securenow 7.6.9 → 7.7.1

package/cli/credentials.js

@@ -40,7 +40,7 @@ function buildRuntimeCredentials(options = {}) {
     },
     _securenow: {
       ...(creds._securenow || {}),
-      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json in production. Do not commit it.',
+      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',
     },
@@ -83,6 +83,7 @@ async function runtime(_args, flags) {
 
   ui.success(`Wrote runtime credentials to ${output}`);
   ui.info('Deploy this JSON as .securenow/credentials.json on the server/container.');
+  ui.info('SDK v7.7.1+ can also read this generated filename directly when credentials.json is absent.');
   ui.info(`Environment: ${envName}`);
   ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
   ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);

package/cli/firewall.js

@@ -7,13 +7,16 @@ function resolveEnvironment(flags) {
   return flags.env || flags.environment || 'production';
 }
 
-async function status(args, flags) {
-  requireAuth();
-  const s = ui.spinner('Checking firewall status');
-
-  try {
+async function status(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Checking firewall status');
+
+  try {
     const environment = resolveEnvironment(flags);
-    const data = await api.get('/firewall/status', { query: { environment } });
+    const appKey = await resolveAppKey(flags);
+    const query = { environment };
+    if (appKey) query.appKey = appKey;
+    const data = await api.get('/firewall/status', { query });
 
     s.stop('Firewall status retrieved');
 
@@ -23,10 +26,14 @@ async function status(args, flags) {
     }
 
     console.log('');
-    console.log(`  ${ui.c.bold(ui.c.green('Firewall: ENABLED'))}`);
+    const enabledLabel = data.firewallEnabled === false
+      ? ui.c.bold(ui.c.yellow('Firewall: DISABLED FOR APP/ENV'))
+      : ui.c.bold(ui.c.green('Firewall: ENABLED'));
+    console.log(`  ${enabledLabel}`);
     console.log('');
     ui.keyValue([
       ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
       ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
@@ -66,7 +73,10 @@ async function testIp(args, flags) {
 
   try {
     const environment = resolveEnvironment(flags);
-    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query: { environment } });
+    const appKey = await resolveAppKey(flags);
+    const query = { environment };
+    if (appKey) query.appKey = appKey;
+    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query });
 
     s.stop(`IP ${ip} checked`);
 
@@ -75,8 +85,14 @@ async function testIp(args, flags) {
       return;
     }
 
-    console.log('');
-    if (data.blocked) {
+    console.log('');
+    if (data.firewallEnabled === false) {
+      console.log(`  ${ui.c.bold(ui.c.yellow('NOT ENFORCED'))} — firewall is disabled for ${appKey || 'this app'} (${data.environment || environment})`);
+      if (data.reason) console.log(`  ${ui.c.dim(`Reason: ${data.reason}`)}`);
+      console.log('');
+      return;
+    }
+    if (data.blocked) {
       if (data.allowlistActive && !data.allowlisted) {
         console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is not on the allowlist`);
         console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
@@ -92,8 +108,9 @@ async function testIp(args, flags) {
       } else {
         console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is not in the blocklist`);
       }
-    }
-    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    }
+    console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} · Environment: ${data.environment || environment}`)}`);
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
     if (data.allowlistActive) {
       console.log(`  ${ui.c.dim('Allowlist is active')}`);
     }

package/cli/human.js

@@ -214,6 +214,40 @@ async function show(args, flags) {
   const s = ui.spinner('Fetching human action detail');
   try {
     const { task, row } = await resolveTask(ref, flags);
+    if (task.kind === 'case_action' || task.actionKey) {
+      const [notification, agentCase] = await Promise.all([
+        api.get(`/notifications/${encodeURIComponent(task.notificationId)}`).catch(() => ({})),
+        api.get(`/notifications/${encodeURIComponent(task.notificationId)}/agent-case`).catch(() => ({})),
+      ]);
+      s.stop('Case action loaded');
+      if (flags.json) {
+        ui.json({ task, notification, agentCase });
+        return;
+      }
+      console.log('');
+      printTaskSummary(task, row);
+      console.log('');
+      ui.subheading('Case action');
+      ui.keyValue([
+        ['Action key', task.actionKey || '-'],
+        ['Type', task.actionType || task.action?.type || '-'],
+        ['Title', task.action?.title || task.title || '-'],
+        ['Description', ui.truncate(task.action?.description || '', 140)],
+        ['Status', task.action?.status || 'proposed'],
+      ]);
+      if ((agentCase.proposedActions || []).length) {
+        console.log('');
+        const rows = agentCase.proposedActions.map((action) => [
+          action.actionKey || '-',
+          action.type || '-',
+          action.status || '-',
+          ui.truncate(action.title || action.description || '', 80),
+        ]);
+        ui.table(['Key', 'Type', 'Status', 'Action'], rows);
+      }
+      console.log('');
+      return;
+    }
     const [ipReport, notification] = await Promise.all([
       api.get(`/notifications/${encodeURIComponent(task.notificationId)}/ips/${encodeURIComponent(task.ip)}`),
       api.get(`/notifications/${encodeURIComponent(task.notificationId)}`).catch(() => ({})),
@@ -248,6 +282,63 @@ async function show(args, flags) {
   }
 }
 
+async function action(args, flags) {
+  requireAuth();
+  const ref = args[0];
+  if (!ref) {
+    ui.error('Usage: securenow human action <row|notificationId> [actionKey] --status approved|rejected|executed|failed --yes --reason "..."');
+    process.exit(1);
+  }
+
+  const parsed = parseTaskRef(ref);
+  let notificationId = parsed?.notificationId;
+  let actionKey = flags.actionKey || flags['action-key'] || args[1];
+  let task = null;
+  let row = null;
+
+  if (parsed?.kind === 'row' || !actionKey) {
+    const resolved = await resolveTask(ref, flags);
+    task = resolved.task;
+    row = resolved.row;
+    notificationId = task.notificationId;
+    actionKey = actionKey || task.actionKey;
+  }
+
+  const status = flags.status || args[2];
+  if (!notificationId || !actionKey || !status) {
+    ui.error('notificationId, actionKey, and --status are required.');
+    process.exit(1);
+  }
+
+  if (!['proposed', 'approved', 'rejected', 'executed', 'failed'].includes(status)) {
+    ui.error('Status must be one of: proposed, approved, rejected, executed, failed');
+    process.exit(1);
+  }
+
+  if (!flags.yes && !flags.force) {
+    const label = task ? `row ${row || ''} (${actionKey})` : `${notificationId}/${actionKey}`;
+    const ok = await ui.confirm(`Set case action ${label} to ${status}?`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const result = flags.result ? JSON.parse(flags.result) : {};
+  if (flags.reason) result.reason = flags.reason;
+
+  const s = ui.spinner('Updating case action');
+  try {
+    const data = await api.put(
+      `/notifications/${encodeURIComponent(notificationId)}/agent-case/actions/${encodeURIComponent(actionKey)}`,
+      { status, result }
+    );
+    s.stop('Case action updated');
+    if (flags.json) { ui.json(data); return; }
+    ui.success(`${actionKey} -> ${data.action?.status || status}`);
+  } catch (err) {
+    s.fail('Failed to update case action');
+    throw err;
+  }
+}
+
 async function block(args, flags) {
   requireAuth();
   const ref = args[0];
@@ -328,10 +419,12 @@ function mcpPromptText(ref, flags = {}) {
       : '2. For each task, call securenow_notifications_get and securenow_human_action_report for the notificationId and IP.',
     '3. Read the AI report, finalDecision, DAG steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
     '4. Open/inspect trace evidence with securenow_traces_show and securenow_logs_for_trace when trace IDs are available.',
-    '5. Decide one of only two outcomes: block the IP, or mark a scoped false positive. If evidence is ambiguous, report why and stop for that row.',
+    '5. Decide one outcome: block the IP, mark a scoped false positive, recommend alert-rule tuning, or skip if evidence is ambiguous.',
     '6. For block decisions, call securenow_human_action_block with confirm:true and a precise reason.',
     '7. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, and a precise reason.',
-    '8. Summarize each row handled, skipped, and still waiting. Do not globally trust an IP by default.',
+    '8. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
+    '9. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
+    '10. Summarize each row handled, skipped, rule tuning needed, and still waiting. Do not globally trust an IP by default.',
     '',
     'Safety:',
     '- Do not call write tools without confirm:true and a reason.',
@@ -359,6 +452,7 @@ async function work(args, flags) {
 module.exports = {
   list,
   show,
+  action,
   block,
   fp,
   prompt,

package/cli/security.js

@@ -38,12 +38,18 @@ async function alertRulesRoute(args, flags) {
   if (sub === 'show') {
     return alertRuleShow(args.slice(1), flags);
   }
-  if (sub === 'update') {
-    return alertRuleUpdate(args.slice(1), flags);
-  }
-  if (sub === 'list') {
-    return alertRulesList(args.slice(1), flags);
-  }
+  if (sub === 'update') {
+    return alertRuleUpdate(args.slice(1), flags);
+  }
+  if (sub === 'test') {
+    return alertRuleTest(args.slice(1), flags);
+  }
+  if (sub === 'exclusions') {
+    return alertRuleExclusions(args.slice(1), flags);
+  }
+  if (sub === 'list') {
+    return alertRulesList(args.slice(1), flags);
+  }
   return alertRulesList(args, flags);
 }
 
@@ -115,7 +121,7 @@ async function alertRuleShow(args, flags) {
   }
 }
 
-async function alertRuleUpdate(args, flags) {
+async function alertRuleUpdate(args, flags) {
   requireAuth();
   const id = args[0];
   if (!id) {
@@ -172,7 +178,97 @@ async function alertRuleUpdate(args, flags) {
     s.fail('Failed to update alert rule');
     throw err;
   }
-}
+}
+
+async function alertRuleTest(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules test <rule-id> [--app <key>] [--mode dry_run] [--wait]');
+    process.exit(1);
+  }
+
+  const body = {};
+  if (flags.app) body.applicationKey = flags.app;
+  if (flags.mode) body.mode = flags.mode;
+  const s = ui.spinner('Starting alert rule test');
+  try {
+    let data = await api.post(`/alert-rules/${id}/test`, body);
+    if (flags.wait && data.testId) {
+      s.update('Waiting for alert rule test results');
+      for (let i = 0; i < 40; i++) {
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        data = await api.get(`/alert-rules/${id}/test/${data.testId}`);
+        if (['complete', 'failed'].includes(data.status)) break;
+      }
+    }
+    s.stop('Alert rule test ready');
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    ui.keyValue([
+      ['Test ID', data.testId || '-'],
+      ['Mode', data.mode || body.mode || 'live'],
+      ['Status', data.status || '-'],
+      ['Result count', String(data.resultCount ?? '-')],
+      ['Error', data.error || '-'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to test alert rule');
+    throw err;
+  }
+}
+
+async function alertRuleExclusions(args, flags) {
+  requireAuth();
+  const id = args[0];
+  const action = args[1] || 'list';
+  if (!id) {
+    ui.error('Usage: securenow alerts rules exclusions <rule-id> [list|add|delete] [exclusion-id]');
+    process.exit(1);
+  }
+
+  try {
+    if (action === 'add') {
+      const body = {};
+      if (flags.conditions) body.conditions = JSON.parse(flags.conditions);
+      if (flags['match-mode']) body.matchMode = flags['match-mode'];
+      if (flags.reason) body.reason = flags.reason;
+      if (flags.path) body.pathPattern = flags.path;
+      const data = await api.post(`/alert-rules/${id}/exclusions`, body);
+      if (flags.json) { ui.json(data); return; }
+      ui.success('Exclusion added');
+      return;
+    }
+
+    if (action === 'delete' || action === 'remove') {
+      const exclusionId = args[2];
+      if (!exclusionId) {
+        ui.error('Exclusion id required.');
+        process.exit(1);
+      }
+      const data = await api.delete(`/alert-rules/${id}/exclusions/${exclusionId}`);
+      if (flags.json) { ui.json(data); return; }
+      ui.success('Exclusion removed');
+      return;
+    }
+
+    const data = await api.get(`/alert-rules/${id}/exclusions`);
+    const exclusions = data.exclusions || [];
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    const rows = exclusions.map((e) => [
+      ui.c.dim(ui.truncate(e._id, 12)),
+      e.isActive === false ? ui.statusBadge('disabled') : ui.statusBadge('active'),
+      e.matchMode || 'all',
+      ui.truncate(e.reason || e.pathPattern || JSON.stringify(e.conditions || []), 72),
+    ]);
+    ui.table(['ID', 'Status', 'Mode', 'Reason/Pattern'], rows);
+    console.log('');
+  } catch (err) {
+    throw err;
+  }
+}
 
 // ── Alert Channels ──
 
@@ -238,7 +334,12 @@ async function blocklistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist');
   try {
-    const data = await api.get('/blocklist');
+    const query = {};
+    if (flags.page) query.page = flags.page;
+    if (flags.limit) query.limit = flags.limit;
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/blocklist', { query });
     const items = data.blockedIps || [];
     s.stop(`Found ${items.length} blocked IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
 
@@ -249,11 +350,13 @@ async function blocklistList(args, flags) {
       ui.c.dim(ui.truncate(b._id, 12)),
       ui.c.red(b.ip || b.cidr || '—'),
       ui.truncate(b.reason || '', 40),
-      b.source || '—',
-      ui.timeAgo(b.createdAt),
-      b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Added', 'Expires'], rows);
+      b.source || '—',
+      b.applicationKey || ui.c.dim('all apps'),
+      b.environment || ui.c.dim('all envs'),
+      ui.timeAgo(b.createdAt),
+      b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'App', 'Env', 'Added', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -269,10 +372,11 @@ async function blocklistAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.reason) body.reason = flags.reason;
-  if (flags.duration) body.duration = flags.duration;
-  if (flags.app) body.serviceName = flags.app;
+  const body = { ip };
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.duration) body.duration = flags.duration;
+  if (flags.app) body.appKey = flags.app;
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Blocking ${ip}`);
   try {
@@ -340,7 +444,12 @@ async function allowlistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching allowlist');
   try {
-    const data = await api.get('/allowlist');
+    const query = {};
+    if (flags.page) query.page = flags.page;
+    if (flags.limit) query.limit = flags.limit;
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/allowlist', { query });
     const items = data.allowedIps || [];
     s.stop(`Found ${items.length} allowed IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
 
@@ -349,13 +458,15 @@ async function allowlistList(args, flags) {
     console.log('');
     const rows = items.map(a => [
       ui.c.dim(ui.truncate(a._id, 12)),
-      ui.c.green(a.ip || '—'),
-      a.label || ui.c.dim('—'),
-      ui.truncate(a.reason || '', 40),
-      ui.timeAgo(a.createdAt),
-      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'Added', 'Expires'], rows);
+      ui.c.green(a.ip || '—'),
+      a.label || ui.c.dim('—'),
+      ui.truncate(a.reason || '', 40),
+      a.applicationKey || ui.c.dim('all apps'),
+      a.environment || ui.c.dim('all envs'),
+      ui.timeAgo(a.createdAt),
+      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'App', 'Env', 'Added', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch allowlist');
@@ -371,9 +482,14 @@ async function allowlistAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.label) body.label = flags.label;
-  if (flags.reason) body.reason = flags.reason;
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.app) {
+    body.applicationsAll = false;
+    body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
+  }
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Allowing ${ip}`);
   try {
@@ -438,7 +554,10 @@ async function trustedList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching trusted IPs');
   try {
-    const data = await api.get('/trusted-ips');
+    const query = {};
+    if (flags.app) query.appKey = flags.app;
+    if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    const data = await api.get('/trusted-ips', { query });
     const items = data.trustedIps || [];
     s.stop(`Found ${items.length} trusted IP${items.length !== 1 ? 's' : ''}`);
 
@@ -446,12 +565,14 @@ async function trustedList(args, flags) {
 
     console.log('');
     const rows = items.map(t => [
-      ui.c.dim(ui.truncate(t._id, 12)),
-      ui.c.green(t.ip || t.cidr || '—'),
-      t.label || t.description || ui.c.dim('—'),
-      ui.timeAgo(t.createdAt),
-    ]);
-    ui.table(['ID', 'IP/CIDR', 'Label', 'Added'], rows);
+      ui.c.dim(ui.truncate(t._id, 12)),
+      ui.c.green(t.ip || t.cidr || '—'),
+      t.label || t.description || ui.c.dim('—'),
+      t.applicationKey || ui.c.dim('all apps'),
+      t.environment || ui.c.dim('all envs'),
+      ui.timeAgo(t.createdAt),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'App', 'Env', 'Added'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch trusted IPs');
@@ -467,9 +588,15 @@ async function trustedAdd(args, flags) {
     if (!ip) { ui.error('IP is required'); process.exit(1); }
   }
 
-  const body = { ip };
-  if (flags.label) body.label = flags.label;
-  if (flags.description) body.description = flags.description;
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.description) body.description = flags.description;
+  if (flags.note) body.note = flags.note;
+  if (flags.app) {
+    body.applicationsAll = false;
+    body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
+  }
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
 
   const s = ui.spinner(`Adding ${ip} to trusted IPs`);
   try {
@@ -965,9 +1092,11 @@ async function analytics(args, flags) {
 
 module.exports = {
   alertRulesRoute,
-  alertRulesList,
-  alertRuleShow,
-  alertRuleUpdate,
+  alertRulesList,
+  alertRuleShow,
+  alertRuleUpdate,
+  alertRuleTest,
+  alertRuleExclusions,
   alertChannelsList,
   alertHistoryList,
   blocklistList,