securenow 7.7.6 → 7.7.7

package/NPM_README.md

@@ -186,7 +186,7 @@ codex mcp add securenow -- npx securenow mcp
 npx -p securenow securenow-mcp
 ```
 
-The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason.
+The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
 
 For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
 
@@ -272,7 +272,9 @@ npx securenow ip traces 203.0.113.42
 # Manage the blocklist
 npx securenow blocklist
 npx securenow blocklist add 203.0.113.42 --reason "Brute force scanner"
-npx securenow blocklist remove <id>
+npx securenow blocklist unblock <id> --reason "Reviewed as safe"
+npx securenow blocklist remove <id>          # compatibility alias
+npx securenow blocklist list --status removed
 npx securenow blocklist stats
 
 # Manage trusted IPs
@@ -520,7 +522,8 @@ npx securenow logs --json --level error | jq '.logs'
 | | `automation dry-run <id>` | Preview automation matches without writing blocks |
 | | `automation execute <id> --yes` | Run an automation rule now |
 | | `blocklist add <ip>` | Block IP |
-| | `blocklist remove <id>` | Unblock IP |
+| | `blocklist unblock <id>` | Unblock IP and retain report/history |
+| | `blocklist remove <id>` | Compatibility alias for unblock |
 | | `blocklist stats` | Block stats |
 | | `allowlist` | Allowed IPs (restrict-mode) |
 | | `allowlist add <ip>` | Allow IP (`--label`, `--reason`) |

package/README.md

@@ -191,6 +191,7 @@ npx securenow doctor                # diagnose config + connectivity
 # Security
 npx securenow firewall status --env production
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
+npx securenow blocklist unblock <id> --reason "reviewed safe"
 npx securenow fp ai-fill --description "Stripe webhook POST /api/stripe/webhook"
 
 # Telemetry from shell (no SDK boot)
@@ -357,6 +358,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 |---|---|
 | `securenow blocklist` | List blocked IPs |
 | `securenow blocklist add <ip> [--reason ...]` | Block an IP |
+| `securenow blocklist unblock <id> [--reason ...]` | Stop enforcement and keep block history |
 | `securenow allowlist add <ip>` | Allow an IP (restrict-mode) |
 | `securenow trusted add <ip>` | Mark an IP as trusted |
 

package/SKILL-API.md

@@ -66,9 +66,25 @@ npx securenow api-key set snk_live_abc123...
 
 Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json`.
 
-The firewall syncs your blocklist and enforces it on every request — zero code changes.
-
----
+The firewall syncs your blocklist and enforces it on every request — zero code changes.
+
+Blocklist unblocks are audit-preserving: dashboard/API/CLI/MCP unblock actions
+mark the active block as `removed`, invalidate firewall sync, clear expiry to
+avoid TTL deletion, and retain block reports/history for future review or
+reblock context.
+
+For near-realtime propagation after a block/unblock, set
+`SECURENOW_FIREWALL_VERSION_INTERVAL=1` or `2` in the protected app. The SDK
+polls `/firewall/sync` with ETag/304, so unchanged checks are lightweight; keep
+`SECURENOW_FIREWALL_SYNC_INTERVAL` high as a safety-net full refresh.
+
+Default automation is active for new and existing customers. The API
+idempotently provisions risk-score rules for all apps/environments:
+`riskScore >= 95` blocks for 7 days, `90-94` for 72h, and `85-89` for 24h.
+Run `securenow automation defaults --yes` or the API backfill script when an
+operator needs to ensure those defaults immediately.
+
+---
 
 ## Import Map
 

package/SKILL-CLI.md

@@ -300,13 +300,21 @@ securenow firewall test-ip <ip> --app <key> --env local  # check if IP would be
 securenow blocklist                          # list blocked IPs
 securenow blocklist list
 securenow blocklist add <ip> --app <key> --env production --reason "Brute force"
-securenow blocklist remove <id>
+securenow blocklist unblock <id> --reason "False alarm after review"
+securenow blocklist remove <id>              # compatibility alias for unblock
+securenow blocklist list --status removed    # audit retained unblocks
 securenow blocklist stats                    # block counts, top reasons
 ```
 
+Unblock stops firewall enforcement but preserves the block report, history, and
+unblock audit fields. Reblocking the same IP later creates a fresh active block
+without erasing the previous investigation trail.
+
 MCP exposes legacy pending-block cleanup separately from current Requires Human
 work:
 
+- `securenow_blocklist_unblock`
+- `securenow_blocklist_remove` (compatibility alias for unblock)
 - `securenow_blocklist_pending_list`
 - `securenow_blocklist_pending_approve`
 - `securenow_blocklist_pending_reject`
@@ -318,15 +326,17 @@ work:
 
 ```bash
 securenow automation                         # list blocklist automation rules
+securenow automation defaults --yes          # ensure built-in default risk-score rules
 securenow automation show <id>
 securenow automation dry-run <id> --limit 500
 securenow automation execute <id> --yes
 ```
 
-For default automation, prefer production-scoped `riskScore` policies:
-`riskScore >= 90` for autonomous AI malicious blocking, `riskScore >= 80`
-plus `alertTag in xss` for short-lived XSS blocks, and keep raw SecureNow IPDB
-confidence as supporting reputation evidence.
+Built-in default automation is enabled by default for all apps/environments and
+uses the canonical `riskScore`: 95-100 blocks for 7 days, 90-94 blocks for 72h,
+85-89 blocks for 24h, and scores below 85 stay in investigation/review unless
+the customer adds a stricter custom rule. Raw SecureNow IPDB confidence remains
+supporting evidence, not the primary automation score.
 
 ### Allowlist — Restrict to Known IPs
 

package/cli/automation.js

@@ -249,6 +249,34 @@ async function execute(args, flags) {
   }
 }
 
+async function defaults(args, flags) {
+  requireAuth();
+  if ((flags['force-enable'] || flags.force) && !flags.yes) {
+    const ok = await ui.confirm('Re-enable existing SecureNow default automation rules that were disabled?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Ensuring default automation rules');
+  try {
+    const data = await api.post('/automation-rules/defaults/ensure', {
+      forceEnableExisting: !!(flags['force-enable'] || flags.force),
+    });
+    s.stop('Default automation rules ensured');
+    if (flags.json) { ui.json(data); return; }
+
+    const result = data.result || {};
+    ui.keyValue([
+      ['Version', String(result.version ?? '-')],
+      ['Created', String(result.created ?? 0)],
+      ['Updated', String(result.updated ?? 0)],
+      ['Already present', String(result.alreadyProvisioned ?? 0)],
+    ]);
+  } catch (err) {
+    s.fail('Failed to ensure default automation rules');
+    throw err;
+  }
+}
+
 async function remove(args, flags) {
   requireAuth();
   const id = args[0];
@@ -272,4 +300,4 @@ async function remove(args, flags) {
   }
 }
 
-module.exports = { list, show, create, update, dryRun, execute, remove };
+module.exports = { list, show, create, update, dryRun, execute, defaults, remove };

package/cli/security.js

@@ -339,6 +339,12 @@ async function blocklistList(args, flags) {
     if (flags.limit) query.limit = flags.limit;
     if (flags.app) query.appKey = flags.app;
     if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    if (flags.status) query.status = flags.status;
+    if (flags.search) query.search = flags.search;
+    if (flags.view) query.view = flags.view;
+    if (flags.approvalStatus || flags['approval-status']) {
+      query.approvalStatus = flags.approvalStatus || flags['approval-status'];
+    }
     const data = await api.get('/blocklist', { query });
     const items = data.blockedIps || [];
     s.stop(`Found ${items.length} blocked IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
@@ -348,15 +354,17 @@ async function blocklistList(args, flags) {
     console.log('');
     const rows = items.map(b => [
       ui.c.dim(ui.truncate(b._id, 12)),
-      ui.c.red(b.ip || b.cidr || '—'),
-      ui.truncate(b.reason || '', 40),
+      ui.c.red(b.ip || b.cidr || '—'),
+      ui.truncate(b.reason || '', 40),
       b.source || '—',
+      b.status || 'active',
       b.applicationKey || ui.c.dim('all apps'),
       b.environment || ui.c.dim('all envs'),
       ui.timeAgo(b.createdAt),
+      b.unblockedAt ? ui.timeAgo(b.unblockedAt) : ui.c.dim('—'),
       b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
     ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'App', 'Env', 'Added', 'Expires'], rows);
+    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -390,26 +398,28 @@ async function blocklistAdd(args, flags) {
 
 async function blocklistRemove(args, flags) {
   requireAuth();
-  const id = args[0];
-  if (!id) {
-    ui.error('Blocklist entry ID required. Usage: securenow blocklist remove <id>');
-    process.exit(1);
-  }
-
-  if (!flags.force && !flags.yes) {
-    const ok = await ui.confirm('Remove this IP from blocklist?');
-    if (!ok) { ui.info('Cancelled'); return; }
-  }
-
-  const s = ui.spinner('Removing from blocklist');
-  try {
-    await api.delete(`/blocklist/${id}`);
-    s.stop('Removed from blocklist');
-  } catch (err) {
-    s.fail('Failed to remove from blocklist');
-    throw err;
-  }
-}
+  const id = args[0];
+  if (!id) {
+    ui.error('Blocklist entry ID required. Usage: securenow blocklist unblock <id> [--reason <reason>]');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Unblock this IP? Firewall enforcement stops, but block report and history stay saved.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Unblocking IP');
+  try {
+    const body = {};
+    if (flags.reason) body.reason = flags.reason;
+    await api.post(`/blocklist/${id}/unblock`, body);
+    s.stop('Unblocked; block report and history retained');
+  } catch (err) {
+    s.fail('Failed to unblock IP');
+    throw err;
+  }
+}
 
 async function blocklistStats(args, flags) {
   requireAuth();

package/cli.js

@@ -255,7 +255,7 @@ const COMMANDS = {
   },
   automation: {
     desc: 'Manage automation rules for blocklist actions',
-    usage: 'securenow automation <list|show|create|update|dry-run|execute|delete> [rule-id] [options]',
+    usage: 'securenow automation <list|defaults|show|create|update|dry-run|execute|delete> [rule-id] [options]',
     flags: {
       json: 'Output as JSON',
       body: 'Full JSON body for create/update',
@@ -280,6 +280,7 @@ const COMMANDS = {
     },
     sub: {
       list: { desc: 'List automation rules', run: (a, f) => require('./cli/automation').list(a, f) },
+      defaults: { desc: 'Ensure SecureNow default risk-score automation rules', usage: 'securenow automation defaults [--force-enable] [--yes]', run: (a, f) => require('./cli/automation').defaults(a, f) },
       show: { desc: 'Show automation rule details', usage: 'securenow automation show <rule-id>', run: (a, f) => require('./cli/automation').show(a, f) },
       create: { desc: 'Create automation rule', usage: 'securenow automation create --name "..." --conditions \'[...]\' --actions \'[...]\'', run: (a, f) => require('./cli/automation').create(a, f) },
       update: { desc: 'Update automation rule', usage: 'securenow automation update <rule-id> --body \'{...}\'', run: (a, f) => require('./cli/automation').update(a, f) },
@@ -292,13 +293,14 @@ const COMMANDS = {
   blocklist: {
     desc: 'Manage IP blocklist',
     usage: 'securenow blocklist <subcommand> [options]',
-    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', json: 'Output as JSON' },
     sub: {
       list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
       add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
-      remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
-      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
-    },
+      unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
+    },
     defaultSub: 'list',
   },
   allowlist: {

package/mcp/catalog.js

@@ -676,6 +676,21 @@ const TOOLS = [
     endpoint: '/automation-rules',
     inputSchema: objectSchema({}),
   },
+  {
+    name: 'securenow_automation_defaults_ensure',
+    title: 'Ensure Default Automation Rules',
+    description: 'Create or refresh SecureNow default risk-score automation rules for the current account. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules/defaults/ensure',
+    bodyFields: ['forceEnableExisting'],
+    inputSchema: objectSchema({
+      forceEnableExisting: boolean('Re-enable existing SecureNow default rules if the customer disabled them. Defaults to false.'),
+      ...confirmSchema,
+    }, ['confirm', 'reason']),
+  },
   {
     name: 'securenow_automation_rule_get',
     title: 'Get Automation Rule',
@@ -1040,14 +1055,31 @@ const TOOLS = [
   },
   {
     name: 'securenow_blocklist_remove',
-    title: 'Remove Blocked IP',
-    description: 'Remove a blocklist entry. Write action; requires confirmation.',
+    title: 'Unblock IP (Compat Alias)',
+    description: 'Compatibility alias for unblocking a blocklist entry while retaining block report/history. Write action; requires confirmation.',
     scope: 'blocklist:write',
     readOnly: false,
     confirm: true,
-    method: 'DELETE',
-    endpoint: '/blocklist/:id',
+    method: 'POST',
+    endpoint: '/blocklist/:id/unblock',
     pathParams: ['id'],
+    bodyFields: ['reason'],
+    inputSchema: objectSchema({
+      id: string('Blocklist entry id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_blocklist_unblock',
+    title: 'Unblock IP And Keep History',
+    description: 'Unblock a blocklist entry so firewall enforcement stops, while retaining the block report, history, and unblock audit trail. Write action; requires confirmation.',
+    scope: 'blocklist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/blocklist/:id/unblock',
+    pathParams: ['id'],
+    bodyFields: ['reason'],
     inputSchema: objectSchema({
       id: string('Blocklist entry id.'),
       ...confirmSchema,
@@ -1428,16 +1460,16 @@ function promptMessages(name, args = {}) {
           type: 'text',
           text: [
             'Configure SecureNow default automation using the MCP tools.',
-            `Default environment scope: ${environment}.`,
-            'Use one canonical product score for automation decisions: riskScore. Treat SecureNow IPDB / AbuseIPDB score and AI confidence as supporting evidence, not the primary UI score.',
-            'Desired defaults:',
-            '- Auto-block High-Confidence AI Malicious IPs: aiDecision=pending_approval AND isMalicious=true AND riskScore>=90, TTL 168h.',
-            '- Auto-block High-Confidence XSS IPs: alertTag in xss AND riskScore>=80, TTL 24h.',
-            '- High-reputation IPDB automation may remain enabled only as an explicit reputation policy: abuseConfidenceScore>=80.',
-            'Start with securenow_automation_rules_list. Reuse/update existing rules where names/conditions match instead of creating duplicates.',
-            'Create new rules with status=disabled when possible, dry-run each changed or created rule with securenow_automation_rule_dry_run, then enable only after the sample matches look safe.',
+            `Review environment context: ${environment}. Built-in defaults apply to all apps and all environments unless the customer narrows them later.`,
+            'Use one canonical product score for automation decisions: riskScore. SecureNow IPDB / AbuseIPDB score and AI confidence remain supporting evidence.',
+            'Built-in defaults are active by default:',
+            '- Critical Risk Auto-Block: riskScore>=95, TTL 168h.',
+            '- High Risk Auto-Block: riskScore>=90 AND riskScore<95, TTL 72h.',
+            '- Elevated Risk Auto-Block: riskScore>=85 AND riskScore<90, TTL 24h.',
+            'Start with securenow_automation_defaults_ensure({ confirm:true, reason:"Provision SecureNow default risk-score automation" }) when writes are confirmed, otherwise start with securenow_automation_rules_list and report what would be ensured.',
+            'After ensuring defaults, dry-run each default rule with securenow_automation_rule_dry_run to inspect sample matches. Disable or tune only if evidence shows customer-specific false positives.',
             confirmWrites
-              ? 'The user requested execution. Create/update rules with confirm:true, production scope, clear names, and precise reasons. For new rules, prefer status=disabled, dry-run, then update status=active after review. Re-list rules after writes.'
+              ? 'The user requested execution. Ensure defaults with confirm:true, do not force-enable previously disabled defaults unless the user explicitly asked, and re-list rules after writes.'
               : 'Do not execute writes yet. Return exact MCP update/create calls and dry-run calls for approval.',
             'End with active rules, disabled rules that should stay disabled, and any risk from automation scope.',
           ].join('\n'),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.6",
+  "version": "7.7.7",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",