securenow 7.7.16 → 7.8.1

package/cli/diagnostics.js

@@ -22,8 +22,8 @@ function resolvedConfig(options = {}) {
     ? (noUuid ? baseName : `${baseName}-<uuid-per-worker>`)
     : '(auto-generated)';
   const apiKey = firewall.apiKey || '';
-  const firewallEnabled = !!apiKey && firewall.enabled;
-  const firewallLocalEnabled = firewall.enabled;
+  const firewallEnabled = !!apiKey;
+  const firewallLocalEnabled = true;
 
   return {
     serviceName,
@@ -359,7 +359,6 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
 function firewallStatusLabel(cfg) {
   if (cfg.firewallEnabled) return ui.c.green('enabled');
   if (!cfg.apiKey) return ui.c.dim('disabled (missing firewall API key)');
-  if (!cfg.firewallLocalEnabled) return ui.c.yellow('disabled (config.firewall.enabled=false)');
   return ui.c.dim('disabled');
 }
 
@@ -491,7 +490,7 @@ async function doctor(_args, flags) {
     warnings.push('OpenTelemetry diagnostic log level is `none`; provider registration/export errors are hidden. Set config.otel.logLevel to `error`/`warn`, or temporarily run with OTEL_LOG_LEVEL=debug.');
   }
   if (!cfg.appKey) {
-    warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
+    warnings.push('No app key resolved. Run `npx securenow app connect` or set app.key in .securenow/runtime.json.');
   }
   if (cfg.instance === 'https://ingest.securenow.ai') {
     warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
@@ -501,9 +500,9 @@ async function doctor(_args, flags) {
     warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
-    warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Admin CLI/MCP auth is connected, but runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
   } else if (!cfg.apiKey) {
-    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
   }
 
   const ok = checks.every((c) => c.ok);

package/cli/firewall.js

@@ -32,7 +32,9 @@ async function status(args, flags) {
     console.log(`  ${enabledLabel}`);
     console.log('');
     ui.keyValue([
-      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Blocked IPs', `${data.totalIps} total`],
+      ['Global blocked IPs', `${data.globalBlockIps ?? data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Scoped block rules', String(data.scopedBlockRuleCount ?? 0)],
       ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
@@ -77,6 +79,8 @@ async function testIp(args, flags) {
     const appKey = await resolveAppKey(flags);
     const query = { environment };
     if (appKey) query.appKey = appKey;
+    if (flags.path || flags.route) query.path = flags.path || flags.route;
+    if (flags.method) query.method = flags.method;
     const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query });
 
     s.stop(`IP ${ip} checked`);
@@ -99,10 +103,16 @@ async function testIp(args, flags) {
         console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
       } else {
         console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
-        if (data.matchedEntry && data.matchedEntry !== ip) {
-          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
-        }
-      }
+        if (data.matchedEntry && data.matchedEntry !== ip) {
+          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+        }
+        if (data.matchedRule) {
+          const scope = data.matchedRule.pathPattern
+            ? `${data.matchedRule.method || 'ALL'} ${data.matchedRule.pathMatchMode || 'prefix'}:${data.matchedRule.pathPattern}`
+            : data.matchedRule.method || 'ALL';
+          console.log(`  ${ui.c.dim(`Rule scope: ${scope}`)}`);
+        }
+      }
     } else {
       if (data.allowlisted) {
         console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is on the allowlist`);
@@ -111,7 +121,9 @@ async function testIp(args, flags) {
       }
     }
     console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} · Environment: ${data.environment || environment}`)}`);
-    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    if (data.path) console.log(`  ${ui.c.dim(`Request scope: ${data.method || 'GET'} ${data.path}`)}`);
+    if (data.scopedMatchRequiresPath) console.log(`  ${ui.c.dim('Scoped block rules exist; pass --path to test route-specific matches')}`);
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries (${data.scopedBlockRuleCount || 0} scoped)`)}`);
     if (data.allowlistActive) {
       console.log(`  ${ui.c.dim('Allowlist is active')}`);
     }
@@ -136,7 +148,7 @@ async function setEnabled(args, flags, enabled) {
   requireAuth();
   const appKey = await resolveAppKey(flags);
   if (!appKey) {
-    ui.error('No app selected. Pass --app <key> or run `securenow login` / `securenow apps default <key>`.');
+    ui.error('No app selected. Pass --app <key> or run `securenow app connect` / `securenow apps default <key>`.');
     process.exit(1);
   }
 

package/cli/init.js

@@ -81,7 +81,7 @@ async function init(_args, flags) {
 
   console.log('');
   ui.success('Setup complete.');
-  ui.info('Run `npx securenow login` if this project is not linked to an app yet.');
+  ui.info('Run `npx securenow app connect` if this project is not linked to an app yet.');
   ui.info('Then verify with `npx securenow test-span` and `npx securenow status`.');
 }
 
@@ -101,10 +101,10 @@ function initCredentials(flags) {
       process.exit(1);
     }
     config.setApiKey(explicitApiKey, { local: true });
-    ui.success('Stored firewall API key in .securenow/credentials.json');
+    ui.success('Stored firewall API key in .securenow/runtime.json');
   }
 
-  ui.success('Ensured .securenow/credentials.json has secure defaults and explanations');
+  ui.success('Ensured .securenow/runtime.json has secure defaults and explanations');
 }
 
 async function initNextJs(dir, project, flags) {
@@ -233,8 +233,8 @@ function printAgentPrompt(kind, filename, major, project) {
   ui.heading('Codex/Claude prompt');
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
-    'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
-    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
+    'Use .securenow/runtime.json for local SDK runtime configuration and .securenow/credentials.<env>.json for production runtime exports; do not add .env files.',
+    'Ignore only SecureNow secret files (.securenow/admin.json, .securenow/runtime.json, and .securenow/credentials*.json); keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/cli/security.js

@@ -441,7 +441,14 @@ async function alertHistoryList(args, flags) {
 
 // ── Blocklist ──
 
-async function blocklistList(args, flags) {
+function describeBlockTarget(entry) {
+  const parts = [entry.ip || entry.cidr || '-'];
+  if (entry.method && entry.method !== 'ALL') parts.push(entry.method);
+  if (entry.pathPattern) parts.push(`${entry.pathMatchMode || 'prefix'}:${entry.pathPattern}`);
+  return parts.join(' ');
+}
+
+async function blocklistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist');
   try {
@@ -465,7 +472,7 @@ async function blocklistList(args, flags) {
     console.log('');
     const rows = items.map(b => [
       ui.c.dim(ui.truncate(b._id, 12)),
-      ui.c.red(b.ip || b.cidr || '—'),
+      ui.c.red(describeBlockTarget(b)),
       ui.truncate(b.reason || '', 40),
       b.source || '—',
       b.status || 'active',
@@ -475,7 +482,7 @@ async function blocklistList(args, flags) {
       b.unblockedAt ? ui.timeAgo(b.unblockedAt) : ui.c.dim('—'),
       b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
     ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
+    ui.table(['ID', 'Target', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -496,11 +503,16 @@ async function blocklistAdd(args, flags) {
   if (flags.duration) body.duration = flags.duration;
   if (flags.app) body.appKey = flags.app;
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Blocking ${ip}`);
-  try {
-    await api.post('/blocklist', body);
-    s.stop(`${ip} added to blocklist`);
+  if (flags.route || flags.path || flags.pattern) body.pathPattern = flags.route || flags.path || flags.pattern;
+  if (flags.mode || flags['path-mode']) body.pathMatchMode = flags.mode || flags['path-mode'];
+  if (flags.method) body.method = flags.method;
+
+  const target = describeBlockTarget({ ip, method: body.method, pathPattern: body.pathPattern, pathMatchMode: body.pathMatchMode });
+  const s = ui.spinner(`Blocking ${target}`);
+  try {
+    const data = await api.post('/blocklist', body);
+    s.stop(`${target} added to blocklist`);
+    if (flags.json) ui.json(data);
   } catch (err) {
     s.fail('Failed to add to blocklist');
     throw err;
@@ -611,9 +623,17 @@ async function allowlistAdd(args, flags) {
     body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
   }
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Allowing ${ip}`);
-  try {
+
+  if (!flags.force && !flags.yes) {
+    ui.warn('IP Allowlist is deny-by-default: once active, only listed IPs can reach the scoped app/environment and all others are blocked.');
+    ui.info('Use `securenow trusted add` instead if this IP should be trusted without locking out normal visitors.');
+    const ok = await ui.confirm('Add this IP to the restrictive allowlist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  body.allowlistDenyAllApproved = true;
+
+  const s = ui.spinner(`Allowing ${ip}`);
+  try {
     await api.post('/allowlist', body);
     s.stop(`${ip} added to allowlist`);
   } catch (err) {

package/cli.js

@@ -40,12 +40,12 @@ function parseArgs(argv) {
 
 const COMMANDS = {
   init: {
-    desc: 'Set up SecureNow in the current project (instrumentation + .securenow credentials)',
+    desc: 'Set up SecureNow in the current project (instrumentation + runtime credentials)',
     usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
     flags: {
-      env: 'Deployment environment to write into .securenow/credentials.json (default: local)',
+      env: 'Deployment environment to write into .securenow/runtime.json (default: local)',
       environment: 'Alias for --env',
-      key: 'Firewall API key to write to .securenow/credentials.json',
+      key: 'Firewall API key to write to .securenow/runtime.json',
       'api-key': 'Alias for --key',
       typescript: 'Force TypeScript',
       javascript: 'Force JavaScript',
@@ -55,28 +55,63 @@ const COMMANDS = {
     },
     run: (a, f) => require('./cli/init').init(a, f),
   },
-  login: {
-    desc: 'Authenticate with SecureNow (saves to project .securenow/ by default)',
-    usage: 'securenow login [--token <TOKEN>] [--global]',
+  login: {
+    desc: 'Onboard SecureNow admin auth and app runtime config',
+    usage: 'securenow login [--token <TOKEN>] [--global]',
     flags: {
       token: 'Authenticate with a token directly',
       global: 'Save credentials to ~/.securenow/ (shared across all projects)',
-    },
-    run: (a, f) => require('./cli/auth').login(a, f),
-  },
-  logout: {
-    desc: 'Clear stored credentials',
-    usage: 'securenow logout [--global]',
-    flags: { global: 'Clear global credentials (~/.securenow/) instead of project-local' },
-    run: (a, f) => require('./cli/auth').logout(a, f),
-  },
-  whoami: {
-    desc: 'Show current session info',
+    },
+    run: (a, f) => require('./cli/auth').login(a, f),
+  },
+  admin: {
+    desc: 'Manage admin/control-plane CLI and MCP auth',
+    usage: 'securenow admin <subcommand> [options]',
+    sub: {
+      login: {
+        desc: 'Authenticate admin/control-plane CLI and MCP tools',
+        usage: 'securenow admin login [--token <TOKEN>] [--global]',
+        flags: {
+          token: 'Authenticate with a token directly',
+          global: 'Save admin auth to ~/.securenow/admin.json',
+        },
+        run: (a, f) => require('./cli/auth').adminLogin(a, f),
+      },
+      logout: {
+        desc: 'Clear admin/control-plane auth',
+        usage: 'securenow admin logout [--global]',
+        flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+        run: (a, f) => require('./cli/auth').logout(a, f),
+      },
+    },
+    defaultSub: 'login',
+  },
+  app: {
+    desc: 'Connect the current project runtime to a SecureNow app',
+    usage: 'securenow app <subcommand> [options]',
+    sub: {
+      connect: {
+        desc: 'Select/create app, mint firewall key, and write SDK runtime config',
+        usage: 'securenow app connect [--global]',
+        flags: { global: 'Save runtime config to ~/.securenow/runtime.json' },
+        run: (a, f) => require('./cli/auth').appConnect(a, f),
+      },
+    },
+    defaultSub: 'connect',
+  },
+  logout: {
+    desc: 'Clear admin/control-plane auth',
+    usage: 'securenow logout [--global]',
+    flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
+  },
+  whoami: {
+    desc: 'Show admin auth and SDK runtime status',
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
   },
   'api-key': {
-    desc: 'Manage the firewall API key stored in .securenow/credentials.json',
+    desc: 'Manage the firewall API key stored in runtime credentials',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
       create: {
@@ -90,7 +125,7 @@ const COMMANDS = {
         run: (a, f) => require('./cli/apiKey').create(a, f),
       },
       set: {
-        desc: 'Save an API key (snk_live_...) to the credentials file',
+        desc: 'Save an API key (snk_live_...) to runtime credentials',
         usage: 'securenow api-key set <snk_live_...> [--global]',
         flags: { global: 'Save to ~/.securenow/ instead of project-local' },
         run: (a, f) => require('./cli/apiKey').set(a, f),
@@ -273,7 +308,7 @@ const COMMANDS = {
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--path /admin/users] [--method GET] [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',
   },
@@ -379,10 +414,10 @@ const COMMANDS = {
   blocklist: {
     desc: 'Manage IP blocklist',
     usage: 'securenow blocklist <subcommand> [options]',
-    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', json: 'Output as JSON' },
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', route: 'Route pattern such as /admin*', path: 'Alias for --route', pattern: 'Alias for --route', mode: 'Route match mode: prefix, exact, or regex', 'path-mode': 'Alias for --mode', method: 'HTTP method, or ALL', duration: 'Expiry, e.g. 24h or 7d', json: 'Output as JSON' },
     sub: {
       list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--app <key>] [--env production] [--duration 24h] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },

package/firewall-only.js

@@ -17,10 +17,9 @@ try { require('dotenv').config({ quiet: true }); } catch (_) {}
 const appConfig = require('./app-config');
 const firewallOptions = appConfig.resolveFirewallOptions();
 
-// config.firewall.enabled=false disables the local SDK firewall.
-// In all other cases the toggle lives in the dashboard; default ON when an
-// API key is present.
-if (firewallOptions.apiKey && firewallOptions.enabled) {
+// Runtime enable/disable is controlled by the dashboard/API toggle. If a
+// firewall key is present, start sync so the remote toggle can be applied.
+if (firewallOptions.apiKey) {
   require('./firewall').init({
     apiKey: firewallOptions.apiKey,
     appKey: firewallOptions.appKey,

package/firewall.js

@@ -17,6 +17,7 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
+let _blocklistRules = [];
 let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 let _eventQueue = [];
@@ -37,8 +38,8 @@ let _lastAllowlistModified = null;
 let _lastAllowlistVersion = null;
 let _lastAllowlistSyncEtag = null;
 
-// Rate-limit policy state is synced in Phase 1 for forward compatibility.
-// Enforcement is intentionally added in the next SDK phase.
+// Route/method-scoped policy state. Global IP/CIDR blocks stay in _matcher so
+// TCP, OS firewall, and Cloud WAF layers never over-enforce an HTTP-only rule.
 let _rateLimitRules = [];
 let _lastRateLimitVersion = null;
 let _rateLimitBuckets = new Map();
@@ -322,9 +323,44 @@ function reportFirewallEvent(event) {
   if (_eventQueue.length >= EVENT_BATCH_SIZE) flushFirewallEvents();
   else scheduleEventFlush();
 }
-
+
+function normalizePrefixPattern(pattern) {
+  const value = String(pattern || '');
+  return value.endsWith('*') ? value.slice(0, -1) : value;
+}
+
+function normalizeBlocklistRules(rules) {
+  if (!Array.isArray(rules)) return [];
+  return rules
+    .map((rule) => {
+      if (!rule || !rule.ip) return null;
+      const pathMatchMode = ['exact', 'prefix', 'regex'].includes(String(rule.pathMatchMode || '').toLowerCase())
+        ? String(rule.pathMatchMode).toLowerCase()
+        : 'prefix';
+      return {
+        ...rule,
+        ip: String(rule.ip || '').trim(),
+        method: String(rule.method || 'ALL').toUpperCase(),
+        pathPattern: pathMatchMode === 'prefix'
+          ? normalizePrefixPattern(rule.pathPattern)
+          : String(rule.pathPattern || '').trim(),
+        pathMatchMode,
+      };
+    })
+    .filter(Boolean);
+}
+
+function setBlocklistData(ips, rules) {
+  const normalizedIps = Array.isArray(ips) ? ips : [];
+  _rawIps = normalizedIps;
+  _blocklistRules = normalizeBlocklistRules(rules);
+  _matcher = createMatcher(normalizedIps);
+  _stats.syncs++;
+  notifyLayers(normalizedIps);
+}
+
 // Unified Sync (v2 - single request for everything)
-
+
 function doUnifiedSync(callback) {
   const query = new URLSearchParams();
   if (_options.appKey) query.set('app', _options.appKey);
@@ -389,13 +425,10 @@ function doUnifiedSync(callback) {
         }
       }
 
-      if (body.blocklistIps) {
-        _rawIps = body.blocklistIps;
-        _matcher = createMatcher(body.blocklistIps);
-        _stats.syncs++;
-        notifyLayers(body.blocklistIps);
-        blChanged = true;
-      }
+      if (body.blocklistIps || body.blocklistRules) {
+        setBlocklistData(body.blocklistIps || [], body.blocklistRules || []);
+        blChanged = true;
+      }
 
       // Update allowlist version + data
       if (body.allowlist) {
@@ -445,16 +478,13 @@ function legacyBlocklistSync(callback) {
     if (res.statusCode === 429) { handleRetryAfter(res); }
     if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
 
-    try {
-      const body = JSON.parse(data);
-      const ips = body.ips || [];
-      _rawIps = ips;
-      _matcher = createMatcher(ips);
-      _lastModified = res.headers['last-modified'] || null;
-      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
-      _stats.syncs++;
-      notifyLayers(ips);
-      callback(null, true, _matcher.stats());
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      setBlocklistData(ips, body.rules || body.blocklistRules || []);
+      _lastModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
+      callback(null, true, _matcher.stats());
     } catch (e) {
       callback(new Error(`Failed to parse blocklist: ${e.message}`));
     }
@@ -612,16 +642,17 @@ function pollOnce(callback) {
     _consecutiveErrors = 0;
     resetCircuit();
     if (result) {
-      if (result.blChanged && _options.log && _matcher) {
-        const s = _matcher.stats();
-        fwLog('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
+      if (result.blChanged && _options.log && _matcher) {
+        const s = _matcher.stats();
+        fwLog('[securenow] Firewall: re-synced %d global blocked IPs (%d exact + %d CIDR ranges) and %d scoped block rules',
+          s.total, s.exact, s.cidr, _blocklistRules.length);
+      }
       if (result.alChanged && _options.log && _allowlistMatcher) {
         const s = _allowlistMatcher.stats();
         fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
       if (result.rlChanged && _options.log) {
-        fwLog('[securenow] Firewall: re-synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+        fwLog('[securenow] Firewall: re-synced %d rate-limit rules', _rateLimitRules.length);
       }
     }
     callback(null);
@@ -701,17 +732,18 @@ function startSyncLoop() {
         return;
       }
 
-      _initialized = true;
-      if (_options.log && _matcher) {
-        const s = _matcher.stats();
-        fwLog('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
+      _initialized = true;
+      if (_options.log && _matcher) {
+        const s = _matcher.stats();
+        fwLog('[securenow] Firewall: synced %d global blocked IPs (%d exact + %d CIDR ranges) and %d scoped block rules',
+          s.total, s.exact, s.cidr, _blocklistRules.length);
+      }
       if (_options.log && _allowlistMatcher) {
         const s = _allowlistMatcher.stats();
         if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
       if (_options.log && _rateLimitRules.length > 0) {
-        fwLog('[securenow] Firewall: synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+        fwLog('[securenow] Firewall: synced %d rate-limit rules', _rateLimitRules.length);
       }
     });
   }
@@ -859,7 +891,7 @@ function rulePathMatches(rule, path) {
   if (mode === 'regex') {
     try { return new RegExp(pattern).test(path); } catch (_) { return false; }
   }
-  return path.startsWith(pattern);
+  return path.startsWith(normalizePrefixPattern(pattern));
 }
 
 function rateLimitKey(rule, ip) {
@@ -868,6 +900,28 @@ function rateLimitKey(rule, ip) {
   return `${id}|${subject}`;
 }
 
+function checkBlocklistRules(req, ip) {
+  if (!_blocklistRules || _blocklistRules.length === 0) return null;
+  const method = String(req.method || 'GET').toUpperCase();
+  const path = requestPath(req);
+
+  for (const rule of _blocklistRules) {
+    if (!rule) continue;
+    const ruleMethod = String(rule.method || 'ALL').toUpperCase();
+    if (ruleMethod !== 'ALL' && ruleMethod !== method) continue;
+    if (!ruleIpMatches(rule, ip)) continue;
+    if (!rulePathMatches(rule, path)) continue;
+    return {
+      rule,
+      ruleId: rule.id || rule._id || '',
+      matchedEntry: rule.ip || ip,
+      path,
+    };
+  }
+
+  return null;
+}
+
 function checkRateLimitRules(req, ip) {
   if (!_rateLimitRules || _rateLimitRules.length === 0) return null;
   const method = String(req.method || 'GET').toUpperCase();
@@ -963,6 +1017,24 @@ function firewallRequestHandler(req, res) {
     return true;
   }
 
+  const blockRuleDecision = checkBlocklistRules(req, ip);
+  if (blockRuleDecision) {
+    _stats.blocked++;
+    if (_options && _options.log) {
+      fwLog('[securenow] Firewall: blocked %s via HTTP (rule=%s)', ip, blockRuleDecision.ruleId || 'scoped');
+    }
+    reportFirewallEvent({
+      source: 'blocklist',
+      ip,
+      matchedEntry: blockRuleDecision.matchedEntry || ip,
+      method: req.method || '',
+      path: blockRuleDecision.path || req.url || '',
+      userAgent: req.headers['user-agent'] || '',
+    });
+    sendBlockResponse(req, res, ip);
+    return true;
+  }
+
   const rateLimitDecision = checkRateLimitRules(req, ip);
   if (rateLimitDecision) {
     _stats.rateLimited++;
@@ -1094,6 +1166,7 @@ function shutdown() {
   _pollInflight = false;
   _retryAfterUntil = 0;
   _localhostFallbackTried = false;
+  _blocklistRules = [];
   _rateLimitRules = [];
   _rateLimitBuckets = new Map();
   _remainingApiUrlFallbacks = [];
@@ -1119,8 +1192,9 @@ function shutdown() {
 
 function getStats() {
   return {
-    ..._stats,
+    ..._stats,
     matcher: _matcher ? _matcher.stats() : null,
+    blocklistRules: _blocklistRules.length,
     allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
     rateLimitRules: _rateLimitRules.length,
     rateLimitBuckets: _rateLimitBuckets.size,
@@ -1139,7 +1213,8 @@ function getStats() {
 // as "no IPs to block" without us mutating the cached matcher.
 function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
 function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function getBlocklistRules() { return _remoteEnabled === false ? [] : _blocklistRules.slice(); }
 function getRateLimitRules() { return _remoteEnabled === false ? [] : _rateLimitRules.slice(); }
 function isRemoteEnabled() { return _remoteEnabled !== false; }
 
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getRateLimitRules, isRemoteEnabled };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getBlocklistRules, getRateLimitRules, isRemoteEnabled };