securenow 7.7.16 → 8.0.0

package/mcp/catalog.js

@@ -10,14 +10,15 @@ const MARKDOWN = 'text/markdown';
 const UNIVERSAL_SECURENOW_SETUP_PROMPT = `You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
 
 Primary goals:
-- Use the latest published SecureNow npm package. Require securenow@7.5.1 or newer.
+- Use the latest published SecureNow npm package. Require securenow@7.8.0 or newer for split admin/runtime credentials.
 - By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
 - If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
-- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
+- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow AI IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
+- Do not confuse IP Allowlist with Trusted IPs. IP Allowlist is restrictive deny-by-default: when any allowlist entry exists for an app/environment, only listed IPs can reach it and all other IPs are blocked. Use Trusted IPs for known-safe monitors, office/VPN traffic, or false-positive suppression. Only use allowlist after explicit human approval to lock the app/environment to known IPs.
 
 Safety rules:
-- Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
-- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
+- Do not print full API keys, JWTs, tokens, or local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, or .securenow/credentials.*.json). Mask secrets.
+- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, .securenow/credentials.json, and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -31,37 +32,39 @@ Runbook:
 2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
    node -p "require('./node_modules/securenow/package.json').version"
    npx securenow version
-   Stop and fix the install if either is below 7.5.1 or npx still resolves an older local package.
+   Stop and fix the install if either is below 7.8.0 or npx still resolves an older local package.
 3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
-4. Mandatory auth gate:
-   - Run npx securenow whoami from the project root.
-   - If not logged in, run npx securenow login from the project root and wait for the browser flow.
-   - After the CLI exits, rerun npx securenow whoami.
-   - Do not proceed to app edits or verification until whoami succeeds.
+4. Mandatory auth/runtime gate:
+   - Run npx securenow whoami from the project root.
+   - If admin auth is missing, run npx securenow admin login from the project root and wait for the browser flow.
+   - If runtime app config is missing, run npx securenow app connect from the project root and wait for the browser flow.
+   - After the CLI exits, rerun npx securenow whoami.
+   - Do not proceed to app edits or verification until whoami shows the required lane(s). SDK setup needs runtime app config; admin/global MCP operations need admin auth.
 5. Validate project-local credentials without exposing secrets:
-   - Confirm .securenow/credentials.json exists.
-   - Confirm it has SecureNow's default config/explanations block.
-   - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
-   - Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
-6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
+   - Confirm .securenow/runtime.json exists for SDK runtime setup, or legacy .securenow/credentials.json exists for old installs.
+   - Confirm the runtime file has SecureNow's default config/explanations block.
+   - Confirm the runtime file has an app key/name/instance and a firewall API key after app selection.
+   - Confirm .securenow/admin.json exists only when admin CLI/MCP auth is needed.
+   - Confirm .securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
+6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.8.0, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.
    - Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
    - Express/Fastify/NestJS/Koa/Hapi/Hono/raw Node: preload securenow/register through existing scripts, NODE_OPTIONS, PM2 node_args, Docker CMD, or the process manager already used.
    - Firewall-only: preload securenow/firewall-only or use the documented securenow run --firewall-only command. Do not add OTel/tracing/logging in this mode.
    - Vite/browser-only: use only documented browser integration and state that server firewall protection requires a server runtime.
-8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/credentials.json:
+8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/runtime.json, with legacy .securenow/credentials.json and generated runtime credential files still supported:
    - config.logging.enabled: true
    - config.capture.body: true
    - config.capture.multipart: true
    - config.firewall.enabled: true
    - config.firewall.failMode: "open"
    - config.capture.maxBodySize: 10240
-   For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
+   For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json or <app-root>/.securenow/credentials.production.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
    Local credentials should use config.runtime.deploymentEnvironment="local". Production runtime credentials should use "production". The app key stays the same; traces, logs, firewall status, forensics, and CLI/MCP queries are scoped by environment.
 9. Verify firewall and threshold:
    - Run npx securenow firewall apps and npx securenow firewall status.
-   - Confirm the selected app is present, firewallEnabled is true, and the SecureNow IPDB confidence threshold is visible.
+   - Confirm the selected app is present, firewallEnabled is true, and the SecureNow AI IPDB confidence threshold is visible.
    - If firewallEnabled is false, run the documented per-app enable command, for example npx securenow firewall enable --app <appKey>, then verify again.
 10. End-to-end proof:
    - Run npx securenow doctor.
@@ -186,7 +189,7 @@ const TOOLS = [
   {
     name: 'securenow_auth_status',
     title: 'SecureNow Auth Status',
-    description: 'Show local SecureNow credential source, selected app, and masked firewall key.',
+    description: 'Show local SecureNow credential source, selected app, and masked runtime API key.',
     scope: null,
     localOnly: true,
     readOnly: true,
@@ -235,7 +238,7 @@ const TOOLS = [
   {
     name: 'securenow_firewall_apps',
     title: 'List Firewall Apps',
-    description: 'List applications with firewall toggle and SecureNow IPDB threshold state.',
+    description: 'List applications with firewall toggle and SecureNow AI IPDB threshold state.',
     scope: 'applications:read',
     readOnly: true,
     method: 'GET',
@@ -295,8 +298,8 @@ const TOOLS = [
   },
   {
     name: 'securenow_firewall_set_threshold',
-    title: 'Set SecureNow IPDB Threshold',
-    description: 'Set the per-app SecureNow IPDB confidence threshold. Write action; requires confirmation.',
+    title: 'Set SecureNow AI IPDB Threshold',
+    description: 'Set the per-app SecureNow AI IPDB confidence threshold. Write action; requires confirmation.',
     scope: 'applications:write',
     readOnly: false,
     confirm: true,
@@ -306,7 +309,7 @@ const TOOLS = [
     bodyFields: ['confidenceMinimum', 'environment'],
     inputSchema: objectSchema({
       appKey: string('Application key UUID.'),
-      confidenceMinimum: number('Minimum SecureNow IPDB confidence score.', { minimum: 0, maximum: 100 }),
+      confidenceMinimum: number('Minimum SecureNow AI IPDB confidence score.', { minimum: 0, maximum: 100 }),
       ...environmentInput,
       ...confirmSchema,
     }, ['appKey', 'confidenceMinimum', 'confirm', 'reason']),
@@ -472,6 +475,190 @@ const TOOLS = [
       search: string('Optional search over IP, rule, path, or verdict.'),
     }),
   },
+  {
+    name: 'securenow_human_actions_grouped_list',
+    title: 'List Grouped Human Actions',
+    description: 'List Requires Human work as root-cause groups with batch-safety preview instead of one row per IP/action.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/approval-task-groups',
+    queryFields: ['limit', 'page', 'search'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      search: string('Optional search over IP, rule, path, action, or verdict.'),
+    }),
+  },
+  {
+    name: 'securenow_alert_review_runs_list',
+    title: 'List Alert Review Root Causes',
+    description: 'List pending alert-review runs as root-cause groups with batch-action preview, rather than row-by-row noisy alert triage.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/alert-review-runs',
+    queryFields: ['limit', 'page', 'search', 'rootCauseKey', 'groupKey', 'includeRuns', 'maxScan'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      search: string('Optional search over rule, route, IP, evidence, or proposed guard.'),
+      rootCauseKey: string('Optional root-cause group key to filter to one group.'),
+      groupKey: string('Compatibility alias for rootCauseKey.'),
+      includeRuns: boolean('Whether to include compact matching run rows in the response.'),
+      maxScan: number('Maximum pending-review rows to scan before grouping. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+    }),
+  },
+  {
+    name: 'securenow_alert_review_runs_count',
+    title: 'Count Alert Review Runs',
+    description: 'Count pending alert-review rows and the root-cause groups they collapse into.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/alert-review-runs/count',
+    queryFields: ['search', 'maxScan'],
+    inputSchema: objectSchema({
+      search: string('Optional search over rule, route, IP, evidence, or proposed guard.'),
+      maxScan: number('Maximum pending-review rows to scan before grouping. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+    }),
+  },
+  {
+    name: 'securenow_alert_review_run_get',
+    title: 'Get Alert Review Run',
+    description: 'Fetch one pending-review alert run with its root-cause key, evidence-quality score, and similar open siblings.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/alert-review-runs/:id',
+    pathParams: ['id'],
+    queryFields: ['maxScan'],
+    inputSchema: objectSchema({
+      id: string('Notification id for the alert review run.'),
+      maxScan: number('Maximum pending-review rows to scan for similar siblings. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_review_run_resolve',
+    title: 'Resolve Alert Review Run',
+    description: 'Close one pending alert-review row with an auditable no-write decision report.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/alert-review-runs/:id/resolve',
+    pathParams: ['id'],
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['confirm', 'reason', 'decisionReport', 'decisionSummary', 'outcome', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      id: string('Notification id for the alert review run.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_review_run_dismiss',
+    title: 'Dismiss Alert Review Run',
+    description: 'Dismiss one pending alert-review row with an audit report and no enforcement write.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/alert-review-runs/:id/dismiss',
+    pathParams: ['id'],
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['confirm', 'reason', 'decisionReport', 'decisionSummary', 'outcome', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      id: string('Notification id for the alert review run.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_review_run_keep_alive',
+    title: 'Keep Alert Rule Active',
+    description: 'Mark the noisy/paused alert rule as reviewed, keep it active, and close the pending alert-review row with an audit report.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/alert-review-runs/:id/keep-alive',
+    pathParams: ['id'],
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['confirm', 'reason', 'reviewNote', 'decisionReport', 'decisionSummary', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      id: string('Notification id for the alert review run.'),
+      reviewNote: string('Optional rule-review note. Defaults to reason.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_review_run_apply_group_decision',
+    title: 'Apply Alert Review Group Decision',
+    description: 'Apply one verified no-write decision report to every currently matching alert-review row in a root-cause group, leaving non-matching rows open.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/alert-review-runs/apply-group-decision',
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['confirm', 'reason', 'rootCauseKey', 'groupKey', 'prototypeRunId', 'notificationIds', 'status', 'outcome', 'allowMixed', 'previewOnly', 'maxRows', 'maxScan', 'search', 'decisionReport', 'decisionSummary', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      rootCauseKey: string('Root-cause group key from securenow_alert_review_runs_list.'),
+      groupKey: string('Compatibility alias for rootCauseKey.'),
+      prototypeRunId: string('Optional notification id whose root-cause key should be used.'),
+      notificationIds: arrayOfStrings('Optional subset of eligible notification ids to close. Leave empty to apply to every eligible row in the group.'),
+      status: string('Resolution status: resolved or dismissed. Defaults to resolved.'),
+      allowMixed: boolean('Allow a mixed decision/attribution group only after every row was manually reviewed. Defaults to false.'),
+      previewOnly: boolean('When true, returns the eligible rows without writing.'),
+      maxRows: number('Maximum rows to close in this batch. Defaults to 100, capped at 250.', { minimum: 1, maximum: 250 }),
+      maxScan: number('Maximum pending-review rows to scan before grouping. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+      search: string('Optional search filter applied before grouping.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_review_apply_group_decision',
+    title: 'Apply Alert Review Group Decision',
+    description: 'Compatibility alias for securenow_alert_review_run_apply_group_decision.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/alert-review-runs/apply-group-decision',
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['confirm', 'reason', 'rootCauseKey', 'groupKey', 'prototypeRunId', 'notificationIds', 'status', 'outcome', 'allowMixed', 'previewOnly', 'maxRows', 'maxScan', 'search', 'decisionReport', 'decisionSummary', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      rootCauseKey: string('Root-cause group key from securenow_alert_review_runs_list.'),
+      groupKey: string('Compatibility alias for rootCauseKey.'),
+      prototypeRunId: string('Optional notification id whose root-cause key should be used.'),
+      notificationIds: arrayOfStrings('Optional subset of eligible notification ids to close. Leave empty to apply to every eligible row in the group.'),
+      status: string('Resolution status: resolved or dismissed. Defaults to resolved.'),
+      allowMixed: boolean('Allow a mixed decision/attribution group only after every row was manually reviewed. Defaults to false.'),
+      previewOnly: boolean('When true, returns the eligible rows without writing.'),
+      maxRows: number('Maximum rows to close in this batch. Defaults to 100, capped at 250.', { minimum: 1, maximum: 250 }),
+      maxScan: number('Maximum pending-review rows to scan before grouping. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+      search: string('Optional search filter applied before grouping.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_review_group_similar',
+    title: 'List Similar Alert Review Runs',
+    description: 'Fetch the current rows in one alert-review root-cause group for preview before a batch decision.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/alert-review-runs',
+    queryFields: ['rootCauseKey', 'groupKey', 'includeRuns', 'maxScan'],
+    fixedQuery: { includeRuns: true },
+    inputSchema: objectSchema({
+      rootCauseKey: string('Root-cause group key from securenow_alert_review_runs_list.'),
+      groupKey: string('Compatibility alias for rootCauseKey.'),
+      maxScan: number('Maximum pending-review rows to scan before grouping. Defaults to 500, capped at 1000.', { minimum: 1, maximum: 1000 }),
+    }),
+  },
   {
     name: 'securenow_human_action_report',
     title: 'Get Human Action Report',
@@ -529,6 +716,25 @@ const TOOLS = [
       ...confirmSchema,
     }, ['notificationId', 'ip', 'confirm', 'reason']),
   },
+  {
+    name: 'securenow_human_action_close_no_write',
+    title: 'Close Human Action Without Enforcement',
+    description: 'Close one Requires Human IP row with an auditable no-write decision report. Use for ambiguous, skipped, rule-tuning-needed, new-rule-needed, rate-limited, or already-handled rows.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/notifications/:notificationId/ips/:ip/close-no-write',
+    pathParams: ['notificationId', 'ip'],
+    fixedBody: { reportSource: 'mcp' },
+    bodyFields: ['reason', 'decisionReport', 'decisionSummary', 'outcome', 'evidence', 'reviewedHistory', 'traceIds', 'paths', 'methods', 'statusCodes', 'userAgents', 'missingProof', 'recommendations'],
+    inputSchema: objectSchema({
+      notificationId: string('Notification id from the human action row.'),
+      ip: string('IP address for the row to close.'),
+      ...decisionReportInput,
+      ...confirmSchema,
+    }, ['notificationId', 'ip', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_human_action_false_positive',
     title: 'Mark Human Action False Positive',
@@ -802,6 +1008,69 @@ const TOOLS = [
       ...confirmSchema,
     }, ['id', 'confirm', 'reason']),
   },
+  {
+    name: 'securenow_rate_limit_list',
+    title: 'List Rate Limits',
+    description: 'List rate-limit remediation rules with app/environment scope.',
+    scope: 'rate_limits:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/rate-limits',
+    queryFields: ['status', 'search', 'page', 'limit', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      status: string('Rule status: active, disabled, removed, or all. Defaults to active.'),
+      search: string('Optional IP/path/name search.'),
+      ...pagingInput,
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
+  },
+  {
+    name: 'securenow_rate_limit_get',
+    title: 'Get Rate Limit',
+    description: 'Fetch one rate-limit remediation rule.',
+    scope: 'rate_limits:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/rate-limits/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Rate-limit rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_rate_limit_test',
+    title: 'Test Rate Limit Match',
+    description: 'Check whether an IP/path/method would match an active rate-limit rule.',
+    scope: 'rate_limits:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/rate-limits/check',
+    queryFields: ['ip', 'path', 'method', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address to test.'),
+      path: string('Request path to test. Defaults to /.'),
+      method: string('HTTP method to test. Defaults to GET.'),
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }, ['ip']),
+  },
+  {
+    name: 'securenow_rate_limit_remove',
+    title: 'Remove Rate Limit',
+    description: 'Remove a rate-limit remediation rule. Write action; requires confirmation.',
+    scope: 'rate_limits:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/rate-limits/:id',
+    pathParams: ['id'],
+    bodyFields: ['reason'],
+    inputSchema: objectSchema({
+      id: string('Rate-limit rule id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_rate_limit_parse',
     title: 'Parse Rate Limit Text',
@@ -905,6 +1174,256 @@ const TOOLS = [
       ...confirmSchema,
     }, ['id', 'sqlQuery', 'confirm', 'reason']),
   },
+  {
+    name: 'securenow_alert_rule_instant_update',
+    title: 'Update Instant Alert Rule',
+    description: 'Patch instant rule conditions/config with version/hash guards and before/after seeded tests. System rules require applyGlobally:true and admin permission. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id/instant',
+    pathParams: ['id'],
+    bodyFields: [
+      'operations',
+      'conditions',
+      'enabled',
+      'source',
+      'matchMode',
+      'executionMode',
+      'severity',
+      'throttle',
+      'expectedRuleVersion',
+      'expectedCurrentInstantHash',
+      'expectedCurrentRuleHash',
+      'applyGlobally',
+      'dryRun',
+      'reactivatePausedCopies',
+      'fixtures',
+      'reviewNotificationId',
+      'reviewNote',
+      'reason',
+    ],
+    fixedBody: { auditSource: 'mcp' },
+    inputSchema: objectSchema({
+      id: string('Alert rule id. Fetch with securenow_alert_rule_get first to get ruleVersion and instantHash.'),
+      operations: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Condition patch operations: add_condition, remove_condition, update_condition. Use zero-based index/conditionIndex for remove/update.',
+      },
+      conditions: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional full replacement instant conditions array. Use operations for smaller patches.',
+      },
+      enabled: boolean('Whether instant detection is enabled.'),
+      source: string('Instant event source. Currently trace.'),
+      matchMode: string('Condition match mode: all or any.'),
+      executionMode: string('Rule execution mode: instant or hybrid when instant detection is enabled.'),
+      severity: string('Optional severity override: critical, high, medium, or low.'),
+      throttle: { type: 'object', additionalProperties: true, description: 'Throttle patch, for example { enabled:true, minutes:15 }.' },
+      expectedRuleVersion: number('Required current reviewState.reviewVersion from securenow_alert_rule_get.', { minimum: 1 }),
+      expectedCurrentInstantHash: string('Required SHA-256 hash of the current instant config from securenow_alert_rule_get.'),
+      expectedCurrentRuleHash: string('Optional SHA-256 hash of the current instant/throttle/severity surface from securenow_alert_rule_get.'),
+      applyGlobally: boolean('Required true for system rules. Updates every customer copy of the system rule.'),
+      dryRun: boolean('When true, validates and runs before/after seeded tests without saving.'),
+      reactivatePausedCopies: boolean('Whether to reactivate paused noisy copies after the instant rule is tuned.'),
+      fixtures: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional seeded fixtures. Each may include kind attack/benign, label, path, method, requestBody, requestHeaders, and expectMatch.',
+      },
+      reviewNotificationId: string('Optional notification id tied to this review/tuning action.'),
+      reviewNote: string('Optional review note. Defaults to reason.'),
+      ...confirmSchema,
+    }, ['id', 'expectedRuleVersion', 'expectedCurrentInstantHash', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_conditions_get',
+    title: 'Get Alert Rule Conditions',
+    description: 'Fetch instant rule conditions with rule version and hash guards for safe condition-level tuning.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id/conditions',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_rule_condition_update',
+    title: 'Update Alert Rule Condition',
+    description: 'Patch instant alert-rule conditions with version/hash guards and seeded before/after tests. Compatibility alias for condition-level tuning.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id/instant',
+    pathParams: ['id'],
+    bodyFields: [
+      'confirm',
+      'operations',
+      'conditions',
+      'enabled',
+      'source',
+      'matchMode',
+      'executionMode',
+      'expectedRuleVersion',
+      'expectedCurrentInstantHash',
+      'expectedCurrentRuleHash',
+      'applyGlobally',
+      'reactivatePausedCopies',
+      'fixtures',
+      'reviewNotificationId',
+      'reviewNote',
+      'reason',
+    ],
+    fixedBody: { auditSource: 'mcp' },
+    inputSchema: objectSchema({
+      id: string('Alert rule id. Fetch with securenow_alert_rule_conditions_get first to get ruleVersion and instantHash.'),
+      operations: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Condition patch operations: add_condition, remove_condition, update_condition. Use zero-based index/conditionIndex for remove/update.',
+      },
+      conditions: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional full replacement instant conditions array. Use operations for smaller patches.',
+      },
+      enabled: boolean('Whether instant detection is enabled.'),
+      source: string('Instant event source. Currently trace.'),
+      matchMode: string('Condition match mode: all or any.'),
+      executionMode: string('Rule execution mode: instant or hybrid when instant detection is enabled.'),
+      expectedRuleVersion: number('Required current reviewState.reviewVersion from securenow_alert_rule_conditions_get.', { minimum: 1 }),
+      expectedCurrentInstantHash: string('Required SHA-256 hash of the current instant config from securenow_alert_rule_conditions_get.'),
+      expectedCurrentRuleHash: string('Optional SHA-256 hash of the current instant/throttle/severity surface from securenow_alert_rule_conditions_get.'),
+      applyGlobally: boolean('Required true for system rules. Updates every customer copy of the system rule.'),
+      reactivatePausedCopies: boolean('Whether to reactivate paused noisy copies after the condition is tuned.'),
+      fixtures: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional seeded fixtures. Each may include kind attack/benign, label, path, method, requestBody, requestHeaders, and expectMatch.',
+      },
+      reviewNotificationId: string('Optional notification id tied to this review/tuning action.'),
+      reviewNote: string('Optional review note. Defaults to reason.'),
+      ...confirmSchema,
+    }, ['id', 'expectedRuleVersion', 'expectedCurrentInstantHash', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_condition_candidate_test',
+    title: 'Test Alert Rule Condition Candidate',
+    description: 'Dry-run a condition-level instant-rule patch without saving it, including seeded benign/attack fixture checks.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id/instant',
+    pathParams: ['id'],
+    bodyFields: [
+      'confirm',
+      'operations',
+      'conditions',
+      'enabled',
+      'source',
+      'matchMode',
+      'executionMode',
+      'expectedRuleVersion',
+      'expectedCurrentInstantHash',
+      'expectedCurrentRuleHash',
+      'applyGlobally',
+      'fixtures',
+      'reviewNotificationId',
+      'reviewNote',
+      'reason',
+    ],
+    fixedBody: { auditSource: 'mcp', dryRun: true },
+    inputSchema: objectSchema({
+      id: string('Alert rule id. Fetch with securenow_alert_rule_conditions_get first to get ruleVersion and instantHash.'),
+      operations: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Candidate condition operations to test.',
+      },
+      conditions: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional full replacement instant conditions array to test.',
+      },
+      enabled: boolean('Whether instant detection would be enabled.'),
+      source: string('Instant event source. Currently trace.'),
+      matchMode: string('Condition match mode: all or any.'),
+      executionMode: string('Rule execution mode: instant or hybrid when instant detection is enabled.'),
+      expectedRuleVersion: number('Required current reviewState.reviewVersion from securenow_alert_rule_conditions_get.', { minimum: 1 }),
+      expectedCurrentInstantHash: string('Required SHA-256 hash of the current instant config from securenow_alert_rule_conditions_get.'),
+      expectedCurrentRuleHash: string('Optional SHA-256 hash of the current instant/throttle/severity surface from securenow_alert_rule_conditions_get.'),
+      applyGlobally: boolean('Required true for system rules, even for admin dry-runs.'),
+      fixtures: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional seeded fixtures. Each may include kind attack/benign, label, path, method, requestBody, requestHeaders, and expectMatch.',
+      },
+      reviewNotificationId: string('Optional notification id tied to this review/tuning action.'),
+      reviewNote: string('Optional review note. Defaults to reason.'),
+      ...confirmSchema,
+    }, ['id', 'expectedRuleVersion', 'expectedCurrentInstantHash', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_condition_diff',
+    title: 'Diff Alert Rule Condition Candidate',
+    description: 'Return the current instant conditions, candidate conditions, hashes, and before/after fixture behavior without saving.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id/instant',
+    pathParams: ['id'],
+    bodyFields: [
+      'confirm',
+      'operations',
+      'conditions',
+      'enabled',
+      'source',
+      'matchMode',
+      'executionMode',
+      'expectedRuleVersion',
+      'expectedCurrentInstantHash',
+      'expectedCurrentRuleHash',
+      'applyGlobally',
+      'fixtures',
+      'reason',
+    ],
+    fixedBody: { auditSource: 'mcp', dryRun: true },
+    inputSchema: objectSchema({
+      id: string('Alert rule id. Fetch with securenow_alert_rule_conditions_get first to get ruleVersion and instantHash.'),
+      operations: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Candidate condition operations to diff.',
+      },
+      conditions: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional full replacement instant conditions array to diff.',
+      },
+      enabled: boolean('Whether instant detection would be enabled.'),
+      source: string('Instant event source. Currently trace.'),
+      matchMode: string('Condition match mode: all or any.'),
+      executionMode: string('Rule execution mode: instant or hybrid when instant detection is enabled.'),
+      expectedRuleVersion: number('Required current reviewState.reviewVersion from securenow_alert_rule_conditions_get.', { minimum: 1 }),
+      expectedCurrentInstantHash: string('Required SHA-256 hash of the current instant config from securenow_alert_rule_conditions_get.'),
+      expectedCurrentRuleHash: string('Optional SHA-256 hash of the current instant/throttle/severity surface from securenow_alert_rule_conditions_get.'),
+      applyGlobally: boolean('Required true for system rules, even for admin dry-runs.'),
+      fixtures: {
+        type: 'array',
+        items: { type: 'object', additionalProperties: true },
+        description: 'Optional seeded fixtures used to explain benign removals and attack coverage.',
+      },
+      ...confirmSchema,
+    }, ['id', 'expectedRuleVersion', 'expectedCurrentInstantHash', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_alert_rule_test',
     title: 'Test Alert Rule',
@@ -1108,19 +1627,22 @@ const TOOLS = [
   {
     name: 'securenow_blocklist_add',
     title: 'Add Blocked IP',
-    description: 'Add an IP/CIDR to the blocklist. Write action; requires confirmation.',
+    description: 'Add an IP/CIDR to the blocklist, optionally scoped to a route/method. Write action; requires confirmation.',
     scope: 'blocklist:write',
     readOnly: false,
     confirm: true,
     method: 'POST',
     endpoint: '/blocklist',
-    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment'],
+    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment', 'pathPattern', 'pathMatchMode', 'method'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       reason: string('Reason for blocking.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       metadata: { type: 'object', additionalProperties: true, description: 'Optional metadata.' },
       appKey: string('Optional application key to scope this block. Omit for all apps.'),
+      pathPattern: string('Optional route/path pattern, for example /admin*. Omit to block all routes.'),
+      pathMatchMode: { type: 'string', enum: ['exact', 'prefix', 'regex'], description: 'Path matching mode. Defaults to prefix.' },
+      method: { type: 'string', enum: ['ALL', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], description: 'HTTP method scope. Defaults to ALL.' },
       ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
@@ -1169,8 +1691,8 @@ const TOOLS = [
   },
   {
     name: 'securenow_allowlist_list',
-    title: 'List Allowlist',
-    description: 'List allowed IPs.',
+    title: 'List Restrictive Allowlist',
+    description: 'List restrictive allowlist entries. If any active entry exists for an app/environment, only listed IPs can reach it and all other IPs are blocked. This is not the Trusted IP list.',
     scope: 'allowlist:read',
     readOnly: true,
     method: 'GET',
@@ -1184,24 +1706,26 @@ const TOOLS = [
   },
   {
     name: 'securenow_allowlist_add',
-    title: 'Add Allowed IP',
-    description: 'Add an IP/CIDR to the allowlist. Write action; requires confirmation.',
+    title: 'Add Restrictive Allowlist IP',
+    description: 'Dangerous production action: add an IP/CIDR to the restrictive allowlist. Once active, allowlist mode blocks every IP except listed entries. Do not use this to mark an IP trusted or suppress false positives; use securenow_trusted_add instead. Requires explicit human approval confirming deny-all behavior.',
     scope: 'allowlist:write',
     readOnly: false,
     confirm: true,
     method: 'POST',
     endpoint: '/allowlist',
-    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment'],
+    fixedBody: { initiatedBy: 'mcp' },
+    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment', 'allowlistDenyAllApproved'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
-      reason: string('Reason for allowing.'),
+      reason: string('Required human-approved reason. Must acknowledge that allowlist blocks all non-listed IPs and why Trusted IPs is not the correct action.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this allowlist entry to.'),
+      allowlistDenyAllApproved: boolean('Must be true only after the user explicitly approves deny-by-default allowlist behavior. Do not set this for trusted IPs, monitors, false positives, or investigation cleanup.'),
       ...environmentInput,
       ...confirmSchema,
-    }, ['ip', 'confirm', 'reason']),
+    }, ['ip', 'confirm', 'reason', 'allowlistDenyAllApproved']),
   },
   {
     name: 'securenow_allowlist_remove',
@@ -1221,7 +1745,7 @@ const TOOLS = [
   {
     name: 'securenow_trusted_list',
     title: 'List Trusted IPs',
-    description: 'List trusted IPs.',
+    description: 'List trusted IPs. Trusted IPs are for known-safe traffic and do not turn on deny-by-default allowlist mode.',
     scope: 'trusted_ips:read',
     readOnly: true,
     method: 'GET',
@@ -1235,7 +1759,7 @@ const TOOLS = [
   {
     name: 'securenow_trusted_add',
     title: 'Add Trusted IP',
-    description: 'Add a trusted IP/CIDR. Write action; requires confirmation.',
+    description: 'Add a trusted IP/CIDR for known-safe infrastructure, monitors, office/VPN traffic, or scoped false-positive suppression. This does not enable deny-by-default allowlist mode and is the correct tool when an IP should be trusted without blocking other visitors. Write action; requires confirmation.',
     scope: 'trusted_ips:write',
     readOnly: false,
     confirm: true,
@@ -1347,7 +1871,7 @@ const PROMPTS = [
   {
     name: 'investigate_human_action_row',
     title: 'Investigate Human Action Row',
-    description: 'Use MCP tools to deeply review one Requires Human row and either block the IP or mark a scoped false positive.',
+    description: 'Use MCP tools to deeply review one Requires Human row and reach a safe audited outcome.',
     arguments: [
       { name: 'rowNumber', description: '1-based row number from the Requires Human queue.', required: true },
       { name: 'page', description: 'Queue page number. Defaults to 1.', required: false },
@@ -1417,7 +1941,7 @@ function promptMessages(name, args = {}) {
             'Verify SecureNow default-on protection for this project.',
             args.appKey ? `App key: ${args.appKey}` : null,
             'Check npx securenow whoami, npx securenow api-key show, npx securenow firewall apps, and npx securenow firewall status.',
-            'Confirm traces, logs, capture.body, capture.multipart, and firewall.enabled are enabled by .securenow/credentials.json defaults unless explicitly set false.',
+            'Confirm traces, logs, capture.body, capture.multipart, and firewall.enabled are enabled by .securenow/runtime.json defaults unless explicitly set false. Legacy .securenow/credentials.json is still accepted.',
             'Do not print full tokens or API keys.',
           ].filter(Boolean).join('\n'),
         },
@@ -1436,7 +1960,7 @@ function promptMessages(name, args = {}) {
             args.appKeys ? `Scope to app keys: ${args.appKeys}` : null,
             `Environment scope: ${args.environment || 'production'}.`,
             'Use IP intelligence first, then related traces/logs, then recommend remediation.',
-            'Only block, allow, or trust the IP after explicit user confirmation.',
+            'Only block or trust the IP after explicit user confirmation. Never use IP Allowlist for false positives or trusted traffic; allowlist is deny-by-default and blocks all non-listed IPs.',
           ].filter(Boolean).join('\n'),
         },
       },
@@ -1458,11 +1982,16 @@ function promptMessages(name, args = {}) {
             `Fetch page=${page}, limit=${limit} with securenow_human_actions_list, select row ${rowNumber}, then call securenow_notifications_get and securenow_human_action_report for that notificationId and IP.`,
             'Read the AI report, finalDecision, investigation steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
             'Open trace evidence with securenow_traces_show and correlated logs with securenow_logs_for_trace when trace IDs are available.',
-            'Return one clear outcome: Block IP, Rate Limit, False Positive, Rule Tuning Needed, or Ambiguous. If evidence is ambiguous, stop and explain what is missing.',
+            'Return one clear outcome: Block IP, Rate Limit, False Positive, Rule Tuning Applied/Needed, New Alert Rule Needed, Case Action Approved/Rejected, or Ambiguous/Skipped with exact missing proof.',
+            'A row can be finished without an enforcement write when no write is safe. In that case record or prepare a structured no-write decision report explaining the missing proof, missing permission, or vague guard.',
+            'If evidence is mixed, split the decision by IP/cluster. Block only proven malicious IPs, false-positive only exact benign shapes, rate-limit only route-specific volume abuse, and leave ambiguous members with missing proof.',
+            'If the right fix is global/system rule tuning and the MCP tool returns access denied, do not create customer-specific false positives. Prepare the exact attack-preserving guard/SQL, dry-run it if possible, and record outcome=rule_tuning with missingProof naming the missing permission.',
+            'If an AI proposed action says to use a shared benign shape but does not provide exact path/method/status/user-agent/body/header conditions, do not execute it. Record the missing guard fields instead.',
             'Use rate limiting only as temporary soft remediation for repeated route-specific abuse such as login brute force, credential stuffing, scraping/API bursts, enumeration, recon/probing, or repeated noisy payloads where risk/impact evidence is below the block threshold.',
             'Do not rate-limit instead of blocking when there is confirmed exploit success, token/data exposure, SSRF reachability, file read, RCE, persistence, malware/C2, or riskScore >= 85 with high-confidence malicious evidence. Do not rate-limit benign false positives, trusted monitors, app-server/proxy attribution problems, isolated one-off requests, or broad noisy rules that need alert tuning.',
+            'Do not create or recommend IP Allowlist entries during investigations unless the user explicitly asks to lock the app/environment to a known set of IPs. For safe monitors, offices, VPNs, or false positives, use Trusted IPs or scoped false-positive exclusions instead.',
             confirmWrites
-              ? 'The user requested execution. If evidence supports the decision, call securenow_human_action_block, securenow_rate_limit_create_from_text plus securenow_human_action_decision_report_add(outcome=rate_limited), or securenow_human_action_false_positive with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant. If you skip/mark ambiguous but still need to record the audit trail, call securenow_human_action_decision_report_add.'
+              ? 'The user requested execution. If evidence supports the decision, call securenow_human_action_block, securenow_rate_limit_create_from_text plus securenow_human_action_decision_report_add(outcome=rate_limited), or securenow_human_action_false_positive with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant. If no enforcement write is safe, call securenow_human_action_decision_report_add with outcome=rule_tuning, new_alert_rule, ambiguous, skipped, or other so the audit trail is complete without changing IP status.'
               : 'Do not execute write tools yet. Prepare the recommended decision and exact tool call the user can approve.',
             'If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
             'False positives must be narrow: app + alert rule + path + method/status/user-agent/body evidence where possible. Never globally trust an IP by default.',
@@ -1484,14 +2013,19 @@ function promptMessages(name, args = {}) {
             'Work my SecureNow Requires Human queue like a senior security analyst using the MCP tools.',
             `Review up to ${limit} row(s), most urgent first.${args.search ? ` Search filter: ${args.search}.` : ''}`,
             'Start with securenow_human_actions_list. For each row, call securenow_notifications_get and securenow_human_action_report, inspect the AI report/investigation steps/proofs/trace IDs, and fetch trace/log evidence where useful.',
-            'For each row choose exactly one outcome: Block IP, Rate Limit, False Positive, Rule Tuning Needed, or Skip because evidence is insufficient. Explain skipped rows.',
+            'For each row choose exactly one outcome: Block IP, Rate Limit, False Positive, Rule Tuning Applied/Needed, New Alert Rule Needed, Case Action Approved/Rejected, or Ambiguous/Skipped with exact missing proof.',
+            'Finished does not always mean enforcement changed. A row is also finished when a structured no-write decision report records the exact proof gap, missing permission, or vague guard and no weaker substitute write is used.',
+            'If a global/system rule update is the right fix but access is denied, do not mark customer-specific false positives just to clear the row. Prepare the exact attack-preserving guard/SQL, dry-run it when possible, and record outcome=rule_tuning with missingProof.',
+            'If evidence is mixed, do partial resolution: block proven malicious IPs, false-positive exact benign shapes, rate-limit route-specific volume abuse, and leave ambiguous IPs with their missing proof.',
+            'Reject vague AI proposed actions. If the prompt/action lacks concrete rule id, path, method, status, user-agent/body/header guard, benign samples, and attack examples that still match, record it as ambiguous or rule_tuning needed.',
             'Use Rate Limit only for repeated route-specific abuse where temporary friction is safer than blocking: login brute force/credential stuffing, password reset/account enumeration, scraping/API bursts, path or ID enumeration, recon/probing, or repeated noisy payloads without confirmed exploit success.',
             'Do not rate-limit confirmed high-risk attacks that should be blocked, benign traffic that should be false-positive scoped, broad noisy rules that need tuning, app-server/proxy attribution problems, or isolated one-off requests.',
+            'Do not create or recommend IP Allowlist entries while working this queue unless the user explicitly approves deny-by-default allowlist mode for the whole app/environment. Use Trusted IPs for trusted/bypass cases.',
             confirmWrites
-              ? 'The user requested execution. For supported decisions, call the correct write tool with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant, then continue. For skipped/ambiguous/rule-tuning-needed rows that should be auditable without changing IP status, use securenow_human_action_decision_report_add.'
+              ? 'The user requested execution. For supported decisions, call the correct write tool with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant, then continue. For skipped/ambiguous/rule-tuning-needed/new-rule-needed rows that should be auditable without changing enforcement status, use securenow_human_action_decision_report_add or securenow_human_case_decision_report_add.'
               : 'Do not execute write tools yet. Produce a row-by-row action plan and exact MCP write calls for user approval.',
             'For block decisions, use securenow_human_action_block. For rate-limit decisions, use securenow_rate_limit_create_from_text and then securenow_human_action_decision_report_add with outcome=rate_limited. For false positives, use securenow_human_action_false_positive with restrictive conditions. For case-level tune_rule/create_exclusion rows, inspect securenow_notifications_get and then use securenow_human_case_action_update only when the action is safe to approve/reject.',
-            'End with counts: handled, proposed block, rate limits created/proposed, proposed false positive, rule tuning needed, skipped, still waiting.',
+            'End with counts: handled, blocked/proposed block, rate limits created/proposed, false positives, rule tuning/admin permission blockers with exact guard, partial resolutions, skipped with missing proof, and still waiting.',
           ].join('\n'),
         },
       },
@@ -1513,7 +2047,7 @@ function promptMessages(name, args = {}) {
             'Start with securenow_blocklist_stats, then securenow_blocklist_pending_list({ page: 1, limit, environment }).',
             'For each pending block, inspect id, IP, source, reason, metadata.riskScore, metadata.aiRiskScore, metadata.abuseConfidenceScore, automation rule, linked notification, age, app, and environment.',
             'When investigationNotificationId exists, fetch securenow_notifications_get for that case and use the linked IP report/history as evidence.',
-            'Approve only when the row has clear malicious evidence, riskScore >= 90, or SecureNow IPDB evidence score >= 80 with no false-positive/test signal.',
+            'Approve only when the row has clear malicious evidence, riskScore >= 90, or SecureNow AI IPDB evidence score >= 80 with no false-positive/test signal.',
             'Reject stale, ambiguous, synthetic/test, self-traffic, or false-positive rows. Prefer narrow rule/exclusion tuning when the same benign pattern repeats.',
             confirmWrites
               ? 'The user requested execution. Use securenow_blocklist_pending_approve or securenow_blocklist_pending_reject with confirm:true and a precise reason. Use bulk tools only after every selected row satisfies the same reviewed policy.'
@@ -1537,7 +2071,7 @@ function promptMessages(name, args = {}) {
           text: [
             'Configure SecureNow default automation using the MCP tools.',
             `Review environment context: ${environment}. Built-in defaults apply to all apps and all environments unless the customer narrows them later.`,
-            'Use one canonical product score for automation decisions: riskScore. SecureNow IPDB / AbuseIPDB score and AI confidence remain supporting evidence.',
+            'Use one canonical product score for automation decisions: riskScore. SecureNow AI IPDB score and AI confidence remain supporting evidence.',
             'Built-in defaults are active by default:',
             '- Critical Risk Auto-Block: riskScore>=95, TTL 168h.',
             '- High Risk Auto-Block: riskScore>=90 AND riskScore<95, TTL 72h.',
@@ -1595,6 +2129,9 @@ function assertConfirmed(tool, args = {}) {
   if (!args.reason || !String(args.reason).trim()) {
     throw new Error(`${tool.name} requires a non-empty reason.`);
   }
+  if (tool.name === 'securenow_allowlist_add' && args.allowlistDenyAllApproved !== true) {
+    throw new Error('securenow_allowlist_add is deny-by-default: it blocks every non-listed IP for the scoped app/environment. Pass allowlistDenyAllApproved:true only after explicit human approval. Use securenow_trusted_add for trusted IPs or false positives.');
+  }
 }
 
 function buildApiRequest(tool, rawArgs = {}) {
@@ -1606,7 +2143,7 @@ function buildApiRequest(tool, rawArgs = {}) {
     endpoint = endpoint.replace(`:${key}`, encodeURIComponent(String(args[key])));
   }
 
-  const query = {};
+  const query = { ...(tool.fixedQuery || {}) };
   for (const key of tool.queryFields || []) {
     let value = args[key];
     if (tool.normalize && typeof tool.normalize[key] === 'function') {