body \'{"key":"value"}\' --conditions \'[...]\'');
+    process.exit(1);
+  }
+
+  const conditions = parseConditions(flags);
+  if (!conditions || !conditions.length) {
+    ui.error('--conditions is required with at least one request_body condition.');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Testing body against conditions');
+  try {
+    const data = await api.post('/false-positives/test-body', { body: bodyStr, conditions });
+    s.stop('Test complete');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const verdict = data.allPassed
+      ? ui.c.green('✓ ALL PASSED — this body would be excluded (false positive)')
+      : ui.c.red('✗ FAILED — this body would still trigger alerts');
+    console.log(`  ${verdict}`);
+    console.log(`  Detected format: ${ui.c.cyan(data.detectedFormat || 'unknown')}`);
+    console.log('');
+
+    if (data.results) {
+      const rows = data.results.map(r => {
+        const status = r.passed ? ui.c.green('✓ pass') : ui.c.red('✗ fail');
+        const detail = r.details?.error
+          || (r.details?.threats?.length ? `threats: ${r.details.threats.map(t => t.attacks?.join(',')).join('; ')}` : '')
+          || (r.details?.extraKeys?.length ? `extra keys: ${r.details.extraKeys.join(', ')}` : '')
+          || '';
+        return [
+          status,
+          r.condition?.operator || '—',
+          ui.truncate(r.condition?.value || '', 40),
+          ui.truncate(detail, 40),
+        ];
+      });
+      ui.table(['Result', 'Operator', 'Value', 'Details'], rows);
+    }
+    console.log('');
+
+    if (!data.allPassed) process.exit(2);
+  } catch (err) {
+    s.fail('Body test failed');
+    throw err;
+  }
+}
+
+// ── Dry Run ──
+
+async function dryRun(args, flags) {
+  requireAuth();
+  const conditions = parseConditions(flags);
+  if (!conditions || !conditions.length) {
+    ui.error('--conditions is required.');
+    ui.info('Example: securenow fp dry-run --conditions \'[{"field":"path","operator":"equals","value":"/api/event"},{"field":"method","operator":"equals","value":"POST"}]\'');
+    process.exit(1);
+  }
+
+  const body = { conditions, matchMode: flags['match-mode'] || 'all' };
+  const s = ui.spinner('Running dry-run against live traces (last 3 days)');
+  try {
+    const data = await api.post('/false-positives/dry-run', body);
+    s.stop('Dry-run complete');
+
+    if (flags.json) { ui.json(data); return; }
+
+    const total = data.totalTraces || 0;
+    const matched = data.matchedCount || 0;
+    const unmatched = data.unmatchedCount || 0;
+    const pct = total > 0 ? Math.round((matched / total) * 100) : 0;
+
+    console.log('');
+    ui.heading('Dry-Run Results');
+    console.log('');
+    ui.keyValue([
+      ['Total Traces', String(total)],
+      ['Would Be Excluded', `${ui.c.green(String(matched))} (${pct}%)`],
+      ['Would Still Alert', `${unmatched > 0 ? ui.c.red(String(unmatched)) : ui.c.green('0')} (${100 - pct}%)`],
+    ]);
+
+    if (data.queryLimitHit) {
+      console.log(`\n  ${ui.c.yellow('!')} Query limit reached (5,000 spans). Results are a sample.`);
+    }
+
+    if (data.sqlPreFiltered?.length) {
+      console.log(`\n  ${ui.c.dim('Pre-filtered in DB:')} ${data.sqlPreFiltered.join(' + ')}`);
+    }
+
+    // Aggregated body keys
+    if (data.aggregatedBodyKeys?.length) {
+      const keyCond = conditions.find(c =>
+        c.field === 'request_body' && (c.operator === 'json_has_only_keys' || c.operator === 'body_has_only_fields')
+      );
+      if (keyCond) {
+        const expected = new Set((keyCond.value || '').split(',').map(k => k.trim()).filter(Boolean));
+        const extra = data.aggregatedBodyKeys.filter(k => !expected.has(k));
+        if (extra.length) {
+          console.log('');
+          ui.subheading(`Keys in bodies NOT in allowlist (${extra.length})`);
+          console.log('');
+          extra.forEach(k => console.log(`    ${ui.c.yellow('+')} ${k}`));
+          console.log(`\n  ${ui.c.dim('Copy all keys:')} ${data.aggregatedBodyKeys.join(',')}`);
+        }
+      }
+    }
+
+    // Unmatched traces
+    if (data.unmatchedTraces?.length) {
+      console.log('');
+      ui.subheading(`Unmatched Traces (showing ${data.unmatchedTraces.length} of ${unmatched})`);
+      console.log('');
+      const rows = data.unmatchedTraces.map(t => [
+        ui.c.dim(ui.truncate(t.traceId, 16)),
+        t.method || '—',
+        ui.truncate(t.path || '', 30),
+        t.statusCode || '—',
+        ui.truncate((t.failedConditions || []).join(', '), 35),
+      ]);
+      ui.table(['Trace ID', 'Method', 'Path', 'Status', 'Failed Conditions'], rows);
+    }
+
+    if (total > 0 && unmatched === 0) {
+      console.log(`\n  ${ui.c.green('✓')} All ${total} traces match — they would all be excluded.`);
+    }
+    console.log('');
+
+    if (unmatched > 0) process.exit(2);
+  } catch (err) {
+    s.fail('Dry-run failed');
+    throw err;
+  }
+}
+
+// ── AI Fill ──
+
+async function aiFill(args, flags) {
+  requireAuth();
+  const description = args.join(' ') || flags.description;
+  let httpContext = null;
+
+  if (flags.context) {
+    try {
+      httpContext = JSON.parse(flags.context);
+    } catch {
+      ui.error('--context must be valid JSON, e.g. \'{"method":"POST","url":"/api/event","requestBody":"..."}\'');
+      process.exit(1);
+    }
+  }
+
+  if (!description && !httpContext) {
+    ui.error('Provide a --description or --context for AI to generate conditions.');
+    ui.info('Example: securenow fp ai-fill --description "view_cart events from /api/event"');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (description) body.description = description;
+  if (httpContext) body.httpContext = httpContext;
+
+  const s = ui.spinner('Generating conditions with AI');
+  try {
+    const data = await api.post('/false-positives/ai-fill', body);
+    s.stop('AI suggestion ready');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.heading('AI-Generated Exclusion');
+    console.log('');
+
+    if (data.reason) {
+      console.log(`  ${ui.c.bold('Reason:')} ${data.reason}`);
+      console.log('');
+    }
+
+    console.log(`  ${ui.c.bold('Match Mode:')} ${(data.matchMode || 'all').toUpperCase()}`);
+    console.log('');
+
+    ui.subheading('Conditions');
+    console.log('');
+    printConditions(data.conditions, data.matchMode);
+
+    console.log('');
+    ui.subheading('Use with create');
+    const condStr = JSON.stringify(data.conditions);
+    console.log(`\n  securenow fp create --conditions '${condStr}'${data.reason ? ` --reason "${data.reason}"` : ''}`);
+    console.log('');
+  } catch (err) {
+    s.fail('AI generation failed');
+    throw err;
+  }
+}
+
+// ── Mark False Positive ──
+
+const VALID_RULE_SCOPES = ['this_rule', 'specific_rules', 'all_existing', 'any_rule'];
+
+function parseRuleScope(flags) {
+  const scope = flags['rule-scope'];
+  if (!scope) return {};
+  if (!VALID_RULE_SCOPES.includes(scope)) {
+    ui.error(`--rule-scope must be one of: ${VALID_RULE_SCOPES.join(', ')}`);
+    process.exit(1);
+  }
+  const result = { ruleScope: scope };
+  if (scope === 'specific_rules') {
+    const raw = flags['target-rules'];
+    if (!raw) {
+      ui.error('--target-rules is required when --rule-scope is specific_rules (comma-separated rule IDs)');
+      process.exit(1);
+    }
+    result.targetRuleIds = raw.split(',').map(id => id.trim()).filter(Boolean);
+    if (!result.targetRuleIds.length) {
+      ui.error('--target-rules must contain at least one rule ID');
+      process.exit(1);
+    }
+  }
+  return result;
+}
+
+function scopeLabel(scope) {
+  switch (scope) {
+    case 'this_rule': return 'This rule only';
+    case 'specific_rules': return 'Specific rules';
+    case 'all_existing': return 'All existing rules';
+    case 'any_rule': return 'Any rule (incl. future)';
+    default: return scope || 'This rule only';
+  }
+}
+
+async function mark(args, flags) {
+  requireAuth();
+  const notifId = args[0];
+  const ip = args[1];
+
+  if (!notifId || !ip) {
+    ui.error('Usage: securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule]');
+    process.exit(1);
+  }
+
+  const body = {};
+  const conditions = parseConditions(flags);
+  if (conditions) body.conditions = conditions;
+  if (flags['match-mode']) body.matchMode = flags['match-mode'];
+  if (flags.reason) body.reason = flags.reason;
+  body.createExclusion = flags['create-exclusion'] !== 'false' && flags['create-exclusion'] !== false;
+  body.applyToExisting = flags['apply-existing'] !== 'false' && flags['apply-existing'] !== false;
+
+  const scopeParams = parseRuleScope(flags);
+  Object.assign(body, scopeParams);
+
+  const s = ui.spinner(`Marking ${ip} as false positive`);
+  try {
+    const data = await api.post(`/notifications/${encodeURIComponent(notifId)}/ips/${encodeURIComponent(ip)}/false-positive`, body);
+    s.stop('Marked as false positive');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.success(`IP ${ip} marked as false positive`);
+    console.log('');
+    ui.keyValue([
+      ['Notification', notifId],
+      ['IP', ip],
+      ['Rule Scope', scopeLabel(data.ruleScope)],
+      ['IPs Dismissed (same notif)', String(data.bulkCount ?? 0)],
+      ['Cross-Notification Matches', String(data.crossNotifCount ?? 0)],
+      ['Exclusion Rule Created', data.exclusionCreated ? ui.c.green('Yes') : ui.c.dim('No')],
+    ]);
+
+    if (data.exclusionCreated?.rules?.length > 0) {
+      console.log('');
+      ui.subheading(`Exclusion added to ${data.exclusionCreated.rules.length} rule${data.exclusionCreated.rules.length !== 1 ? 's' : ''}`);
+      console.log('');
+      data.exclusionCreated.rules.forEach(r => {
+        console.log(`    ${ui.c.dim('•')} ${r.ruleName} ${ui.c.dim(`(${r.ruleId})`)}`);
+      });
+    }
+
+    if (data.crossNotifDetails?.length) {
+      console.log('');
+      ui.subheading('Affected Notifications');
+      console.log('');
+      const rows = data.crossNotifDetails.map(d => [
+        ui.truncate(d.title || d.notificationId, 40),
+        String(d.dismissedCount),
+      ]);
+      ui.table(['Notification', 'Dismissed'], rows);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to mark as false positive');
+    throw err;
+  }
+}
+
+module.exports = {
+  list,
+  show,
+  create,
+  edit,
+  remove,
+  testBody,
+  dryRun,
+  aiFill,
+  mark,
+};