securenow 7.6.8 → 7.7.0

package/NPM_README.md

@@ -511,6 +511,9 @@ npx securenow logs --json --level error | jq '.logs'
 | | `firewall test-ip <ip>` | Check if an IP would be blocked |
 | | `run --firewall-only <script>` | Preload firewall without OTel tracing overhead |
 | **Remediate** | `blocklist` | Blocked IPs |
+| | `automation` | List blocklist automation rules |
+| | `automation dry-run <id>` | Preview automation matches without writing blocks |
+| | `automation execute <id> --yes` | Run an automation rule now |
 | | `blocklist add <ip>` | Block IP |
 | | `blocklist remove <id>` | Unblock IP |
 | | `blocklist stats` | Block stats |
@@ -1652,7 +1655,15 @@ After blocking an IP, it takes 10-15 seconds to propagate (one version-check int
 
 **Check 5: Are you behind a proxy?**
 
-Add your proxy IPs to `config.networking.trustedProxies` in `.securenow/credentials.json` so the firewall sees the real client IP.
+Make sure your proxy forwards the real visitor IP:
+
+```nginx
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+```
+
+SecureNow trusts private, loopback, and same-host proxy peers automatically. For external load balancers or public proxy IPs, add them to `config.networking.trustedProxies` in `.securenow/credentials.json`. If no forwarded header reaches the app, SecureNow can detect the attack shape but cannot recover the real visitor IP from traces.
 
 **Check 6: Using PM2?**
 

package/SKILL-CLI.md

@@ -223,6 +223,7 @@ securenow human list --limit 20
 securenow human show 1                       # inspect row 1 with AI report, DAG, proofs, trace links
 securenow human block 1 --yes --reason "AI evidence confirmed malicious"
 securenow human fp 1 --yes --reason "Scoped false positive after evidence review"
+securenow human action 1 --status rejected --yes --reason "Tuning guard is too broad"
 securenow human prompt 1                     # print a Codex/Claude MCP prompt for this row
 securenow human work --limit 10              # list queue + print MCP runbook for deep queue work
 ```
@@ -234,6 +235,7 @@ MCP parity:
 - `securenow_human_action_report`
 - `securenow_human_action_block`
 - `securenow_human_action_false_positive`
+- `securenow_human_case_action_update`
 - prompts: `investigate_human_action_row`, `work_human_actions`
 
 Write tools still require `confirm:true` plus a reason. False positives should stay restrictive to the app, alert rule, path, method/status, user-agent, body pattern, or other exact evidence the AI report supports.
@@ -243,10 +245,12 @@ Write tools still require `confirm:true` plus a reason. False positives should s
 ```bash
 securenow alerts                             # list alert rules (default)
 securenow alerts rules                       # list alert rules (columns: Status, Applications, Schedule)
-securenow alerts rules show <id>            # one rule; JSON: --json
-securenow alerts rules update <id> --applications-all   # all current & future apps
-securenow alerts rules update <id> --apps key1,key2     # explicit app keys only
-securenow alerts channels                    # list alert channels (Slack, email, etc.)
+securenow alerts rules show <id>            # one rule; JSON: --json
+securenow alerts rules update <id> --applications-all   # all current & future apps
+securenow alerts rules update <id> --apps key1,key2     # explicit app keys only
+securenow alerts rules test <id> --mode dry_run --wait  # validate a rule query
+securenow alerts rules exclusions <id> list              # embedded rule exclusions
+securenow alerts channels                    # list alert channels (Slack, email, etc.)
 securenow alerts history [--limit N]         # past triggered alerts
 ```
 
@@ -282,9 +286,9 @@ securenow api-map stats                      # endpoint statistics
 ### Firewall
 
 ```bash
-securenow firewall                           # show status (default)
-securenow firewall status --env production   # layers, sync time, blocked count, API key info
-securenow firewall test-ip <ip>              # check if IP would be blocked
+securenow firewall                           # show status (default)
+securenow firewall status --app <key> --env production   # app/env toggle, sync time, blocked count
+securenow firewall test-ip <ip> --app <key> --env local  # check if IP would be blocked
 ```
 
 **Zero-config setup (v7.5.1+):** running `securenow login` enables the selected app's firewall toggle, auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and writes it to the credentials file after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
@@ -292,19 +296,28 @@ securenow firewall test-ip <ip>              # check if IP would be blocked
 ### Blocklist — Block Malicious IPs
 
 ```bash
-securenow blocklist                          # list blocked IPs
-securenow blocklist list
-securenow blocklist add <ip> [--reason "Brute force"]
-securenow blocklist remove <id>
-securenow blocklist stats                    # block counts, top reasons
-```
+securenow blocklist                          # list blocked IPs
+securenow blocklist list
+securenow blocklist add <ip> --app <key> --env production --reason "Brute force"
+securenow blocklist remove <id>
+securenow blocklist stats                    # block counts, top reasons
+```
+
+### Automation Rules
+
+```bash
+securenow automation                         # list blocklist automation rules
+securenow automation show <id>
+securenow automation dry-run <id> --limit 500
+securenow automation execute <id> --yes
+```
 
 ### Allowlist — Restrict to Known IPs
 
 ```bash
-securenow allowlist                          # list allowed IPs
-securenow allowlist list
-securenow allowlist add <ip> [--label "Office"] [--reason "Corporate VPN"]
+securenow allowlist                          # list allowed IPs
+securenow allowlist list
+securenow allowlist add <ip> --app <key> --env local --label "Office" --reason "Corporate VPN"
 securenow allowlist remove <id>
 securenow allowlist stats
 ```

package/cli/automation.js

@@ -0,0 +1,275 @@
+'use strict';
+
+const fs = require('fs');
+const { api, requireAuth } = require('./client');
+const ui = require('./ui');
+
+function parseList(value) {
+  if (!value) return [];
+  return String(value).split(',').map((item) => item.trim()).filter(Boolean);
+}
+
+function parseJson(value, label) {
+  try {
+    return JSON.parse(value);
+  } catch (err) {
+    ui.error(`${label} must be valid JSON: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function readBody(flags) {
+  if (flags.body) return parseJson(flags.body, '--body');
+  if (flags.file) return parseJson(fs.readFileSync(flags.file, 'utf8'), '--file');
+  return null;
+}
+
+function bodyFromFlags(flags, requireName = false) {
+  const body = readBody(flags) || {};
+
+  if (flags.name) body.name = flags.name;
+  if (flags.description) body.description = flags.description;
+  if (flags.conditions) body.conditions = parseJson(flags.conditions, '--conditions');
+  if (flags.actions) body.actions = parseJson(flags.actions, '--actions');
+  if (flags.logic || flags['condition-logic']) body.conditionLogic = flags.logic || flags['condition-logic'];
+  if (flags.status) body.status = flags.status;
+
+  if (flags.app || flags.apps) {
+    body.applicationsAll = false;
+    body.applicationKeys = parseList(flags.app || flags.apps);
+  }
+  if (flags['applications-all']) {
+    body.applicationsAll = true;
+    body.applicationKeys = [];
+  }
+
+  if (flags.env || flags.environment || flags.environments) {
+    body.environmentsAll = false;
+    body.environments = parseList(flags.env || flags.environment || flags.environments);
+  }
+  if (flags['environments-all']) {
+    body.environmentsAll = true;
+    body.environments = [];
+  }
+
+  if (requireName && !body.name) {
+    ui.error('Rule name required. Pass --name or --body JSON.');
+    process.exit(1);
+  }
+
+  return body;
+}
+
+function formatApplications(rule) {
+  if (rule.applicationsAll !== false) return ui.c.cyan('all apps');
+  return (rule.applications || []).join(', ') || ui.c.dim('-');
+}
+
+function formatEnvironments(rule) {
+  if (rule.environmentsAll !== false) return ui.c.cyan('all envs');
+  return (rule.environments || []).join(', ') || ui.c.dim('-');
+}
+
+async function list(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching automation rules');
+  try {
+    const data = await api.get('/automation-rules');
+    const rules = data.rules || [];
+    s.stop(`Found ${rules.length} automation rule${rules.length === 1 ? '' : 's'}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = rules.map((rule) => [
+      ui.c.dim(ui.truncate(rule._id || rule.id, 12)),
+      rule.name || '-',
+      ui.statusBadge(rule.status || 'active'),
+      formatApplications(rule),
+      formatEnvironments(rule),
+      String(rule.stats?.totalMatches ?? 0),
+      rule.stats?.lastExecutedAt ? ui.timeAgo(rule.stats.lastExecutedAt) : '-',
+    ]);
+    ui.table(['ID', 'Name', 'Status', 'Apps', 'Envs', 'Matches', 'Last Run'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch automation rules');
+    throw err;
+  }
+}
+
+async function show(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation show <rule-id>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Fetching automation rule');
+  try {
+    const data = await api.get(`/automation-rules/${encodeURIComponent(id)}`);
+    const rule = data.rule || data;
+    s.stop('Automation rule loaded');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.heading(rule.name || 'Automation rule');
+    ui.keyValue([
+      ['ID', rule._id || rule.id || id],
+      ['Status', rule.status || '-'],
+      ['Applications', formatApplications(rule)],
+      ['Environments', formatEnvironments(rule)],
+      ['Condition logic', rule.conditionLogic || 'AND'],
+      ['Conditions', JSON.stringify(rule.conditions || [])],
+      ['Actions', JSON.stringify(rule.actions || [])],
+      ['Total executions', String(rule.stats?.totalExecutions ?? 0)],
+      ['Total matches', String(rule.stats?.totalMatches ?? 0)],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch automation rule');
+    throw err;
+  }
+}
+
+async function create(args, flags) {
+  requireAuth();
+  const body = bodyFromFlags(flags, true);
+  const s = ui.spinner('Creating automation rule');
+  try {
+    const data = await api.post('/automation-rules', body);
+    s.stop('Automation rule created');
+    if (flags.json) { ui.json(data); return; }
+    ui.success(`${data.rule?.name || body.name} created`);
+  } catch (err) {
+    s.fail('Failed to create automation rule');
+    throw err;
+  }
+}
+
+async function update(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation update <rule-id> [--body JSON]');
+    process.exit(1);
+  }
+
+  const body = bodyFromFlags(flags, false);
+  if (Object.keys(body).length === 0) {
+    ui.error('Nothing to update. Pass --body, --file, or field flags.');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Updating automation rule');
+  try {
+    const data = await api.put(`/automation-rules/${encodeURIComponent(id)}`, body);
+    s.stop('Automation rule updated');
+    if (flags.json) { ui.json(data); return; }
+    ui.success('Automation rule updated');
+  } catch (err) {
+    s.fail('Failed to update automation rule');
+    throw err;
+  }
+}
+
+async function dryRun(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation dry-run <rule-id> [--limit 500] [--sample-limit 20]');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (flags.limit) body.limit = Number(flags.limit);
+  if (flags['sample-limit']) body.sampleLimit = Number(flags['sample-limit']);
+
+  const s = ui.spinner('Dry-running automation rule');
+  try {
+    const data = await api.post(`/automation-rules/${encodeURIComponent(id)}/dry-run`, body);
+    s.stop('Dry-run complete');
+    if (flags.json) { ui.json(data); return; }
+
+    const results = data.results || {};
+    console.log('');
+    ui.keyValue([
+      ['Scanned IPs', String(results.scanned ?? 0)],
+      ['Matched IPs', String(results.matched ?? 0)],
+      ['Sample count', String((results.samples || []).length)],
+    ]);
+    if ((results.samples || []).length) {
+      console.log('');
+      const rows = results.samples.map((sample) => [
+        sample.ip,
+        ui.truncate((sample.path || []).join(', '), 32),
+        ui.truncate((sample.attackType || []).join(', '), 28),
+        (sample.environment || []).join(', ') || '-',
+        String(sample.riskScore ?? '-'),
+      ]);
+      ui.table(['IP', 'Paths', 'Attack', 'Env', 'Risk'], rows);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to dry-run automation rule');
+    throw err;
+  }
+}
+
+async function execute(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation execute <rule-id> --yes');
+    process.exit(1);
+  }
+  if (!flags.yes && !flags.force) {
+    const ok = await ui.confirm('Execute this automation rule now? It may add IPs to the blocklist.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Executing automation rule');
+  try {
+    const data = await api.post(`/automation-rules/${encodeURIComponent(id)}/execute`, {});
+    s.stop('Automation rule executed');
+    if (flags.json) { ui.json(data); return; }
+    const r = data.results || {};
+    ui.keyValue([
+      ['Scanned', String(r.scanned ?? 0)],
+      ['Matched', String(r.matched ?? 0)],
+      ['Blocked', String(r.blocked ?? 0)],
+      ['Skipped', String(r.skipped ?? 0)],
+      ['Errors', String(r.errors ?? 0)],
+    ]);
+  } catch (err) {
+    s.fail('Failed to execute automation rule');
+    throw err;
+  }
+}
+
+async function remove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation delete <rule-id> --yes');
+    process.exit(1);
+  }
+  if (!flags.yes && !flags.force) {
+    const ok = await ui.confirm('Delete this automation rule?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Deleting automation rule');
+  try {
+    const data = await api.delete(`/automation-rules/${encodeURIComponent(id)}`);
+    s.stop('Automation rule deleted');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to delete automation rule');
+    throw err;
+  }
+}
+
+module.exports = { list, show, create, update, dryRun, execute, remove };

package/cli/firewall.js

@@ -7,13 +7,16 @@ function resolveEnvironment(flags) {
   return flags.env || flags.environment || 'production';
 }
 
-async function status(args, flags) {
-  requireAuth();
-  const s = ui.spinner('Checking firewall status');
-
-  try {
+async function status(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Checking firewall status');
+
+  try {
     const environment = resolveEnvironment(flags);
-    const data = await api.get('/firewall/status', { query: { environment } });
+    const appKey = await resolveAppKey(flags);
+    const query = { environment };
+    if (appKey) query.appKey = appKey;
+    const data = await api.get('/firewall/status', { query });
 
     s.stop('Firewall status retrieved');
 
@@ -23,10 +26,14 @@ async function status(args, flags) {
     }
 
     console.log('');
-    console.log(`  ${ui.c.bold(ui.c.green('Firewall: ENABLED'))}`);
+    const enabledLabel = data.firewallEnabled === false
+      ? ui.c.bold(ui.c.yellow('Firewall: DISABLED FOR APP/ENV'))
+      : ui.c.bold(ui.c.green('Firewall: ENABLED'));
+    console.log(`  ${enabledLabel}`);
     console.log('');
     ui.keyValue([
       ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
       ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
@@ -66,7 +73,10 @@ async function testIp(args, flags) {
 
   try {
     const environment = resolveEnvironment(flags);
-    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query: { environment } });
+    const appKey = await resolveAppKey(flags);
+    const query = { environment };
+    if (appKey) query.appKey = appKey;
+    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query });
 
     s.stop(`IP ${ip} checked`);
 
@@ -75,8 +85,14 @@ async function testIp(args, flags) {
       return;
     }
 
-    console.log('');
-    if (data.blocked) {
+    console.log('');
+    if (data.firewallEnabled === false) {
+      console.log(`  ${ui.c.bold(ui.c.yellow('NOT ENFORCED'))} — firewall is disabled for ${appKey || 'this app'} (${data.environment || environment})`);
+      if (data.reason) console.log(`  ${ui.c.dim(`Reason: ${data.reason}`)}`);
+      console.log('');
+      return;
+    }
+    if (data.blocked) {
       if (data.allowlistActive && !data.allowlisted) {
         console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is not on the allowlist`);
         console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
@@ -92,8 +108,9 @@ async function testIp(args, flags) {
       } else {
         console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is not in the blocklist`);
       }
-    }
-    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    }
+    console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} · Environment: ${data.environment || environment}`)}`);
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
     if (data.allowlistActive) {
       console.log(`  ${ui.c.dim('Allowlist is active')}`);
     }

package/cli/human.js

@@ -214,6 +214,40 @@ async function show(args, flags) {
   const s = ui.spinner('Fetching human action detail');
   try {
     const { task, row } = await resolveTask(ref, flags);
+    if (task.kind === 'case_action' || task.actionKey) {
+      const [notification, agentCase] = await Promise.all([
+        api.get(`/notifications/${encodeURIComponent(task.notificationId)}`).catch(() => ({})),
+        api.get(`/notifications/${encodeURIComponent(task.notificationId)}/agent-case`).catch(() => ({})),
+      ]);
+      s.stop('Case action loaded');
+      if (flags.json) {
+        ui.json({ task, notification, agentCase });
+        return;
+      }
+      console.log('');
+      printTaskSummary(task, row);
+      console.log('');
+      ui.subheading('Case action');
+      ui.keyValue([
+        ['Action key', task.actionKey || '-'],
+        ['Type', task.actionType || task.action?.type || '-'],
+        ['Title', task.action?.title || task.title || '-'],
+        ['Description', ui.truncate(task.action?.description || '', 140)],
+        ['Status', task.action?.status || 'proposed'],
+      ]);
+      if ((agentCase.proposedActions || []).length) {
+        console.log('');
+        const rows = agentCase.proposedActions.map((action) => [
+          action.actionKey || '-',
+          action.type || '-',
+          action.status || '-',
+          ui.truncate(action.title || action.description || '', 80),
+        ]);
+        ui.table(['Key', 'Type', 'Status', 'Action'], rows);
+      }
+      console.log('');
+      return;
+    }
     const [ipReport, notification] = await Promise.all([
       api.get(`/notifications/${encodeURIComponent(task.notificationId)}/ips/${encodeURIComponent(task.ip)}`),
       api.get(`/notifications/${encodeURIComponent(task.notificationId)}`).catch(() => ({})),
@@ -248,6 +282,63 @@ async function show(args, flags) {
   }
 }
 
+async function action(args, flags) {
+  requireAuth();
+  const ref = args[0];
+  if (!ref) {
+    ui.error('Usage: securenow human action <row|notificationId> [actionKey] --status approved|rejected|executed|failed --yes --reason "..."');
+    process.exit(1);
+  }
+
+  const parsed = parseTaskRef(ref);
+  let notificationId = parsed?.notificationId;
+  let actionKey = flags.actionKey || flags['action-key'] || args[1];
+  let task = null;
+  let row = null;
+
+  if (parsed?.kind === 'row' || !actionKey) {
+    const resolved = await resolveTask(ref, flags);
+    task = resolved.task;
+    row = resolved.row;
+    notificationId = task.notificationId;
+    actionKey = actionKey || task.actionKey;
+  }
+
+  const status = flags.status || args[2];
+  if (!notificationId || !actionKey || !status) {
+    ui.error('notificationId, actionKey, and --status are required.');
+    process.exit(1);
+  }
+
+  if (!['proposed', 'approved', 'rejected', 'executed', 'failed'].includes(status)) {
+    ui.error('Status must be one of: proposed, approved, rejected, executed, failed');
+    process.exit(1);
+  }
+
+  if (!flags.yes && !flags.force) {
+    const label = task ? `row ${row || ''} (${actionKey})` : `${notificationId}/${actionKey}`;
+    const ok = await ui.confirm(`Set case action ${label} to ${status}?`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const result = flags.result ? JSON.parse(flags.result) : {};
+  if (flags.reason) result.reason = flags.reason;
+
+  const s = ui.spinner('Updating case action');
+  try {
+    const data = await api.put(
+      `/notifications/${encodeURIComponent(notificationId)}/agent-case/actions/${encodeURIComponent(actionKey)}`,
+      { status, result }
+    );
+    s.stop('Case action updated');
+    if (flags.json) { ui.json(data); return; }
+    ui.success(`${actionKey} -> ${data.action?.status || status}`);
+  } catch (err) {
+    s.fail('Failed to update case action');
+    throw err;
+  }
+}
+
 async function block(args, flags) {
   requireAuth();
   const ref = args[0];
@@ -328,10 +419,12 @@ function mcpPromptText(ref, flags = {}) {
       : '2. For each task, call securenow_notifications_get and securenow_human_action_report for the notificationId and IP.',
     '3. Read the AI report, finalDecision, DAG steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
     '4. Open/inspect trace evidence with securenow_traces_show and securenow_logs_for_trace when trace IDs are available.',
-    '5. Decide one of only two outcomes: block the IP, or mark a scoped false positive. If evidence is ambiguous, report why and stop for that row.',
+    '5. Decide one outcome: block the IP, mark a scoped false positive, recommend alert-rule tuning, or skip if evidence is ambiguous.',
     '6. For block decisions, call securenow_human_action_block with confirm:true and a precise reason.',
     '7. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, and a precise reason.',
-    '8. Summarize each row handled, skipped, and still waiting. Do not globally trust an IP by default.',
+    '8. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
+    '9. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
+    '10. Summarize each row handled, skipped, rule tuning needed, and still waiting. Do not globally trust an IP by default.',
     '',
     'Safety:',
     '- Do not call write tools without confirm:true and a reason.',
@@ -359,6 +452,7 @@ async function work(args, flags) {
 module.exports = {
   list,
   show,
+  action,
   block,
   fp,
   prompt,