securenow 7.7.16 → 8.0.0

package/cli/credentials.js

@@ -14,7 +14,7 @@ function maskSecret(value) {
 }
 
 function buildRuntimeCredentials(options = {}) {
-  const creds = config.loadCredentials() || {};
+  const creds = config.loadRuntimeCredentials() || {};
   const deploymentEnvironment =
     options.environment ||
     options.env ||
@@ -67,10 +67,10 @@ async function runtime(_args, flags) {
   const warn = flags.stdout ? (msg) => console.error(`! ${msg}`) : ui.warn;
 
   if (!creds.app || !creds.app.key) {
-    warn('No app key found. Run `npx securenow login` first so telemetry routes to the selected app.');
+    warn('No app key found. Run `npx securenow app connect` first so telemetry routes to the selected app.');
   }
   if (!creds.apiKey) {
-    warn('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` before generating production runtime credentials.');
+    warn('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` before generating production runtime credentials.');
   }
 
   if (flags.stdout) {
@@ -87,7 +87,7 @@ async function runtime(_args, flags) {
   ui.info('Credential filename lookup is fixed-order and does not depend on NODE_ENV.');
   ui.info(`Environment: ${envName}`);
   ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
-  ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);
+  ui.info(`Runtime API key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);
   ui.info('OAuth token/email were not included.');
 }
 

package/cli/diagnostics.js

@@ -22,8 +22,8 @@ function resolvedConfig(options = {}) {
     ? (noUuid ? baseName : `${baseName}-<uuid-per-worker>`)
     : '(auto-generated)';
   const apiKey = firewall.apiKey || '';
-  const firewallEnabled = !!apiKey && firewall.enabled;
-  const firewallLocalEnabled = firewall.enabled;
+  const firewallEnabled = !!apiKey;
+  const firewallLocalEnabled = true;
 
   return {
     serviceName,
@@ -359,7 +359,6 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
 function firewallStatusLabel(cfg) {
   if (cfg.firewallEnabled) return ui.c.green('enabled');
   if (!cfg.apiKey) return ui.c.dim('disabled (missing firewall API key)');
-  if (!cfg.firewallLocalEnabled) return ui.c.yellow('disabled (config.firewall.enabled=false)');
   return ui.c.dim('disabled');
 }
 
@@ -491,7 +490,7 @@ async function doctor(_args, flags) {
     warnings.push('OpenTelemetry diagnostic log level is `none`; provider registration/export errors are hidden. Set config.otel.logLevel to `error`/`warn`, or temporarily run with OTEL_LOG_LEVEL=debug.');
   }
   if (!cfg.appKey) {
-    warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
+    warnings.push('No app key resolved. Run `npx securenow app connect` or set app.key in .securenow/runtime.json.');
   }
   if (cfg.instance === 'https://ingest.securenow.ai') {
     warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
@@ -501,9 +500,9 @@ async function doctor(_args, flags) {
     warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
-    warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Admin CLI/MCP auth is connected, but the runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
   } else if (!cfg.apiKey) {
-    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
   }
 
   const ok = checks.every((c) => c.ok);

package/cli/firewall.js

@@ -32,7 +32,9 @@ async function status(args, flags) {
     console.log(`  ${enabledLabel}`);
     console.log('');
     ui.keyValue([
-      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Blocked IPs', `${data.totalIps} total`],
+      ['Global blocked IPs', `${data.globalBlockIps ?? data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Scoped block rules', String(data.scopedBlockRuleCount ?? 0)],
       ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
@@ -77,6 +79,8 @@ async function testIp(args, flags) {
     const appKey = await resolveAppKey(flags);
     const query = { environment };
     if (appKey) query.appKey = appKey;
+    if (flags.path || flags.route) query.path = flags.path || flags.route;
+    if (flags.method) query.method = flags.method;
     const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query });
 
     s.stop(`IP ${ip} checked`);
@@ -99,10 +103,16 @@ async function testIp(args, flags) {
         console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
       } else {
         console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
-        if (data.matchedEntry && data.matchedEntry !== ip) {
-          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
-        }
-      }
+        if (data.matchedEntry && data.matchedEntry !== ip) {
+          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+        }
+        if (data.matchedRule) {
+          const scope = data.matchedRule.pathPattern
+            ? `${data.matchedRule.method || 'ALL'} ${data.matchedRule.pathMatchMode || 'prefix'}:${data.matchedRule.pathPattern}`
+            : data.matchedRule.method || 'ALL';
+          console.log(`  ${ui.c.dim(`Rule scope: ${scope}`)}`);
+        }
+      }
     } else {
       if (data.allowlisted) {
         console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is on the allowlist`);
@@ -111,7 +121,9 @@ async function testIp(args, flags) {
       }
     }
     console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} · Environment: ${data.environment || environment}`)}`);
-    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    if (data.path) console.log(`  ${ui.c.dim(`Request scope: ${data.method || 'GET'} ${data.path}`)}`);
+    if (data.scopedMatchRequiresPath) console.log(`  ${ui.c.dim('Scoped block rules exist; pass --path to test route-specific matches')}`);
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries (${data.scopedBlockRuleCount || 0} scoped)`)}`);
     if (data.allowlistActive) {
       console.log(`  ${ui.c.dim('Allowlist is active')}`);
     }
@@ -136,7 +148,7 @@ async function setEnabled(args, flags, enabled) {
   requireAuth();
   const appKey = await resolveAppKey(flags);
   if (!appKey) {
-    ui.error('No app selected. Pass --app <key> or run `securenow login` / `securenow apps default <key>`.');
+    ui.error('No app selected. Pass --app <key> or run `securenow app connect` / `securenow apps default <key>`.');
     process.exit(1);
   }
 

package/cli/human.js

@@ -533,18 +533,23 @@ function mcpPromptText(ref, flags = {}) {
       : '2. For each task, call securenow_notifications_get and securenow_human_action_report for the notificationId and IP.',
     '3. Read the AI report, finalDecision, investigation steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
     '4. Open/inspect trace evidence with securenow_traces_show and securenow_logs_for_trace when trace IDs are available.',
-    '5. Decide one outcome: block the IP, mark a scoped false positive, recommend alert-rule tuning, or skip if evidence is ambiguous.',
-    '6. For block decisions, call securenow_human_action_block with confirm:true, a precise reason, and a decisionReport with summary/evidence/reviewedHistory/traceIds.',
-    '7. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, a precise reason, and a decisionReport.',
-    '8. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
-    '9. For skipped/ambiguous/rule-tuning-needed rows that should be auditable without changing status, call securenow_human_action_decision_report_add or securenow_human_case_decision_report_add with the missing proof.',
-    '10. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
-    '11. Summarize each row handled, skipped, rule tuning needed, and still waiting. Do not globally trust an IP by default.',
+    '5. Decide one outcome: block the IP, rate limit, mark a scoped false positive, apply/prepare alert-rule tuning, create/prepare a new rule, approve/reject a case action, or mark ambiguous/skipped with exact missing proof.',
+    '6. Finished does not always mean enforcement changed. If no write is safe, record or prepare a structured no-write decision report with the exact proof gap, missing permission, or vague guard.',
+    '7. For mixed evidence, split the decision by IP/cluster. Block only proven malicious IPs, false-positive only exact benign shapes, rate-limit only route-specific volume abuse, and leave ambiguous members with missing proof.',
+    '8. If the right fix is global/system rule tuning and MCP returns access denied, do not create customer-specific false positives. Prepare the exact attack-preserving guard/SQL, dry-run it if possible, and record outcome=rule_tuning with missingProof naming the missing permission.',
+    '9. Reject vague AI proposed actions. If "shared benign shape" or similar lacks concrete rule id, path, method, status, user-agent/body/header guard, benign samples, and attack examples that still match, do not execute it.',
+    '10. For block decisions, call securenow_human_action_block with confirm:true, a precise reason, and a decisionReport with summary/evidence/reviewedHistory/traceIds.',
+    '11. For rate-limit decisions, call securenow_rate_limit_create_from_text with confirm:true, then add securenow_human_action_decision_report_add with outcome=rate_limited.',
+    '12. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, a precise reason, and a decisionReport.',
+    '13. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
+    '14. For skipped/ambiguous/rule-tuning-needed/new-rule-needed rows that should be auditable without changing enforcement status, call securenow_human_action_decision_report_add or securenow_human_case_decision_report_add with the missing proof.',
+    '15. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
+    '16. Summarize handled count, writes executed, verification result, rule tuning/admin permission blockers, partial resolutions, skipped proof gaps, and still waiting. Do not globally trust an IP by default.',
     '',
     'Safety:',
     '- Do not call write tools without confirm:true and a reason.',
     '- Do not use broad false-positive scopes if the evidence only supports one alert rule/path/method/status/user-agent/body pattern.',
-    '- Prefer no action over a weak action.',
+    '- Prefer an auditable no-write decision report over a weak substitute action.',
   ].join('\n');
 }
 

package/cli/init.js

@@ -81,7 +81,7 @@ async function init(_args, flags) {
 
   console.log('');
   ui.success('Setup complete.');
-  ui.info('Run `npx securenow login` if this project is not linked to an app yet.');
+  ui.info('Run `npx securenow app connect` if this project is not linked to an app yet.');
   ui.info('Then verify with `npx securenow test-span` and `npx securenow status`.');
 }
 
@@ -101,10 +101,10 @@ function initCredentials(flags) {
       process.exit(1);
     }
     config.setApiKey(explicitApiKey, { local: true });
-    ui.success('Stored firewall API key in .securenow/credentials.json');
+    ui.success('Stored firewall API key in .securenow/runtime.json');
   }
 
-  ui.success('Ensured .securenow/credentials.json has secure defaults and explanations');
+  ui.success('Ensured .securenow/runtime.json has secure defaults and explanations');
 }
 
 async function initNextJs(dir, project, flags) {
@@ -233,8 +233,8 @@ function printAgentPrompt(kind, filename, major, project) {
   ui.heading('Codex/Claude prompt');
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
-    'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
-    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
+    'Use .securenow/runtime.json for local SDK runtime configuration and .securenow/credentials.<env>.json for production runtime exports; do not add .env files.',
+    'Ignore only SecureNow secret files (.securenow/admin.json, .securenow/runtime.json, and .securenow/credentials*.json); keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/cli/run.js

@@ -152,11 +152,7 @@ function run(rawArgs) {
 
   const nodeExe = process.execPath;
 
-  if (process.env.SECURENOW_DEBUG) {
-    console.log(`[securenow] ${ui.c.dim('exec:')} ${nodeExe} ${finalArgs.join(' ')}`);
-  }
-
-  const child = spawn(nodeExe, finalArgs, {
+  const child = spawn(nodeExe, finalArgs, {
     stdio: 'inherit',
     env: process.env,
     cwd: process.cwd(),

package/cli/security.js

@@ -441,7 +441,14 @@ async function alertHistoryList(args, flags) {
 
 // ── Blocklist ──
 
-async function blocklistList(args, flags) {
+function describeBlockTarget(entry) {
+  const parts = [entry.ip || entry.cidr || '-'];
+  if (entry.method && entry.method !== 'ALL') parts.push(entry.method);
+  if (entry.pathPattern) parts.push(`${entry.pathMatchMode || 'prefix'}:${entry.pathPattern}`);
+  return parts.join(' ');
+}
+
+async function blocklistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist');
   try {
@@ -465,7 +472,7 @@ async function blocklistList(args, flags) {
     console.log('');
     const rows = items.map(b => [
       ui.c.dim(ui.truncate(b._id, 12)),
-      ui.c.red(b.ip || b.cidr || '—'),
+      ui.c.red(describeBlockTarget(b)),
       ui.truncate(b.reason || '', 40),
       b.source || '—',
       b.status || 'active',
@@ -475,7 +482,7 @@ async function blocklistList(args, flags) {
       b.unblockedAt ? ui.timeAgo(b.unblockedAt) : ui.c.dim('—'),
       b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
     ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
+    ui.table(['ID', 'Target', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -496,11 +503,16 @@ async function blocklistAdd(args, flags) {
   if (flags.duration) body.duration = flags.duration;
   if (flags.app) body.appKey = flags.app;
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Blocking ${ip}`);
-  try {
-    await api.post('/blocklist', body);
-    s.stop(`${ip} added to blocklist`);
+  if (flags.route || flags.path || flags.pattern) body.pathPattern = flags.route || flags.path || flags.pattern;
+  if (flags.mode || flags['path-mode']) body.pathMatchMode = flags.mode || flags['path-mode'];
+  if (flags.method) body.method = flags.method;
+
+  const target = describeBlockTarget({ ip, method: body.method, pathPattern: body.pathPattern, pathMatchMode: body.pathMatchMode });
+  const s = ui.spinner(`Blocking ${target}`);
+  try {
+    const data = await api.post('/blocklist', body);
+    s.stop(`${target} added to blocklist`);
+    if (flags.json) ui.json(data);
   } catch (err) {
     s.fail('Failed to add to blocklist');
     throw err;
@@ -611,9 +623,17 @@ async function allowlistAdd(args, flags) {
     body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
   }
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Allowing ${ip}`);
-  try {
+
+  if (!flags.force && !flags.yes) {
+    ui.warn('IP Allowlist is deny-by-default: once active, only listed IPs can reach the scoped app/environment and all others are blocked.');
+    ui.info('Use `securenow trusted add` instead if this IP should be trusted without locking out normal visitors.');
+    const ok = await ui.confirm('Add this IP to the restrictive allowlist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  body.allowlistDenyAllApproved = true;
+
+  const s = ui.spinner(`Allowing ${ip}`);
+  try {
     await api.post('/allowlist', body);
     s.stop(`${ip} added to allowlist`);
   } catch (err) {

package/cli/utils.js

@@ -39,9 +39,8 @@ function redact(args, flags) {
   const extra = flags.fields
     ? String(flags.fields).split(',').map((s) => s.trim()).filter(Boolean)
     : [];
-  const envExtra = (appConfig.env('SECURENOW_SENSITIVE_FIELDS') || '')
-    .split(',').map((s) => s.trim()).filter(Boolean);
-  const fields = [...DEFAULT_SENSITIVE_FIELDS, ...envExtra, ...extra];
+  const configExtra = appConfig.listConfig('capture.sensitiveFields');
+  const fields = [...DEFAULT_SENSITIVE_FIELDS, ...configExtra, ...extra];
 
   const result = redactSensitiveData(parsed, fields);
 

package/cli.js

@@ -40,12 +40,12 @@ function parseArgs(argv) {
 
 const COMMANDS = {
   init: {
-    desc: 'Set up SecureNow in the current project (instrumentation + .securenow credentials)',
+    desc: 'Set up SecureNow in the current project (instrumentation + runtime credentials)',
     usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
     flags: {
-      env: 'Deployment environment to write into .securenow/credentials.json (default: local)',
+      env: 'Deployment environment to write into .securenow/runtime.json (default: local)',
       environment: 'Alias for --env',
-      key: 'Firewall API key to write to .securenow/credentials.json',
+      key: 'Firewall API key to write to .securenow/runtime.json',
       'api-key': 'Alias for --key',
       typescript: 'Force TypeScript',
       javascript: 'Force JavaScript',
@@ -55,42 +55,78 @@ const COMMANDS = {
     },
     run: (a, f) => require('./cli/init').init(a, f),
   },
-  login: {
-    desc: 'Authenticate with SecureNow (saves to project .securenow/ by default)',
-    usage: 'securenow login [--token <TOKEN>] [--global]',
+  login: {
+    desc: 'Onboard SecureNow admin auth and app runtime config',
+    usage: 'securenow login [--token <TOKEN>] [--global]',
     flags: {
       token: 'Authenticate with a token directly',
       global: 'Save credentials to ~/.securenow/ (shared across all projects)',
-    },
-    run: (a, f) => require('./cli/auth').login(a, f),
-  },
-  logout: {
-    desc: 'Clear stored credentials',
-    usage: 'securenow logout [--global]',
-    flags: { global: 'Clear global credentials (~/.securenow/) instead of project-local' },
-    run: (a, f) => require('./cli/auth').logout(a, f),
-  },
-  whoami: {
-    desc: 'Show current session info',
+    },
+    run: (a, f) => require('./cli/auth').login(a, f),
+  },
+  admin: {
+    desc: 'Manage admin/control-plane CLI and MCP auth',
+    usage: 'securenow admin <subcommand> [options]',
+    sub: {
+      login: {
+        desc: 'Authenticate admin/control-plane CLI and MCP tools',
+        usage: 'securenow admin login [--token <TOKEN>] [--global]',
+        flags: {
+          token: 'Authenticate with a token directly',
+          global: 'Save admin auth to ~/.securenow/admin.json',
+        },
+        run: (a, f) => require('./cli/auth').adminLogin(a, f),
+      },
+      logout: {
+        desc: 'Clear admin/control-plane auth',
+        usage: 'securenow admin logout [--global]',
+        flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+        run: (a, f) => require('./cli/auth').logout(a, f),
+      },
+    },
+    defaultSub: 'login',
+  },
+  app: {
+    desc: 'Connect the current project runtime to a SecureNow app',
+    usage: 'securenow app <subcommand> [options]',
+    sub: {
+      connect: {
+        desc: 'Select/create app, mint runtime API key, and write SDK runtime config',
+        usage: 'securenow app connect [--global]',
+        flags: { global: 'Save runtime config to ~/.securenow/runtime.json' },
+        run: (a, f) => require('./cli/auth').appConnect(a, f),
+      },
+    },
+    defaultSub: 'connect',
+  },
+  logout: {
+    desc: 'Clear admin/control-plane auth',
+    usage: 'securenow logout [--global]',
+    flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
+  },
+  whoami: {
+    desc: 'Show admin auth and SDK runtime status',
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
-  },
+  },
   'api-key': {
-    desc: 'Manage the firewall API key stored in .securenow/credentials.json',
+    desc: 'Manage the runtime API key stored in runtime credentials',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
       create: {
-        desc: 'Create a firewall API key with your session token and save it',
-        usage: 'securenow api-key create [name] [--name <name>] [--preset firewall] [--global]',
+        desc: 'Create a runtime API key with your session token and save it',
+        usage: 'securenow api-key create [name] [--name <name>] [--preset runtime_app] [--app <appKey>] [--global]',
         flags: {
           name: 'Human-readable key name',
-          preset: 'API key preset to create (default: firewall)',
+          preset: 'API key preset to create (default: runtime_app)',
+          app: 'Application key/id to scope this key to',
           global: 'Save to ~/.securenow/ instead of project-local',
         },
         run: (a, f) => require('./cli/apiKey').create(a, f),
       },
       set: {
-        desc: 'Save an API key (snk_live_...) to the credentials file',
+        desc: 'Save an API key (snk_live_...) to runtime credentials',
         usage: 'securenow api-key set <snk_live_...> [--global]',
         flags: { global: 'Save to ~/.securenow/ instead of project-local' },
         run: (a, f) => require('./cli/apiKey').set(a, f),
@@ -273,7 +309,7 @@ const COMMANDS = {
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--path /admin/users] [--method GET] [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',
   },
@@ -379,10 +415,10 @@ const COMMANDS = {
   blocklist: {
     desc: 'Manage IP blocklist',
     usage: 'securenow blocklist <subcommand> [options]',
-    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', json: 'Output as JSON' },
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', route: 'Route pattern such as /admin*', path: 'Alias for --route', pattern: 'Alias for --route', mode: 'Route match mode: prefix, exact, or regex', 'path-mode': 'Alias for --mode', method: 'HTTP method, or ALL', duration: 'Expiry, e.g. 24h or 7d', json: 'Output as JSON' },
     sub: {
       list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--app <key>] [--env production] [--duration 24h] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
@@ -736,12 +772,9 @@ async function main() {
   }
 }
 
-main().catch((err) => {
-  if (err.name !== 'CLIError') {
-    ui.error(err.message || 'An unexpected error occurred');
-  }
-  if (process.env.SECURENOW_DEBUG) {
-    console.error(err.stack || err);
-  }
-  process.exit(1);
-});
+main().catch((err) => {
+  if (err.name !== 'CLIError') {
+    ui.error(err.message || 'An unexpected error occurred');
+  }
+  process.exit(1);
+});

package/console-instrumentation.js

@@ -24,7 +24,7 @@
 const tracing = require('./tracing');
 
 if (!tracing.isLoggingEnabled()) {
-  console.warn('[securenow] Console instrumentation loaded but logging is disabled (SECURENOW_LOGGING_ENABLED=0).');
+  console.warn('[securenow] Console instrumentation loaded but logging is disabled (config.logging.enabled=false).');
 }
 
 // Get a logger instance

package/firewall-only.js

@@ -7,20 +7,16 @@
  *   node -r securenow/firewall-only app.js
  *   NODE_OPTIONS='-r securenow/firewall-only' next start
  *
- * Reads .securenow/credentials.json first, with legacy env vars supported only
- * as fallbacks. Initialises the HTTP-level firewall when a snk_live_ API key
- * is resolvable.
- */
-
-try { require('dotenv').config({ quiet: true }); } catch (_) {}
-
+ * Reads SecureNow runtime credentials from .securenow/*.json. Initialises the
+ * HTTP-level firewall when a snk_live_ API key is resolvable.
+ */
+
 const appConfig = require('./app-config');
 const firewallOptions = appConfig.resolveFirewallOptions();
 
-// config.firewall.enabled=false disables the local SDK firewall.
-// In all other cases the toggle lives in the dashboard; default ON when an
-// API key is present.
-if (firewallOptions.apiKey && firewallOptions.enabled) {
+// Runtime enable/disable is controlled by the dashboard/API toggle. If a
+// firewall key is present, start sync so the remote toggle can be applied.
+if (firewallOptions.apiKey) {
   require('./firewall').init({
     apiKey: firewallOptions.apiKey,
     appKey: firewallOptions.appKey,