securenow 7.6.8 → 7.7.0

package/cli/security.js

@@ -38,12 +38,18 @@ async function alertRulesRoute(args, flags) {
   if (sub === 'show') {
     return alertRuleShow(args.slice(1), flags);
   }
-  if (sub === 'update') {
-    return alertRuleUpdate(args.slice(1), flags);
-  }
-  if (sub === 'list') {
-    return alertRulesList(args.slice(1), flags);
-  }
+  if (sub === 'update') {
+    return alertRuleUpdate(args.slice(1), flags);
+  }
+  if (sub === 'test') {
+    return alertRuleTest(args.slice(1), flags);
+  }
+  if (sub === 'exclusions') {
+    return alertRuleExclusions(args.slice(1), flags);
+  }
+  if (sub === 'list') {
+    return alertRulesList(args.slice(1), flags);
+  }
   return alertRulesList(args, flags);
 }
 
@@ -115,7 +121,7 @@ async function alertRuleShow(args, flags) {
   }
 }
 
-async function alertRuleUpdate(args, flags) {
+async function alertRuleUpdate(args, flags) {
   requireAuth();
   const id = args[0];
   if (!id) {
@@ -172,7 +178,97 @@ async function alertRuleUpdate(args, flags) {
     s.fail('Failed to update alert rule');
     throw err;
   }
-}
+}
+
+async function alertRuleTest(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules test <rule-id> [--app <key>] [--mode dry_run] [--wait]');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (flags.app) body.applicationKey = flags.app;
+  if (flags.mode) body.mode = flags.mode;
+  const s = ui.spinner('Starting alert rule test');
+  try {
+    let data = await api.post(`/alert-rules/${id}/test`, body);
+    if (flags.wait && data.testId) {
+      s.update('Waiting for alert rule test results');
+      for (let i = 0; i < 40; i++) {
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        data = await api.get(`/alert-rules/${id}/test/${data.testId}`);
+        if (['complete', 'failed'].includes(data.status)) break;
+      }
+    }
+    s.stop('Alert rule test ready');
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    ui.keyValue([
+      ['Test ID', data.testId || '-'],
+      ['Mode', data.mode || body.mode || 'live'],
+      ['Status', data.status || '-'],
+      ['Result count', String(data.resultCount ?? '-')],
+      ['Error', data.error || '-'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to test alert rule');
+    throw err;
+  }
+}
+
+async function alertRuleExclusions(args, flags) {
+  requireAuth();
+  const id = args[0];
+  const action = args[1] || 'list';
+  if (!id) {
+    ui.error('Usage: securenow alerts rules exclusions <rule-id> [list|add|delete] [exclusion-id]');
+    process.exit(1);
+  }
+
+  try {
+    if (action === 'add') {
+      const body = {};
+      if (flags.conditions) body.conditions = JSON.parse(flags.conditions);
+      if (flags['match-mode']) body.matchMode = flags['match-mode'];
+      if (flags.reason) body.reason = flags.reason;
+      if (flags.path) body.pathPattern = flags.path;
+      const data = await api.post(`/alert-rules/${id}/exclusions`, body);
+      if (flags.json) { ui.json(data); return; }
+      ui.success('Exclusion added');
+      return;
+    }
+
+    if (action === 'delete' || action === 'remove') {
+      const exclusionId = args[2];
+      if (!exclusionId) {
+        ui.error('Exclusion id required.');
+        process.exit(1);
+      }
+      const data = await api.delete(`/alert-rules/${id}/exclusions/${exclusionId}`);
+      if (flags.json) { ui.json(data); return; }
+      ui.success('Exclusion removed');
+      return;
+    }
+
+    const data = await api.get(`/alert-rules/${id}/exclusions`);
+    const exclusions = data.exclusions || [];
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    const rows = exclusions.map((e) => [
+      ui.c.dim(ui.truncate(e._id, 12)),
+      e.isActive === false ? ui.statusBadge('disabled') : ui.statusBadge('active'),
+      e.matchMode || 'all',
+      ui.truncate(e.reason || e.pathPattern || JSON.stringify(e.conditions || []), 72),
+    ]);
+    ui.table(['ID', 'Status', 'Mode', 'Reason/Pattern'], rows);
+    console.log('');
+  } catch (err) {
+    throw err;
+  }
+}
 
 // ── Alert Channels ──
 
@@ -238,7 +334,12 @@ async function blocklistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist');
   try {
-    const data = await api.get('/blocklist');
+    const query = {};
+    if (flags.page) query.page = flags.page;
+    if (flags.limit) query.limit = flags.limit;
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/blocklist', { query });
     const items = data.blockedIps || [];
     s.stop(`Found ${items.length} blocked IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
 
@@ -249,11 +350,13 @@ async function blocklistList(args, flags) {
       ui.c.dim(ui.truncate(b._id, 12)),
       ui.c.red(b.ip || b.cidr || '—'),
       ui.truncate(b.reason || '', 40),
-      b.source || '—',
-      ui.timeAgo(b.createdAt),
-      b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Added', 'Expires'], rows);
+      b.source || '—',
+      b.applicationKey || ui.c.dim('all apps'),
+      b.environment || ui.c.dim('all envs'),
+      ui.timeAgo(b.createdAt),
+      b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'App', 'Env', 'Added', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -269,10 +372,11 @@ async function blocklistAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.reason) body.reason = flags.reason;
-  if (flags.duration) body.duration = flags.duration;
-  if (flags.app) body.serviceName = flags.app;
+  const body = { ip };
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.duration) body.duration = flags.duration;
+  if (flags.app) body.appKey = flags.app;
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Blocking ${ip}`);
   try {
@@ -340,7 +444,12 @@ async function allowlistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching allowlist');
   try {
-    const data = await api.get('/allowlist');
+    const query = {};
+    if (flags.page) query.page = flags.page;
+    if (flags.limit) query.limit = flags.limit;
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/allowlist', { query });
     const items = data.allowedIps || [];
     s.stop(`Found ${items.length} allowed IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
 
@@ -349,13 +458,15 @@ async function allowlistList(args, flags) {
     console.log('');
     const rows = items.map(a => [
       ui.c.dim(ui.truncate(a._id, 12)),
-      ui.c.green(a.ip || '—'),
-      a.label || ui.c.dim('—'),
-      ui.truncate(a.reason || '', 40),
-      ui.timeAgo(a.createdAt),
-      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'Added', 'Expires'], rows);
+      ui.c.green(a.ip || '—'),
+      a.label || ui.c.dim('—'),
+      ui.truncate(a.reason || '', 40),
+      a.applicationKey || ui.c.dim('all apps'),
+      a.environment || ui.c.dim('all envs'),
+      ui.timeAgo(a.createdAt),
+      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'App', 'Env', 'Added', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch allowlist');
@@ -371,9 +482,14 @@ async function allowlistAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.label) body.label = flags.label;
-  if (flags.reason) body.reason = flags.reason;
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.app) {
+    body.applicationsAll = false;
+    body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
+  }
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Allowing ${ip}`);
   try {
@@ -438,7 +554,10 @@ async function trustedList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching trusted IPs');
   try {
-    const data = await api.get('/trusted-ips');
+    const query = {};
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/trusted-ips', { query });
     const items = data.trustedIps || [];
     s.stop(`Found ${items.length} trusted IP${items.length !== 1 ? 's' : ''}`);
 
@@ -446,12 +565,14 @@ async function trustedList(args, flags) {
 
     console.log('');
     const rows = items.map(t => [
-      ui.c.dim(ui.truncate(t._id, 12)),
-      ui.c.green(t.ip || t.cidr || '—'),
-      t.label || t.description || ui.c.dim('—'),
-      ui.timeAgo(t.createdAt),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Label', 'Added'], rows);
+      ui.c.dim(ui.truncate(t._id, 12)),
+      ui.c.green(t.ip || t.cidr || '—'),
+      t.label || t.description || ui.c.dim('—'),
+      t.applicationKey || ui.c.dim('all apps'),
+      t.environment || ui.c.dim('all envs'),
+      ui.timeAgo(t.createdAt),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'App', 'Env', 'Added'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch trusted IPs');
@@ -467,9 +588,15 @@ async function trustedAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.label) body.label = flags.label;
-  if (flags.description) body.description = flags.description;
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.description) body.description = flags.description;
+  if (flags.note) body.note = flags.note;
+  if (flags.app) {
+    body.applicationsAll = false;
+    body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
+  }
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Adding ${ip} to trusted IPs`);
   try {
@@ -965,9 +1092,11 @@ async function analytics(args, flags) {
 
 module.exports = {
   alertRulesRoute,
-  alertRulesList,
-  alertRuleShow,
-  alertRuleUpdate,
+  alertRulesList,
+  alertRuleShow,
+  alertRuleUpdate,
+  alertRuleTest,
+  alertRuleExclusions,
   alertChannelsList,
   alertHistoryList,
   blocklistList,

package/cli.js

@@ -164,7 +164,7 @@ const COMMANDS = {
   },
   human: {
     desc: 'Work the human action queue prepared by SecureNow AI',
-    usage: 'securenow human <list|show|block|fp|prompt|work> [row|notificationId:ip] [options]',
+    usage: 'securenow human <list|show|block|fp|action|prompt|work> [row|notificationId:ip] [options]',
     flags: {
       json: 'Output as JSON',
       page: 'Queue page number',
@@ -178,6 +178,9 @@ const COMMANDS = {
       'rule-scope': 'False-positive scope: this_rule | specific_rules | all_existing | any_rule',
       'create-exclusion': 'Create a restrictive exclusion when marking false positive',
       'apply-existing': 'Apply false-positive decision to existing matching rows',
+      status: 'Case action status: approved, rejected, executed, failed, or proposed',
+      'action-key': 'Case-level proposed action key',
+      result: 'Case action result JSON',
       mode: 'Prompt mode label for MCP prompt output',
     },
     sub: {
@@ -185,6 +188,7 @@ const COMMANDS = {
       show: { desc: 'Show one row with AI report, proofs, DAG, and trace links', usage: 'securenow human show <row|notificationId:ip>', run: (a, f) => require('./cli/human').show(a, f) },
       block: { desc: 'Approve the AI block recommendation for a row', usage: 'securenow human block <row|notificationId:ip> --yes --reason "..."', run: (a, f) => require('./cli/human').block(a, f) },
       fp: { desc: 'Mark a row as a scoped false positive', usage: 'securenow human fp <row|notificationId:ip> --yes --reason "..."', run: (a, f) => require('./cli/human').fp(a, f) },
+      action: { desc: 'Approve/reject/execute a case-level proposed action', usage: 'securenow human action <row|notificationId> [actionKey] --status approved --yes --reason "..."', run: (a, f) => require('./cli/human').action(a, f) },
       prompt: { desc: 'Print a Codex/Claude MCP prompt for row or queue work', usage: 'securenow human prompt [row|notificationId:ip] [--limit 10]', run: (a, f) => require('./cli/human').prompt(a, f) },
       work: { desc: 'List the queue and print the MCP runbook to work it deeply', usage: 'securenow human work [--limit 10]', run: (a, f) => require('./cli/human').work(a, f) },
     },
@@ -226,47 +230,86 @@ const COMMANDS = {
     },
     defaultSub: 'list',
   },
-  firewall: {
-    desc: 'Firewall status, per-app toggle, and IP testing',
-    usage: 'securenow firewall <subcommand> [options]',
-    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
+  firewall: {
+    desc: 'Firewall status, per-app toggle, and IP testing',
+    usage: 'securenow firewall <subcommand> [options]',
+    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
       status: { desc: 'Show firewall status, layers, and blocklist info', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').status(a, f) },
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
       'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
-    },
-    defaultSub: 'status',
-  },
-  blocklist: {
-    desc: 'Manage IP blocklist',
-    usage: 'securenow blocklist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+    },
+    defaultSub: 'status',
+  },
+  automation: {
+    desc: 'Manage automation rules for blocklist actions',
+    usage: 'securenow automation <list|show|create|update|dry-run|execute|delete> [rule-id] [options]',
+    flags: {
+      json: 'Output as JSON',
+      body: 'Full JSON body for create/update',
+      file: 'Read JSON body from file',
+      name: 'Rule name',
+      description: 'Rule description',
+      conditions: 'Conditions JSON array',
+      actions: 'Actions JSON array',
+      logic: 'Condition logic: AND or OR',
+      status: 'Rule status: active or disabled',
+      app: 'Comma-separated app key(s) to scope the rule',
+      apps: 'Alias for --app',
+      'applications-all': 'Scope rule to all apps',
+      env: 'Comma-separated environment(s) to scope the rule',
+      environment: 'Alias for --env',
+      environments: 'Alias for --env',
+      'environments-all': 'Scope rule to all environments',
+      limit: 'Dry-run notification scan limit',
+      'sample-limit': 'Dry-run sample count',
+      yes: 'Confirm execute/delete',
+      force: 'Alias for --yes',
+    },
+    sub: {
+      list: { desc: 'List automation rules', run: (a, f) => require('./cli/automation').list(a, f) },
+      show: { desc: 'Show automation rule details', usage: 'securenow automation show <rule-id>', run: (a, f) => require('./cli/automation').show(a, f) },
+      create: { desc: 'Create automation rule', usage: 'securenow automation create --name "..." --conditions \'[...]\' --actions \'[...]\'', run: (a, f) => require('./cli/automation').create(a, f) },
+      update: { desc: 'Update automation rule', usage: 'securenow automation update <rule-id> --body \'{...}\'', run: (a, f) => require('./cli/automation').update(a, f) },
+      'dry-run': { desc: 'Preview automation matches without writing blocklist entries', usage: 'securenow automation dry-run <rule-id>', run: (a, f) => require('./cli/automation').dryRun(a, f) },
+      execute: { desc: 'Execute an automation rule now', usage: 'securenow automation execute <rule-id> --yes', run: (a, f) => require('./cli/automation').execute(a, f) },
+      delete: { desc: 'Delete an automation rule', usage: 'securenow automation delete <rule-id> --yes', run: (a, f) => require('./cli/automation').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  blocklist: {
+    desc: 'Manage IP blocklist',
+    usage: 'securenow blocklist <subcommand> [options]',
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
     },
     defaultSub: 'list',
   },
-  allowlist: {
-    desc: 'Manage IP allowlist (only allow listed IPs)',
-    usage: 'securenow allowlist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
-      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
+  allowlist: {
+    desc: 'Manage IP allowlist (only allow listed IPs)',
+    usage: 'securenow allowlist <subcommand> [options]',
+    flags: { app: 'Scope to app key(s), comma-separated', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
+      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--app <key>] [--env local] [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
       remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
       stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
     },
     defaultSub: 'list',
   },
-  trusted: {
-    desc: 'Manage trusted IPs',
-    usage: 'securenow trusted <subcommand> [options]',
-    sub: {
-      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
-      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
+  trusted: {
+    desc: 'Manage trusted IPs',
+    usage: 'securenow trusted <subcommand> [options]',
+    flags: { app: 'Scope to app key(s), comma-separated', env: 'Scope to environment', environment: 'Alias for --env', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
+      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--app <key>] [--env local] [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
       remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
     },
     defaultSub: 'list',
@@ -499,8 +542,8 @@ function showHelp(commandName) {
     'Observe': ['traces', 'logs', 'analytics'],
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
-    'Firewall': ['firewall'],
-    'Remediation': ['blocklist', 'allowlist', 'trusted'],
+    'Firewall': ['firewall'],
+    'Remediation': ['automation', 'blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],