securenow 7.6.9 → 7.7.1

package/NPM_README.md

@@ -415,8 +415,9 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | `~/.securenow/config.json` | API URL, default app, output format |
 | `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
 | `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>` |
 
-**Resolution order:** project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Legacy CLI token overrides still work for existing automation.
 
 ### Global Flags
 
@@ -464,6 +465,8 @@ npx securenow credentials runtime --env production
 
 # Store .securenow/credentials.production.json as a deployment secret file,
 # then materialize it as .securenow/credentials.json in the running app.
+# Since v7.7.1, mounting it as .securenow/credentials.production.json
+# also works when the canonical credentials.json file is absent.
 
 # Use --json for machine-readable output
 npx securenow logs --json --level error | jq '.logs'
@@ -511,6 +514,9 @@ npx securenow logs --json --level error | jq '.logs'
 | | `firewall test-ip <ip>` | Check if an IP would be blocked |
 | | `run --firewall-only <script>` | Preload firewall without OTel tracing overhead |
 | **Remediate** | `blocklist` | Blocked IPs |
+| | `automation` | List blocklist automation rules |
+| | `automation dry-run <id>` | Preview automation matches without writing blocks |
+| | `automation execute <id> --yes` | Run an automation rule now |
 | | `blocklist add <ip>` | Block IP |
 | | `blocklist remove <id>` | Unblock IP |
 | | `blocklist stats` | Block stats |
@@ -1070,7 +1076,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
 
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then global `~/.securenow/credentials.json`. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project `./.securenow/credentials.<environment>.json`, then global `~/.securenow/credentials.json`, then global `~/.securenow/credentials.<environment>.json`. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
 
 On startup, you'll see:
 
@@ -1652,7 +1658,15 @@ After blocking an IP, it takes 10-15 seconds to propagate (one version-check int
 
 **Check 5: Are you behind a proxy?**
 
-Add your proxy IPs to `config.networking.trustedProxies` in `.securenow/credentials.json` so the firewall sees the real client IP.
+Make sure your proxy forwards the real visitor IP:
+
+```nginx
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+```
+
+SecureNow trusts private, loopback, and same-host proxy peers automatically. For external load balancers or public proxy IPs, add them to `config.networking.trustedProxies` in `.securenow/credentials.json`. If no forwarded header reaches the app, SecureNow can detect the attack shape but cannot recover the real visitor IP from traces.
 
 **Check 6: Using PM2?**
 

package/README.md

@@ -152,11 +152,15 @@ npx securenow credentials runtime --env production
 
 It writes `.securenow/credentials.production.json`, with the same `app`, `apiKey`, `config`, and `_securenow.explanations` shape, but without the CLI OAuth `token`, `email`, or `expiresAt`. Store that JSON in your deployment secret manager and materialize it as `.securenow/credentials.json` at runtime.
 
+Starting in v7.7.1, the SDK also accepts the generated filename directly. If `.securenow/credentials.json` is missing, it checks `.securenow/credentials.<environment>.json`, so a production app with `NODE_ENV=production` can mount `.securenow/credentials.production.json` directly.
+
 Resolution order:
 
 1. Project-local `.securenow/credentials.json`
-2. Global `~/.securenow/credentials.json`
-3. `package.json#name` (label only)
+2. Project-local `.securenow/credentials.<environment>.json`
+3. Global `~/.securenow/credentials.json`
+4. Global `~/.securenow/credentials.<environment>.json`
+5. `package.json#name` (label only)
 
 Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
 
@@ -395,11 +399,12 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | File | Purpose |
 |---|---|
 | `./.securenow/credentials.json` | Project-local or production runtime credentials |
-| `./.securenow/credentials.production.json` | Tokenless production file generated by `securenow credentials runtime --env production` |
+| `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>` |
 | `~/.securenow/credentials.json` | Global (with `login --global`) |
+| `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Resolution order: project `.securenow/` -> global `~/.securenow/` -> package name fallback. Legacy env vars are fallback-only for older installs.
+Resolution order: project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json` -> package name fallback. Legacy env vars are fallback-only for older installs.
 
 Override the dashboard API with `securenow config set apiUrl <url>`.
 

package/SKILL-API.md

@@ -273,7 +273,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> global `~/.securenow/credentials.json`; legacy env vars are fallback-only for existing deployments.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> project `./.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`; legacy env vars are fallback-only for existing deployments.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -457,7 +457,7 @@ securenow redact @request.json --fields internal_id,sessionHash
 
 ## Credentials Configuration
 
-Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Environment variables are legacy fallbacks only.
+Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.1, the SDK also accepts `.securenow/credentials.<environment>.json` when the canonical `credentials.json` file is absent, so `.securenow/credentials.production.json` can be mounted directly. Environment variables are legacy fallbacks only.
 
 ### App Identity
 

package/SKILL-CLI.md

@@ -39,11 +39,11 @@ securenow whoami            # verify session (shows email, app, auth source)
 
 **Default-on security (v7.5.1+):** after picking or creating the app, `securenow login` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 
-Credentials resolve in order: project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Legacy env vars are fallback-only for existing deployments.
+Credentials resolve in order: project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Legacy env vars are fallback-only for existing deployments.
 
 The **firewall API key** should live in the same credentials file as `apiKey`. Legacy `SECURENOW_API_KEY` overrides are honored only when they start with `snk_live_`.
 
-For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`.
+For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`. Since v7.7.1, mounting the generated `.securenow/credentials.production.json` filename directly also works when `credentials.json` is absent.
 
 **Environment model:** use one SecureNow app key for local, preview, staging, and production. The credentials field `config.runtime.deploymentEnvironment` separates traces/logs/firewall/forensics by environment. CLI security commands default to `production`; pass `--env local`, `--env staging`, or `--env all` only when that scope is intentional.
 
@@ -81,10 +81,11 @@ Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-proje
 | `~/.securenow/config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
 | `~/.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config` (global, use `login --global`) |
 | `.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config`, `_securenow.explanations` (project-local default) |
-
-**Credential resolution order:** `.securenow/credentials.json` (project) -> `~/.securenow/credentials.json` (global). Legacy env vars are fallback-only for existing deployments.
-
-**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `securenow credentials runtime --env <environment>` |
+
+**Credential resolution order:** `.securenow/credentials.json` (project) -> `.securenow/credentials.<environment>.json` (project) -> `~/.securenow/credentials.json` (global) -> `~/.securenow/credentials.<environment>.json` (global). Legacy env vars are fallback-only for existing deployments.
+
+**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
 
 ```bash
 securenow config set apiUrl https://api.securenow.ai
@@ -223,6 +224,7 @@ securenow human list --limit 20
 securenow human show 1                       # inspect row 1 with AI report, DAG, proofs, trace links
 securenow human block 1 --yes --reason "AI evidence confirmed malicious"
 securenow human fp 1 --yes --reason "Scoped false positive after evidence review"
+securenow human action 1 --status rejected --yes --reason "Tuning guard is too broad"
 securenow human prompt 1                     # print a Codex/Claude MCP prompt for this row
 securenow human work --limit 10              # list queue + print MCP runbook for deep queue work
 ```
@@ -234,6 +236,7 @@ MCP parity:
 - `securenow_human_action_report`
 - `securenow_human_action_block`
 - `securenow_human_action_false_positive`
+- `securenow_human_case_action_update`
 - prompts: `investigate_human_action_row`, `work_human_actions`
 
 Write tools still require `confirm:true` plus a reason. False positives should stay restrictive to the app, alert rule, path, method/status, user-agent, body pattern, or other exact evidence the AI report supports.
@@ -243,10 +246,12 @@ Write tools still require `confirm:true` plus a reason. False positives should s
 ```bash
 securenow alerts                             # list alert rules (default)
 securenow alerts rules                       # list alert rules (columns: Status, Applications, Schedule)
-securenow alerts rules show <id>            # one rule; JSON: --json
-securenow alerts rules update <id> --applications-all   # all current & future apps
-securenow alerts rules update <id> --apps key1,key2     # explicit app keys only
-securenow alerts channels                    # list alert channels (Slack, email, etc.)
+securenow alerts rules show <id>            # one rule; JSON: --json
+securenow alerts rules update <id> --applications-all   # all current & future apps
+securenow alerts rules update <id> --apps key1,key2     # explicit app keys only
+securenow alerts rules test <id> --mode dry_run --wait  # validate a rule query
+securenow alerts rules exclusions <id> list              # embedded rule exclusions
+securenow alerts channels                    # list alert channels (Slack, email, etc.)
 securenow alerts history [--limit N]         # past triggered alerts
 ```
 
@@ -282,9 +287,9 @@ securenow api-map stats                      # endpoint statistics
 ### Firewall
 
 ```bash
-securenow firewall                           # show status (default)
-securenow firewall status --env production   # layers, sync time, blocked count, API key info
-securenow firewall test-ip <ip>              # check if IP would be blocked
+securenow firewall                           # show status (default)
+securenow firewall status --app <key> --env production   # app/env toggle, sync time, blocked count
+securenow firewall test-ip <ip> --app <key> --env local  # check if IP would be blocked
 ```
 
 **Zero-config setup (v7.5.1+):** running `securenow login` enables the selected app's firewall toggle, auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and writes it to the credentials file after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
@@ -292,19 +297,28 @@ securenow firewall test-ip <ip>              # check if IP would be blocked
 ### Blocklist — Block Malicious IPs
 
 ```bash
-securenow blocklist                          # list blocked IPs
-securenow blocklist list
-securenow blocklist add <ip> [--reason "Brute force"]
-securenow blocklist remove <id>
-securenow blocklist stats                    # block counts, top reasons
-```
+securenow blocklist                          # list blocked IPs
+securenow blocklist list
+securenow blocklist add <ip> --app <key> --env production --reason "Brute force"
+securenow blocklist remove <id>
+securenow blocklist stats                    # block counts, top reasons
+```
+
+### Automation Rules
+
+```bash
+securenow automation                         # list blocklist automation rules
+securenow automation show <id>
+securenow automation dry-run <id> --limit 500
+securenow automation execute <id> --yes
+```
 
 ### Allowlist — Restrict to Known IPs
 
 ```bash
-securenow allowlist                          # list allowed IPs
-securenow allowlist list
-securenow allowlist add <ip> [--label "Office"] [--reason "Corporate VPN"]
+securenow allowlist                          # list allowed IPs
+securenow allowlist list
+securenow allowlist add <ip> --app <key> --env local --label "Office" --reason "Corporate VPN"
 securenow allowlist remove <id>
 securenow allowlist stats
 ```

package/app-config.js

@@ -4,6 +4,9 @@
  * Shared SecureNow configuration resolver.
  *
  * Local development and production are driven by ./.securenow/credentials.json.
+ * Environment-specific runtime files such as
+ * ./.securenow/credentials.production.json are also accepted when the
+ * canonical file is not present.
  * Legacy environment variables are only fallback inputs for existing installs;
  * every SDK setting has a file-backed equivalent so customers do not need .env
  * files.
@@ -157,7 +160,9 @@ function clone(value) {
 
 function readJsonSafe(filepath) {
   try {
-    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+    let content = fs.readFileSync(filepath, 'utf8');
+    if (content.charCodeAt(0) === 0xFEFF) content = content.slice(1);
+    return JSON.parse(content);
   } catch {
     return null;
   }
@@ -191,6 +196,30 @@ function findUpFile(startDir, relativePath) {
   }
 }
 
+function findUpFirstFile(startDir, relativePaths) {
+  if (!startDir) return null;
+  const candidates = Array.isArray(relativePaths) ? relativePaths.filter(Boolean) : [relativePaths].filter(Boolean);
+  if (!candidates.length) return null;
+
+  let dir;
+  try {
+    dir = path.resolve(startDir);
+  } catch {
+    return null;
+  }
+
+  while (true) {
+    for (const relativePath of candidates) {
+      const found = fileIfReadable(path.join(dir, relativePath));
+      if (found) return found;
+    }
+
+    const parent = path.dirname(dir);
+    if (!parent || parent === dir) return null;
+    dir = parent;
+  }
+}
+
 function uniq(values) {
   const seen = new Set();
   const out = [];
@@ -202,6 +231,35 @@ function uniq(values) {
   return out;
 }
 
+function credentialEnvironmentNames() {
+  const names = [];
+  const rawValues = [
+    rawEnv('SECURENOW_ENVIRONMENT'),
+    rawEnv('SECURENOW_DEPLOYMENT_ENVIRONMENT'),
+    rawEnv('NODE_ENV'),
+  ];
+
+  for (const rawValue of rawValues) {
+    const value = pick(rawValue);
+    if (value == null) continue;
+    const text = String(value).trim().toLowerCase();
+    if (/^[a-z0-9_.-]{1,64}$/.test(text)) names.push(text);
+    names.push(normalizeDeploymentEnvironment(text));
+  }
+
+  names.push('production');
+  return uniq(names);
+}
+
+function credentialRelativePaths() {
+  return uniq([
+    path.join('.securenow', 'credentials.json'),
+    ...credentialEnvironmentNames().map((envName) =>
+      path.join('.securenow', `credentials.${envName}.json`)
+    ),
+  ]);
+}
+
 function resolveLocalCredentialsFile() {
   const starts = [];
   try {
@@ -212,8 +270,25 @@ function resolveLocalCredentialsFile() {
   if (process.argv && process.argv[1]) starts.push(path.dirname(process.argv[1]));
   if (require.main && require.main.filename) starts.push(path.dirname(require.main.filename));
 
+  const candidates = credentialRelativePaths();
   for (const start of uniq(starts)) {
-    const found = findUpFile(start, path.join('.securenow', 'credentials.json'));
+    const found = findUpFirstFile(start, candidates);
+    if (found) return found;
+  }
+
+  return null;
+}
+
+function resolveGlobalCredentialsFile() {
+  let home;
+  try {
+    home = os.homedir();
+  } catch {
+    return null;
+  }
+
+  for (const relativePath of credentialRelativePaths()) {
+    const found = fileIfReadable(path.join(home, relativePath));
     if (found) return found;
   }
 
@@ -248,7 +323,7 @@ function loadLocalCredentials() {
 
 function loadGlobalCredentials() {
   try {
-    return withCredentialDefaults(readJsonSafe(path.join(os.homedir(), '.securenow', 'credentials.json')));
+    return withCredentialDefaults(readJsonSafe(resolveGlobalCredentialsFile()));
   } catch {
     return null;
   }
@@ -668,6 +743,9 @@ module.exports = {
   listEnv,
   parseHeaders,
   headersToString,
+  credentialRelativePaths,
+  resolveLocalCredentialsFile,
+  resolveGlobalCredentialsFile,
   loadCredentials,
   loadLocalCredentials,
   loadGlobalCredentials,

package/cli/automation.js

@@ -0,0 +1,275 @@
+'use strict';
+
+const fs = require('fs');
+const { api, requireAuth } = require('./client');
+const ui = require('./ui');
+
+function parseList(value) {
+  if (!value) return [];
+  return String(value).split(',').map((item) => item.trim()).filter(Boolean);
+}
+
+function parseJson(value, label) {
+  try {
+    return JSON.parse(value);
+  } catch (err) {
+    ui.error(`${label} must be valid JSON: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function readBody(flags) {
+  if (flags.body) return parseJson(flags.body, '--body');
+  if (flags.file) return parseJson(fs.readFileSync(flags.file, 'utf8'), '--file');
+  return null;
+}
+
+function bodyFromFlags(flags, requireName = false) {
+  const body = readBody(flags) || {};
+
+  if (flags.name) body.name = flags.name;
+  if (flags.description) body.description = flags.description;
+  if (flags.conditions) body.conditions = parseJson(flags.conditions, '--conditions');
+  if (flags.actions) body.actions = parseJson(flags.actions, '--actions');
+  if (flags.logic || flags['condition-logic']) body.conditionLogic = flags.logic || flags['condition-logic'];
+  if (flags.status) body.status = flags.status;
+
+  if (flags.app || flags.apps) {
+    body.applicationsAll = false;
+    body.applicationKeys = parseList(flags.app || flags.apps);
+  }
+  if (flags['applications-all']) {
+    body.applicationsAll = true;
+    body.applicationKeys = [];
+  }
+
+  if (flags.env || flags.environment || flags.environments) {
+    body.environmentsAll = false;
+    body.environments = parseList(flags.env || flags.environment || flags.environments);
+  }
+  if (flags['environments-all']) {
+    body.environmentsAll = true;
+    body.environments = [];
+  }
+
+  if (requireName && !body.name) {
+    ui.error('Rule name required. Pass --name or --body JSON.');
+    process.exit(1);
+  }
+
+  return body;
+}
+
+function formatApplications(rule) {
+  if (rule.applicationsAll !== false) return ui.c.cyan('all apps');
+  return (rule.applications || []).join(', ') || ui.c.dim('-');
+}
+
+function formatEnvironments(rule) {
+  if (rule.environmentsAll !== false) return ui.c.cyan('all envs');
+  return (rule.environments || []).join(', ') || ui.c.dim('-');
+}
+
+async function list(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching automation rules');
+  try {
+    const data = await api.get('/automation-rules');
+    const rules = data.rules || [];
+    s.stop(`Found ${rules.length} automation rule${rules.length === 1 ? '' : 's'}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = rules.map((rule) => [
+      ui.c.dim(ui.truncate(rule._id || rule.id, 12)),
+      rule.name || '-',
+      ui.statusBadge(rule.status || 'active'),
+      formatApplications(rule),
+      formatEnvironments(rule),
+      String(rule.stats?.totalMatches ?? 0),
+      rule.stats?.lastExecutedAt ? ui.timeAgo(rule.stats.lastExecutedAt) : '-',
+    ]);
+    ui.table(['ID', 'Name', 'Status', 'Apps', 'Envs', 'Matches', 'Last Run'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch automation rules');
+    throw err;
+  }
+}
+
+async function show(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation show <rule-id>');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Fetching automation rule');
+  try {
+    const data = await api.get(`/automation-rules/${encodeURIComponent(id)}`);
+    const rule = data.rule || data;
+    s.stop('Automation rule loaded');
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    ui.heading(rule.name || 'Automation rule');
+    ui.keyValue([
+      ['ID', rule._id || rule.id || id],
+      ['Status', rule.status || '-'],
+      ['Applications', formatApplications(rule)],
+      ['Environments', formatEnvironments(rule)],
+      ['Condition logic', rule.conditionLogic || 'AND'],
+      ['Conditions', JSON.stringify(rule.conditions || [])],
+      ['Actions', JSON.stringify(rule.actions || [])],
+      ['Total executions', String(rule.stats?.totalExecutions ?? 0)],
+      ['Total matches', String(rule.stats?.totalMatches ?? 0)],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch automation rule');
+    throw err;
+  }
+}
+
+async function create(args, flags) {
+  requireAuth();
+  const body = bodyFromFlags(flags, true);
+  const s = ui.spinner('Creating automation rule');
+  try {
+    const data = await api.post('/automation-rules', body);
+    s.stop('Automation rule created');
+    if (flags.json) { ui.json(data); return; }
+    ui.success(`${data.rule?.name || body.name} created`);
+  } catch (err) {
+    s.fail('Failed to create automation rule');
+    throw err;
+  }
+}
+
+async function update(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation update <rule-id> [--body JSON]');
+    process.exit(1);
+  }
+
+  const body = bodyFromFlags(flags, false);
+  if (Object.keys(body).length === 0) {
+    ui.error('Nothing to update. Pass --body, --file, or field flags.');
+    process.exit(1);
+  }
+
+  const s = ui.spinner('Updating automation rule');
+  try {
+    const data = await api.put(`/automation-rules/${encodeURIComponent(id)}`, body);
+    s.stop('Automation rule updated');
+    if (flags.json) { ui.json(data); return; }
+    ui.success('Automation rule updated');
+  } catch (err) {
+    s.fail('Failed to update automation rule');
+    throw err;
+  }
+}
+
+async function dryRun(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation dry-run <rule-id> [--limit 500] [--sample-limit 20]');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (flags.limit) body.limit = Number(flags.limit);
+  if (flags['sample-limit']) body.sampleLimit = Number(flags['sample-limit']);
+
+  const s = ui.spinner('Dry-running automation rule');
+  try {
+    const data = await api.post(`/automation-rules/${encodeURIComponent(id)}/dry-run`, body);
+    s.stop('Dry-run complete');
+    if (flags.json) { ui.json(data); return; }
+
+    const results = data.results || {};
+    console.log('');
+    ui.keyValue([
+      ['Scanned IPs', String(results.scanned ?? 0)],
+      ['Matched IPs', String(results.matched ?? 0)],
+      ['Sample count', String((results.samples || []).length)],
+    ]);
+    if ((results.samples || []).length) {
+      console.log('');
+      const rows = results.samples.map((sample) => [
+        sample.ip,
+        ui.truncate((sample.path || []).join(', '), 32),
+        ui.truncate((sample.attackType || []).join(', '), 28),
+        (sample.environment || []).join(', ') || '-',
+        String(sample.riskScore ?? '-'),
+      ]);
+      ui.table(['IP', 'Paths', 'Attack', 'Env', 'Risk'], rows);
+    }
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to dry-run automation rule');
+    throw err;
+  }
+}
+
+async function execute(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation execute <rule-id> --yes');
+    process.exit(1);
+  }
+  if (!flags.yes && !flags.force) {
+    const ok = await ui.confirm('Execute this automation rule now? It may add IPs to the blocklist.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Executing automation rule');
+  try {
+    const data = await api.post(`/automation-rules/${encodeURIComponent(id)}/execute`, {});
+    s.stop('Automation rule executed');
+    if (flags.json) { ui.json(data); return; }
+    const r = data.results || {};
+    ui.keyValue([
+      ['Scanned', String(r.scanned ?? 0)],
+      ['Matched', String(r.matched ?? 0)],
+      ['Blocked', String(r.blocked ?? 0)],
+      ['Skipped', String(r.skipped ?? 0)],
+      ['Errors', String(r.errors ?? 0)],
+    ]);
+  } catch (err) {
+    s.fail('Failed to execute automation rule');
+    throw err;
+  }
+}
+
+async function remove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow automation delete <rule-id> --yes');
+    process.exit(1);
+  }
+  if (!flags.yes && !flags.force) {
+    const ok = await ui.confirm('Delete this automation rule?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Deleting automation rule');
+  try {
+    const data = await api.delete(`/automation-rules/${encodeURIComponent(id)}`);
+    s.stop('Automation rule deleted');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to delete automation rule');
+    throw err;
+  }
+}
+
+module.exports = { list, show, create, update, dryRun, execute, remove };

package/cli/config.js

@@ -28,7 +28,9 @@ function ensureDir(dir) {
 
 function loadJSON(filepath) {
   try {
-    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+    let content = fs.readFileSync(filepath, 'utf8');
+    if (content.charCodeAt(0) === 0xFEFF) content = content.slice(1);
+    return JSON.parse(content);
   } catch {
     return {};
   }
@@ -50,17 +52,16 @@ function credentialsFileForLocal(local) {
 }
 
 function hasLocalCredentials() {
-  return fs.existsSync(LOCAL_CREDENTIALS_FILE);
+  return !!appConfig.resolveLocalCredentialsFile();
 }
 
 function resolveCredentialsFile() {
-  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return LOCAL_CREDENTIALS_FILE;
-  return CREDENTIALS_FILE;
+  return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || CREDENTIALS_FILE;
 }
 
 function getAuthSource() {
   if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
-  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return 'project (.securenow/)';
+  if (appConfig.resolveLocalCredentialsFile()) return 'project (.securenow/)';
   return 'global (~/.securenow/)';
 }
 
@@ -91,9 +92,8 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  const credentials = fs.existsSync(LOCAL_CREDENTIALS_FILE)
-    ? loadJSON(LOCAL_CREDENTIALS_FILE)
-    : loadJSON(CREDENTIALS_FILE);
+  const credentialsFile = resolveCredentialsFile();
+  const credentials = loadJSON(credentialsFile);
   return appConfig.withCredentialDefaults(credentials) || {};
 }