securenow 7.6.9 → 7.7.1

package/cli.js

@@ -164,7 +164,7 @@ const COMMANDS = {
   },
   human: {
     desc: 'Work the human action queue prepared by SecureNow AI',
-    usage: 'securenow human <list|show|block|fp|prompt|work> [row|notificationId:ip] [options]',
+    usage: 'securenow human <list|show|block|fp|action|prompt|work> [row|notificationId:ip] [options]',
     flags: {
       json: 'Output as JSON',
       page: 'Queue page number',
@@ -178,6 +178,9 @@ const COMMANDS = {
       'rule-scope': 'False-positive scope: this_rule | specific_rules | all_existing | any_rule',
       'create-exclusion': 'Create a restrictive exclusion when marking false positive',
       'apply-existing': 'Apply false-positive decision to existing matching rows',
+      status: 'Case action status: approved, rejected, executed, failed, or proposed',
+      'action-key': 'Case-level proposed action key',
+      result: 'Case action result JSON',
       mode: 'Prompt mode label for MCP prompt output',
     },
     sub: {
@@ -185,6 +188,7 @@ const COMMANDS = {
       show: { desc: 'Show one row with AI report, proofs, DAG, and trace links', usage: 'securenow human show <row|notificationId:ip>', run: (a, f) => require('./cli/human').show(a, f) },
       block: { desc: 'Approve the AI block recommendation for a row', usage: 'securenow human block <row|notificationId:ip> --yes --reason "..."', run: (a, f) => require('./cli/human').block(a, f) },
       fp: { desc: 'Mark a row as a scoped false positive', usage: 'securenow human fp <row|notificationId:ip> --yes --reason "..."', run: (a, f) => require('./cli/human').fp(a, f) },
+      action: { desc: 'Approve/reject/execute a case-level proposed action', usage: 'securenow human action <row|notificationId> [actionKey] --status approved --yes --reason "..."', run: (a, f) => require('./cli/human').action(a, f) },
       prompt: { desc: 'Print a Codex/Claude MCP prompt for row or queue work', usage: 'securenow human prompt [row|notificationId:ip] [--limit 10]', run: (a, f) => require('./cli/human').prompt(a, f) },
       work: { desc: 'List the queue and print the MCP runbook to work it deeply', usage: 'securenow human work [--limit 10]', run: (a, f) => require('./cli/human').work(a, f) },
     },
@@ -226,47 +230,86 @@ const COMMANDS = {
     },
     defaultSub: 'list',
   },
-  firewall: {
-    desc: 'Firewall status, per-app toggle, and IP testing',
-    usage: 'securenow firewall <subcommand> [options]',
-    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
+  firewall: {
+    desc: 'Firewall status, per-app toggle, and IP testing',
+    usage: 'securenow firewall <subcommand> [options]',
+    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
       status: { desc: 'Show firewall status, layers, and blocklist info', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').status(a, f) },
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
       'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
-    },
-    defaultSub: 'status',
-  },
-  blocklist: {
-    desc: 'Manage IP blocklist',
-    usage: 'securenow blocklist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+    },
+    defaultSub: 'status',
+  },
+  automation: {
+    desc: 'Manage automation rules for blocklist actions',
+    usage: 'securenow automation <list|show|create|update|dry-run|execute|delete> [rule-id] [options]',
+    flags: {
+      json: 'Output as JSON',
+      body: 'Full JSON body for create/update',
+      file: 'Read JSON body from file',
+      name: 'Rule name',
+      description: 'Rule description',
+      conditions: 'Conditions JSON array',
+      actions: 'Actions JSON array',
+      logic: 'Condition logic: AND or OR',
+      status: 'Rule status: active or disabled',
+      app: 'Comma-separated app key(s) to scope the rule',
+      apps: 'Alias for --app',
+      'applications-all': 'Scope rule to all apps',
+      env: 'Comma-separated environment(s) to scope the rule',
+      environment: 'Alias for --env',
+      environments: 'Alias for --env',
+      'environments-all': 'Scope rule to all environments',
+      limit: 'Dry-run notification scan limit',
+      'sample-limit': 'Dry-run sample count',
+      yes: 'Confirm execute/delete',
+      force: 'Alias for --yes',
+    },
+    sub: {
+      list: { desc: 'List automation rules', run: (a, f) => require('./cli/automation').list(a, f) },
+      show: { desc: 'Show automation rule details', usage: 'securenow automation show <rule-id>', run: (a, f) => require('./cli/automation').show(a, f) },
+      create: { desc: 'Create automation rule', usage: 'securenow automation create --name "..." --conditions \'[...]\' --actions \'[...]\'', run: (a, f) => require('./cli/automation').create(a, f) },
+      update: { desc: 'Update automation rule', usage: 'securenow automation update <rule-id> --body \'{...}\'', run: (a, f) => require('./cli/automation').update(a, f) },
+      'dry-run': { desc: 'Preview automation matches without writing blocklist entries', usage: 'securenow automation dry-run <rule-id>', run: (a, f) => require('./cli/automation').dryRun(a, f) },
+      execute: { desc: 'Execute an automation rule now', usage: 'securenow automation execute <rule-id> --yes', run: (a, f) => require('./cli/automation').execute(a, f) },
+      delete: { desc: 'Delete an automation rule', usage: 'securenow automation delete <rule-id> --yes', run: (a, f) => require('./cli/automation').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  blocklist: {
+    desc: 'Manage IP blocklist',
+    usage: 'securenow blocklist <subcommand> [options]',
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
     },
     defaultSub: 'list',
   },
-  allowlist: {
-    desc: 'Manage IP allowlist (only allow listed IPs)',
-    usage: 'securenow allowlist <subcommand> [options]',
-    sub: {
-      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
-      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
+  allowlist: {
+    desc: 'Manage IP allowlist (only allow listed IPs)',
+    usage: 'securenow allowlist <subcommand> [options]',
+    flags: { app: 'Scope to app key(s), comma-separated', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
+      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--app <key>] [--env local] [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
       remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
       stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
     },
     defaultSub: 'list',
   },
-  trusted: {
-    desc: 'Manage trusted IPs',
-    usage: 'securenow trusted <subcommand> [options]',
-    sub: {
-      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
-      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
+  trusted: {
+    desc: 'Manage trusted IPs',
+    usage: 'securenow trusted <subcommand> [options]',
+    flags: { app: 'Scope to app key(s), comma-separated', env: 'Scope to environment', environment: 'Alias for --env', json: 'Output as JSON' },
+    sub: {
+      list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
+      add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--app <key>] [--env local] [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
       remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
     },
     defaultSub: 'list',
@@ -499,8 +542,8 @@ function showHelp(commandName) {
     'Observe': ['traces', 'logs', 'analytics'],
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
-    'Firewall': ['firewall'],
-    'Remediation': ['blocklist', 'allowlist', 'trusted'],
+    'Firewall': ['firewall'],
+    'Remediation': ['automation', 'blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],

package/mcp/catalog.js

@@ -230,8 +230,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/firewall/status',
-    queryFields: ['environment'],
-    inputSchema: objectSchema({ ...environmentInput }),
+    queryFields: ['environment', 'appKey'],
+    inputSchema: objectSchema({
+      appKey: string('Optional application key UUID to scope the status check.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_firewall_enable',
@@ -297,9 +300,10 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/firewall/check/:ip',
     pathParams: ['ip'],
-    queryFields: ['environment'],
+    queryFields: ['environment', 'appKey'],
     inputSchema: objectSchema({
       ip: string('IPv4 address to test.'),
+      appKey: string('Optional application key UUID to test the app/environment toggle and scoped lists.'),
       ...environmentInput,
     }, ['ip']),
   },
@@ -421,6 +425,19 @@ const TOOLS = [
       id: string('Notification id.'),
     }, ['id']),
   },
+  {
+    name: 'securenow_notifications_batch_get',
+    title: 'Get Notifications Batch',
+    description: 'Fetch multiple notification/case records in one request.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'POST',
+    endpoint: '/notifications/batch',
+    bodyFields: ['ids'],
+    inputSchema: objectSchema({
+      ids: arrayOfStrings('Notification ids to fetch, up to 50.'),
+    }, ['ids']),
+  },
   {
     name: 'securenow_human_actions_list',
     title: 'List Human Action Queue',
@@ -496,6 +513,26 @@ const TOOLS = [
       ...confirmSchema,
     }, ['notificationId', 'ip', 'confirm', 'reason']),
   },
+  {
+    name: 'securenow_human_case_action_update',
+    title: 'Update Case-Level Human Action',
+    description: 'Approve, reject, execute, or fail a case-level proposed action such as tune_rule or create_exclusion. Write action; requires confirmation.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/notifications/:notificationId/agent-case/actions/:actionKey',
+    pathParams: ['notificationId', 'actionKey'],
+    bodyFields: ['status', 'result'],
+    reasonInResult: true,
+    inputSchema: objectSchema({
+      notificationId: string('Notification id from the case-action row.'),
+      actionKey: string('Proposed action key from the row, for example tune_rule:...'),
+      status: string('New status: proposed, approved, rejected, executed, or failed.'),
+      result: { type: 'object', additionalProperties: true, description: 'Optional structured result/audit details.' },
+      ...confirmSchema,
+    }, ['notificationId', 'actionKey', 'status', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_ip_lookup',
     title: 'IP Intelligence Lookup',
@@ -567,6 +604,258 @@ const TOOLS = [
       instanceId: string('Optional ClickHouse instance id.'),
     }),
   },
+  {
+    name: 'securenow_automation_rules_list',
+    title: 'List Automation Rules',
+    description: 'List blocklist automation rules with app/environment scope and stats.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/automation-rules',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_automation_rule_get',
+    title: 'Get Automation Rule',
+    description: 'Fetch one automation rule.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_automation_rule_create',
+    title: 'Create Automation Rule',
+    description: 'Create a blocklist automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules',
+    bodyFields: ['name', 'description', 'conditions', 'conditionLogic', 'actions', 'applicationsAll', 'applicationKeys', 'environmentsAll', 'environments'],
+    inputSchema: objectSchema({
+      name: string('Rule name.'),
+      description: string('Optional rule description.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Condition array. Fields include abuseConfidenceScore, riskScore, alertName, alertTag, attackType, path, environment.' },
+      conditionLogic: string('AND or OR.'),
+      actions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Action array, for example [{ "type":"addToBlocklist", "config":{ "reason":"...", "ttlHours":24 }}].' },
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys when not applying to all applications.'),
+      environmentsAll: boolean('Apply to all environments.'),
+      environments: arrayOfStrings('Deployment environments when not applying to all environments.'),
+      ...confirmSchema,
+    }, ['name', 'conditions', 'actions', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_update',
+    title: 'Update Automation Rule',
+    description: 'Update a blocklist automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    bodyFields: ['name', 'description', 'conditions', 'conditionLogic', 'actions', 'status', 'applicationsAll', 'applicationKeys', 'environmentsAll', 'environments'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      name: string('Rule name.'),
+      description: string('Optional rule description.'),
+      status: string('active or disabled.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Condition array.' },
+      conditionLogic: string('AND or OR.'),
+      actions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Action array.' },
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys when not applying to all applications.'),
+      environmentsAll: boolean('Apply to all environments.'),
+      environments: arrayOfStrings('Deployment environments when not applying to all environments.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_dry_run',
+    title: 'Dry-Run Automation Rule',
+    description: 'Preview automation matches without writing blocklist entries.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'POST',
+    endpoint: '/automation-rules/:id/dry-run',
+    pathParams: ['id'],
+    bodyFields: ['limit', 'sampleLimit'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      limit: number('Maximum notifications to scan.', { minimum: 1, maximum: 2000 }),
+      sampleLimit: number('Maximum sample matches to return.', { minimum: 1, maximum: 50 }),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_automation_rule_execute',
+    title: 'Execute Automation Rule',
+    description: 'Execute an automation rule and add matching IPs to the blocklist. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    destructive: true,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules/:id/execute',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_delete',
+    title: 'Delete Automation Rule',
+    description: 'Delete an automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    destructive: true,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rules_list',
+    title: 'List Alert Rules',
+    description: 'List alert rules, including system rules and app scope.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_alert_rule_get',
+    title: 'Get Alert Rule',
+    description: 'Fetch one alert rule.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_rule_update',
+    title: 'Update Alert Rule',
+    description: 'Update alert rule scope/status/schedule/throttle or record a review action. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id',
+    pathParams: ['id'],
+    bodyFields: ['name', 'description', 'status', 'applicationsAll', 'applications', 'schedule', 'throttle', 'alertChannelIds', 'reviewAction', 'reviewNote', 'reviewNotificationId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      name: string('Rule name for custom rules.'),
+      description: string('Rule description for custom rules.'),
+      status: string('Active, Disabled, or Paused.'),
+      applicationsAll: boolean('Scope rule to all applications.'),
+      applications: arrayOfStrings('Application keys when applicationsAll is false.'),
+      schedule: { type: 'object', additionalProperties: true, description: 'Schedule patch.' },
+      throttle: { type: 'object', additionalProperties: true, description: 'Throttle patch.' },
+      alertChannelIds: arrayOfStrings('Alert channel ids.'),
+      reviewAction: string('Rule review action, e.g. keep_active or saved_new_version.'),
+      reviewNote: string('Review note.'),
+      reviewNotificationId: string('Notification id tied to this review.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_test',
+    title: 'Test Alert Rule',
+    description: 'Start a live or dry-run alert rule test.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/alert-rules/:id/test',
+    pathParams: ['id'],
+    bodyFields: ['applicationKey', 'mode'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      applicationKey: string('Application key to test.'),
+      mode: string('dry_run or live.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_test_result',
+    title: 'Get Alert Rule Test Result',
+    description: 'Poll alert rule test status and results.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id/test/:testId',
+    pathParams: ['id', 'testId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      testId: string('Alert rule test id.'),
+    }, ['id', 'testId']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusions_list',
+    title: 'List Alert Rule Exclusions',
+    description: 'List exclusions embedded on one alert rule.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id/exclusions',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusion_add',
+    title: 'Add Alert Rule Exclusion',
+    description: 'Add a restrictive exclusion to one alert rule. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/alert-rules/:id/exclusions',
+    pathParams: ['id'],
+    bodyFields: ['conditions', 'matchMode', 'reason', 'pathPattern', 'isActive'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Restrictive exclusion conditions.' },
+      matchMode: string('all or any.'),
+      reason: string('Exclusion reason.'),
+      pathPattern: string('Optional path pattern.'),
+      isActive: boolean('Whether the exclusion is active.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusion_remove',
+    title: 'Remove Alert Rule Exclusion',
+    description: 'Remove an alert rule exclusion. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/alert-rules/:id/exclusions/:exclusionId',
+    pathParams: ['id', 'exclusionId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      exclusionId: string('Exclusion id.'),
+      ...confirmSchema,
+    }, ['id', 'exclusionId', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_blocklist_list',
     title: 'List Blocklist',
@@ -575,8 +864,12 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/blocklist',
-    queryFields: ['page', 'limit'],
-    inputSchema: objectSchema({ ...pagingInput }),
+    queryFields: ['page', 'limit', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_blocklist_add',
@@ -587,12 +880,14 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/blocklist',
-    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata'],
+    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       reason: string('Reason for blocking.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       metadata: { type: 'object', additionalProperties: true, description: 'Optional metadata.' },
+      appKey: string('Optional application key to scope this block. Omit for all apps.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -629,8 +924,12 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/allowlist',
-    queryFields: ['page', 'limit'],
-    inputSchema: objectSchema({ ...pagingInput }),
+    queryFields: ['page', 'limit', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_allowlist_add',
@@ -641,7 +940,7 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/allowlist',
-    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys'],
+    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
@@ -649,6 +948,7 @@ const TOOLS = [
       expiresAt: string('Optional expiry time as ISO 8601.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this allowlist entry to.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -675,7 +975,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/trusted-ips',
-    inputSchema: objectSchema({}),
+    queryFields: ['appKey', 'environment'],
+    inputSchema: objectSchema({
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_trusted_add',
@@ -686,13 +990,14 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/trusted-ips',
-    bodyFields: ['ip', 'label', 'note', 'applicationsAll', 'applicationKeys'],
+    bodyFields: ['ip', 'label', 'note', 'applicationsAll', 'applicationKeys', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
       note: string('Optional note.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this trusted IP to.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -883,10 +1188,11 @@ function promptMessages(name, args = {}) {
             `Fetch page=${page}, limit=${limit} with securenow_human_actions_list, select row ${rowNumber}, then call securenow_notifications_get and securenow_human_action_report for that notificationId and IP.`,
             'Read the AI report, finalDecision, DAG steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
             'Open trace evidence with securenow_traces_show and correlated logs with securenow_logs_for_trace when trace IDs are available.',
-            'Return one of only two outcomes: Block IP or False Positive. If evidence is ambiguous, stop and explain what is missing.',
+            'Return one clear outcome: Block IP, False Positive, Rule Tuning Needed, or Ambiguous. If evidence is ambiguous, stop and explain what is missing.',
             confirmWrites
               ? 'The user requested execution. If evidence supports the decision, call securenow_human_action_block or securenow_human_action_false_positive with confirm:true and a precise reason.'
               : 'Do not execute write tools yet. Prepare the recommended decision and exact tool call the user can approve.',
+            'If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
             'False positives must be narrow: app + alert rule + path + method/status/user-agent/body evidence where possible. Never globally trust an IP by default.',
           ].join('\n'),
         },
@@ -906,12 +1212,12 @@ function promptMessages(name, args = {}) {
             'Work my SecureNow Requires Human queue like a senior security analyst using the MCP tools.',
             `Review up to ${limit} row(s), most urgent first.${args.search ? ` Search filter: ${args.search}.` : ''}`,
             'Start with securenow_human_actions_list. For each row, call securenow_notifications_get and securenow_human_action_report, inspect the AI report/DAG/proofs/trace IDs, and fetch trace/log evidence where useful.',
-            'For each row choose exactly one outcome: Block IP, False Positive, or Skip because evidence is insufficient. Explain skipped rows.',
+            'For each row choose exactly one outcome: Block IP, False Positive, Rule Tuning Needed, or Skip because evidence is insufficient. Explain skipped rows.',
             confirmWrites
               ? 'The user requested execution. For supported decisions, call the correct write tool with confirm:true and a precise reason, then continue.'
               : 'Do not execute write tools yet. Produce a row-by-row action plan and exact MCP write calls for user approval.',
-            'For block decisions, use securenow_human_action_block. For false positives, use securenow_human_action_false_positive with restrictive conditions. Avoid broad/global trust.',
-            'End with counts: handled, proposed block, proposed false positive, skipped, still waiting.',
+            'For block decisions, use securenow_human_action_block. For false positives, use securenow_human_action_false_positive with restrictive conditions. For case-level tune_rule/create_exclusion rows, inspect securenow_notifications_get and then use securenow_human_case_action_update only when the action is safe to approve/reject.',
+            'End with counts: handled, proposed block, proposed false positive, rule tuning needed, skipped, still waiting.',
           ].join('\n'),
         },
       },
@@ -991,6 +1297,12 @@ function buildApiRequest(tool, rawArgs = {}) {
   if (tool.reasonAsNote && !body.note && args.reason) {
     body.note = args.reason;
   }
+  if (tool.reasonInResult && args.reason) {
+    body.result = {
+      ...(body.result && typeof body.result === 'object' ? body.result : {}),
+      reason: args.reason,
+    };
+  }
 
   return {
     method: tool.method,