securenow 7.7.6 → 7.7.8

package/NPM_README.md

@@ -186,7 +186,7 @@ codex mcp add securenow -- npx securenow mcp
 npx -p securenow securenow-mcp
 ```
 
-The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason.
+The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
 
 For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
 
@@ -272,7 +272,9 @@ npx securenow ip traces 203.0.113.42
 # Manage the blocklist
 npx securenow blocklist
 npx securenow blocklist add 203.0.113.42 --reason "Brute force scanner"
-npx securenow blocklist remove <id>
+npx securenow blocklist unblock <id> --reason "Reviewed as safe"
+npx securenow blocklist remove <id>          # compatibility alias
+npx securenow blocklist list --status removed
 npx securenow blocklist stats
 
 # Manage trusted IPs
@@ -520,7 +522,8 @@ npx securenow logs --json --level error | jq '.logs'
 | | `automation dry-run <id>` | Preview automation matches without writing blocks |
 | | `automation execute <id> --yes` | Run an automation rule now |
 | | `blocklist add <ip>` | Block IP |
-| | `blocklist remove <id>` | Unblock IP |
+| | `blocklist unblock <id>` | Unblock IP and retain report/history |
+| | `blocklist remove <id>` | Compatibility alias for unblock |
 | | `blocklist stats` | Block stats |
 | | `allowlist` | Allowed IPs (restrict-mode) |
 | | `allowlist add <ip>` | Allow IP (`--label`, `--reason`) |

package/README.md

@@ -191,6 +191,7 @@ npx securenow doctor                # diagnose config + connectivity
 # Security
 npx securenow firewall status --env production
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
+npx securenow blocklist unblock <id> --reason "reviewed safe"
 npx securenow fp ai-fill --description "Stripe webhook POST /api/stripe/webhook"
 
 # Telemetry from shell (no SDK boot)
@@ -357,6 +358,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 |---|---|
 | `securenow blocklist` | List blocked IPs |
 | `securenow blocklist add <ip> [--reason ...]` | Block an IP |
+| `securenow blocklist unblock <id> [--reason ...]` | Stop enforcement and keep block history |
 | `securenow allowlist add <ip>` | Allow an IP (restrict-mode) |
 | `securenow trusted add <ip>` | Mark an IP as trusted |
 

package/SKILL-API.md

@@ -66,9 +66,25 @@ npx securenow api-key set snk_live_abc123...
 
 Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json`.
 
-The firewall syncs your blocklist and enforces it on every request — zero code changes.
-
----
+The firewall syncs your blocklist and enforces it on every request — zero code changes.
+
+Blocklist unblocks are audit-preserving: dashboard/API/CLI/MCP unblock actions
+mark the active block as `removed`, invalidate firewall sync, clear expiry to
+avoid TTL deletion, and retain block reports/history for future review or
+reblock context.
+
+For near-realtime propagation after a block/unblock, set
+`SECURENOW_FIREWALL_VERSION_INTERVAL=1` or `2` in the protected app. The SDK
+polls `/firewall/sync` with ETag/304, so unchanged checks are lightweight; keep
+`SECURENOW_FIREWALL_SYNC_INTERVAL` high as a safety-net full refresh.
+
+Default automation is active for new and existing customers. The API
+idempotently provisions risk-score rules for all apps/environments:
+`riskScore >= 95` blocks for 7 days, `90-94` for 72h, and `85-89` for 24h.
+Run `securenow automation defaults --yes` or the API backfill script when an
+operator needs to ensure those defaults immediately.
+
+---
 
 ## Import Map
 

package/SKILL-CLI.md

@@ -300,13 +300,21 @@ securenow firewall test-ip <ip> --app <key> --env local  # check if IP would be
 securenow blocklist                          # list blocked IPs
 securenow blocklist list
 securenow blocklist add <ip> --app <key> --env production --reason "Brute force"
-securenow blocklist remove <id>
+securenow blocklist unblock <id> --reason "False alarm after review"
+securenow blocklist remove <id>              # compatibility alias for unblock
+securenow blocklist list --status removed    # audit retained unblocks
 securenow blocklist stats                    # block counts, top reasons
 ```
 
+Unblock stops firewall enforcement but preserves the block report, history, and
+unblock audit fields. Reblocking the same IP later creates a fresh active block
+without erasing the previous investigation trail.
+
 MCP exposes legacy pending-block cleanup separately from current Requires Human
 work:
 
+- `securenow_blocklist_unblock`
+- `securenow_blocklist_remove` (compatibility alias for unblock)
 - `securenow_blocklist_pending_list`
 - `securenow_blocklist_pending_approve`
 - `securenow_blocklist_pending_reject`
@@ -318,15 +326,17 @@ work:
 
 ```bash
 securenow automation                         # list blocklist automation rules
+securenow automation defaults --yes          # ensure built-in default risk-score rules
 securenow automation show <id>
 securenow automation dry-run <id> --limit 500
 securenow automation execute <id> --yes
 ```
 
-For default automation, prefer production-scoped `riskScore` policies:
-`riskScore >= 90` for autonomous AI malicious blocking, `riskScore >= 80`
-plus `alertTag in xss` for short-lived XSS blocks, and keep raw SecureNow IPDB
-confidence as supporting reputation evidence.
+Built-in default automation is enabled by default for all apps/environments and
+uses the canonical `riskScore`: 95-100 blocks for 7 days, 90-94 blocks for 72h,
+85-89 blocks for 24h, and scores below 85 stay in investigation/review unless
+the customer adds a stricter custom rule. Raw SecureNow IPDB confidence remains
+supporting evidence, not the primary automation score.
 
 ### Allowlist — Restrict to Known IPs
 

package/cli/automation.js

@@ -249,6 +249,34 @@ async function execute(args, flags) {
   }
 }
 
+async function defaults(args, flags) {
+  requireAuth();
+  if ((flags['force-enable'] || flags.force) && !flags.yes) {
+    const ok = await ui.confirm('Re-enable existing SecureNow default automation rules that were disabled?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Ensuring default automation rules');
+  try {
+    const data = await api.post('/automation-rules/defaults/ensure', {
+      forceEnableExisting: !!(flags['force-enable'] || flags.force),
+    });
+    s.stop('Default automation rules ensured');
+    if (flags.json) { ui.json(data); return; }
+
+    const result = data.result || {};
+    ui.keyValue([
+      ['Version', String(result.version ?? '-')],
+      ['Created', String(result.created ?? 0)],
+      ['Updated', String(result.updated ?? 0)],
+      ['Already present', String(result.alreadyProvisioned ?? 0)],
+    ]);
+  } catch (err) {
+    s.fail('Failed to ensure default automation rules');
+    throw err;
+  }
+}
+
 async function remove(args, flags) {
   requireAuth();
   const id = args[0];
@@ -272,4 +300,4 @@ async function remove(args, flags) {
   }
 }
 
-module.exports = { list, show, create, update, dryRun, execute, remove };
+module.exports = { list, show, create, update, dryRun, execute, defaults, remove };

package/cli/firewall.js

@@ -36,10 +36,11 @@ async function status(args, flags) {
       ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
-      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
-      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
-      ['Sync TTL', `${data.ttl || 60}s`],
-    ]);
+      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
+      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
+      ['Rate limit rules', String(data.rateLimitCount ?? 0)],
+      ['Sync TTL', `${data.ttl || 60}s`],
+    ]);
     if (data.allowlistCount > 0) {
       console.log('');
       console.log(`  ${ui.c.yellow('!')} Allowlist is active — only ${data.allowlistCount} IP(s) can reach your app`);

package/cli/rateLimits.js

@@ -0,0 +1,245 @@
+'use strict';
+
+const { api, requireAuth } = require('./client');
+const config = require('./config');
+const ui = require('./ui');
+
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags, fallback = null) {
+  return flags.env || flags.environment || fallback;
+}
+
+function parseWindow(value) {
+  if (value == null || value === '') return 60;
+  if (/^\d+$/.test(String(value))) return Number(value);
+  const raw = String(value).trim().toLowerCase();
+  const match = raw.match(/^(\d+)\s*(s|sec|second|seconds|m|min|minute|minutes|h|hr|hour|hours)$/);
+  if (!match) {
+    ui.error('Window must be seconds or look like 30s, 1m, or 1h.');
+    process.exit(1);
+  }
+  const n = Number(match[1]);
+  const unit = match[2][0];
+  return unit === 'h' ? n * 3600 : unit === 'm' ? n * 60 : n;
+}
+
+function buildQuery(flags) {
+  const query = {};
+  if (flags.page) query.page = flags.page;
+  if (flags.limit) query.limit = flags.limit;
+  if (flags.status) query.status = flags.status;
+  if (flags.search) query.search = flags.search;
+  const appKey = resolveApp(flags);
+  if (appKey) query.appKey = appKey;
+  const environment = resolveEnvironment(flags, null);
+  if (environment) query.environment = environment;
+  return query;
+}
+
+function describeTarget(rule) {
+  const parts = [];
+  if (rule.ip) parts.push(rule.ip);
+  if (rule.method && rule.method !== 'ALL') parts.push(rule.method);
+  if (rule.pathPattern) parts.push(`${rule.pathMatchMode || 'prefix'}:${rule.pathPattern}`);
+  return parts.join(' ') || 'all traffic';
+}
+
+async function list(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching rate limits');
+  try {
+    const data = await api.get('/rate-limits', { query: buildQuery(flags) });
+    const rules = data.rateLimits || [];
+    s.stop(`Found ${rules.length} rate-limit rule${rules.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = rules.map((r) => [
+      ui.c.dim(ui.truncate(r.id || r._id, 12)),
+      r.status === 'active' ? ui.statusBadge('active') : ui.statusBadge(r.status || 'unknown'),
+      describeTarget(r),
+      `${r.limit}/${r.windowSeconds}s`,
+      r.applicationKey || ui.c.dim('all apps'),
+      r.environment || ui.c.dim('all envs'),
+      r.expiresAt ? new Date(r.expiresAt).toLocaleString() : ui.c.dim('permanent'),
+      ui.timeAgo(r.createdAt),
+    ]);
+    ui.table(['ID', 'Status', 'Target', 'Limit', 'App', 'Env', 'Expires', 'Created'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch rate limits');
+    throw err;
+  }
+}
+
+async function show(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow ratelimit show <id>');
+    process.exit(1);
+  }
+  const s = ui.spinner('Fetching rate limit');
+  try {
+    const data = await api.get(`/rate-limits/${id}`);
+    const r = data.rateLimit;
+    s.stop('Rate limit loaded');
+    if (flags.json) { ui.json(r); return; }
+    console.log('');
+    ui.heading(r.name || 'Rate limit');
+    console.log('');
+    ui.keyValue([
+      ['ID', r.id || r._id || id],
+      ['Status', r.status || '-'],
+      ['Target', describeTarget(r)],
+      ['Limit', `${r.limit}/${r.windowSeconds}s`],
+      ['Key by', r.keyBy || 'ip'],
+      ['App', r.applicationKey || 'all apps'],
+      ['Environment', r.environment || 'all envs'],
+      ['Reason', r.reason || '-'],
+      ['Expires', r.expiresAt || 'permanent'],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch rate limit');
+    throw err;
+  }
+}
+
+async function add(args, flags) {
+  requireAuth();
+  const ip = args[0] || flags.ip || '';
+  const pathPattern = flags.route || flags.path || flags.pattern || '';
+
+  if (!ip && !pathPattern) {
+    ui.error('Provide an IP/CIDR, --route, or both.');
+    ui.info('Example: securenow ratelimit add 203.0.113.10 --limit 30 --window 1m --duration 24h');
+    process.exit(1);
+  }
+  if (!flags.limit) {
+    ui.error('Pass --limit <count>.');
+    process.exit(1);
+  }
+
+  const appKey = resolveApp(flags);
+  const environment = resolveEnvironment(flags, 'production');
+  const body = {
+    ip,
+    pathPattern,
+    pathMatchMode: flags.mode || flags['path-mode'] || (pathPattern ? 'prefix' : 'prefix'),
+    method: flags.method || 'ALL',
+    keyBy: flags['key-by'] || flags.keyBy || 'ip',
+    limit: Number(flags.limit),
+    windowSeconds: parseWindow(flags.window || flags['window-seconds']),
+    reason: flags.reason || '',
+    name: flags.name || '',
+    duration: flags.duration || '',
+    expiresAt: flags.expiresAt || flags.expires || '',
+  };
+  if (appKey) body.appKey = appKey;
+  if (environment) body.environment = environment;
+
+  const s = ui.spinner('Creating rate limit');
+  try {
+    const data = await api.post('/rate-limits', body);
+    s.stop('Rate limit created');
+    if (flags.json) { ui.json(data); return; }
+    const r = data.rateLimit;
+    console.log('');
+    console.log(`  ${ui.c.green('ACTIVE')} ${describeTarget(r)} at ${r.limit}/${r.windowSeconds}s`);
+    console.log(`  ${ui.c.dim('ID:')} ${r.id || r._id}`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to create rate limit');
+    throw err;
+  }
+}
+
+async function setStatus(args, flags, status) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error(`Usage: securenow ratelimit ${status === 'active' ? 'enable' : 'disable'} <id>`);
+    process.exit(1);
+  }
+  const s = ui.spinner(`${status === 'active' ? 'Enabling' : 'Disabling'} rate limit`);
+  try {
+    const data = await api.put(`/rate-limits/${id}`, { status });
+    s.stop(status === 'active' ? 'Rate limit enabled' : 'Rate limit disabled');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to update rate limit');
+    throw err;
+  }
+}
+
+async function enable(args, flags) { return setStatus(args, flags, 'active'); }
+async function disable(args, flags) { return setStatus(args, flags, 'disabled'); }
+
+async function remove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow ratelimit remove <id> [--reason "..."]');
+    process.exit(1);
+  }
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this rate-limit rule?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const s = ui.spinner('Removing rate limit');
+  try {
+    const opts = flags.reason ? { query: { reason: flags.reason } } : undefined;
+    const data = await api.delete(`/rate-limits/${id}`, opts);
+    s.stop('Rate limit removed');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to remove rate limit');
+    throw err;
+  }
+}
+
+async function test(args, flags) {
+  requireAuth();
+  const ip = args[0] || flags.ip;
+  if (!ip) {
+    ui.error('Usage: securenow ratelimit test <ip> --path /api/login [--method POST]');
+    process.exit(1);
+  }
+  const query = {
+    ip,
+    path: flags.path || flags.route || '/',
+    method: flags.method || 'GET',
+  };
+  const appKey = resolveApp(flags);
+  if (appKey) query.appKey = appKey;
+  const environment = resolveEnvironment(flags, 'production');
+  if (environment) query.environment = environment;
+
+  const s = ui.spinner('Testing rate-limit match');
+  try {
+    const data = await api.get('/rate-limits/check', { query });
+    s.stop('Rate-limit check complete');
+    if (flags.json) { ui.json(data); return; }
+    console.log('');
+    if (data.limited) {
+      console.log(`  ${ui.c.bold(ui.c.yellow('RATE LIMITED'))} - ${data.matches.length} matching rule${data.matches.length !== 1 ? 's' : ''}`);
+      for (const r of data.matches.slice(0, 5)) {
+        console.log(`  ${ui.c.dim(r.id || r._id)}  ${describeTarget(r)}  ${r.limit}/${r.windowSeconds}s`);
+      }
+    } else {
+      console.log(`  ${ui.c.bold(ui.c.green('NOT LIMITED'))} - no matching rate-limit rules`);
+    }
+    console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} - Environment: ${data.environment || environment}`)}`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to test rate limit');
+    throw err;
+  }
+}
+
+module.exports = { list, show, add, enable, disable, remove, test };

package/cli/security.js

@@ -339,6 +339,12 @@ async function blocklistList(args, flags) {
     if (flags.limit) query.limit = flags.limit;
     if (flags.app) query.appKey = flags.app;
     if (flags.env || flags.environment) query.environment = flags.env || flags.environment;
+    if (flags.status) query.status = flags.status;
+    if (flags.search) query.search = flags.search;
+    if (flags.view) query.view = flags.view;
+    if (flags.approvalStatus || flags['approval-status']) {
+      query.approvalStatus = flags.approvalStatus || flags['approval-status'];
+    }
     const data = await api.get('/blocklist', { query });
     const items = data.blockedIps || [];
     s.stop(`Found ${items.length} blocked IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
@@ -348,15 +354,17 @@ async function blocklistList(args, flags) {
     console.log('');
     const rows = items.map(b => [
       ui.c.dim(ui.truncate(b._id, 12)),
-      ui.c.red(b.ip || b.cidr || '—'),
-      ui.truncate(b.reason || '', 40),
+      ui.c.red(b.ip || b.cidr || '—'),
+      ui.truncate(b.reason || '', 40),
       b.source || '—',
+      b.status || 'active',
       b.applicationKey || ui.c.dim('all apps'),
       b.environment || ui.c.dim('all envs'),
       ui.timeAgo(b.createdAt),
+      b.unblockedAt ? ui.timeAgo(b.unblockedAt) : ui.c.dim('—'),
       b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
     ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'App', 'Env', 'Added', 'Expires'], rows);
+    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -390,26 +398,28 @@ async function blocklistAdd(args, flags) {
 
 async function blocklistRemove(args, flags) {
   requireAuth();
-  const id = args[0];
-  if (!id) {
-    ui.error('Blocklist entry ID required. Usage: securenow blocklist remove <id>');
-    process.exit(1);
-  }
-
-  if (!flags.force && !flags.yes) {
-    const ok = await ui.confirm('Remove this IP from blocklist?');
-    if (!ok) { ui.info('Cancelled'); return; }
-  }
-
-  const s = ui.spinner('Removing from blocklist');
-  try {
-    await api.delete(`/blocklist/${id}`);
-    s.stop('Removed from blocklist');
-  } catch (err) {
-    s.fail('Failed to remove from blocklist');
-    throw err;
-  }
-}
+  const id = args[0];
+  if (!id) {
+    ui.error('Blocklist entry ID required. Usage: securenow blocklist unblock <id> [--reason <reason>]');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Unblock this IP? Firewall enforcement stops, but block report and history stay saved.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Unblocking IP');
+  try {
+    const body = {};
+    if (flags.reason) body.reason = flags.reason;
+    await api.post(`/blocklist/${id}/unblock`, body);
+    s.stop('Unblocked; block report and history retained');
+  } catch (err) {
+    s.fail('Failed to unblock IP');
+    throw err;
+  }
+}
 
 async function blocklistStats(args, flags) {
   requireAuth();

package/cli.js

@@ -253,9 +253,51 @@ const COMMANDS = {
     },
     defaultSub: 'status',
   },
+  ratelimit: {
+    desc: 'Manage soft rate-limit remediation rules',
+    usage: 'securenow ratelimit <list|add|show|test|enable|disable|remove> [options]',
+    flags: {
+      app: 'Scope to app key (defaults to logged-in app)',
+      env: 'Scope to environment (default for create/test: production)',
+      environment: 'Alias for --env',
+      json: 'Output as JSON',
+      limit: 'Allowed requests per window',
+      window: 'Window size, e.g. 30s, 1m, 1h',
+      duration: 'Expiry, e.g. 24h or 7d',
+      route: 'Path pattern such as /api/login',
+      path: 'Alias for --route',
+      mode: 'Path mode: exact, prefix, or regex',
+      method: 'HTTP method, or ALL',
+      reason: 'Audit reason',
+    },
+    sub: {
+      list: { desc: 'List rate-limit remediation rules', run: (a, f) => require('./cli/rateLimits').list(a, f) },
+      add: { desc: 'Create a rate-limit rule', usage: 'securenow ratelimit add [ip] --route /api/login --limit 5 --window 1m --duration 24h', run: (a, f) => require('./cli/rateLimits').add(a, f) },
+      show: { desc: 'Show one rate-limit rule', usage: 'securenow ratelimit show <id>', run: (a, f) => require('./cli/rateLimits').show(a, f) },
+      test: { desc: 'Check whether a request would match rate-limit rules', usage: 'securenow ratelimit test <ip> --path /api/login --method POST', run: (a, f) => require('./cli/rateLimits').test(a, f) },
+      enable: { desc: 'Enable a rate-limit rule', usage: 'securenow ratelimit enable <id>', run: (a, f) => require('./cli/rateLimits').enable(a, f) },
+      disable: { desc: 'Disable a rate-limit rule', usage: 'securenow ratelimit disable <id>', run: (a, f) => require('./cli/rateLimits').disable(a, f) },
+      remove: { desc: 'Remove a rate-limit rule', usage: 'securenow ratelimit remove <id> [--reason "..."]', run: (a, f) => require('./cli/rateLimits').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  'rate-limit': {
+    desc: 'Alias for ratelimit',
+    usage: 'securenow rate-limit <list|add|show|test|enable|disable|remove> [options]',
+    sub: {
+      list: { desc: 'List rate-limit remediation rules', run: (a, f) => require('./cli/rateLimits').list(a, f) },
+      add: { desc: 'Create a rate-limit rule', usage: 'securenow rate-limit add [ip] --route /api/login --limit 5 --window 1m --duration 24h', run: (a, f) => require('./cli/rateLimits').add(a, f) },
+      show: { desc: 'Show one rate-limit rule', usage: 'securenow rate-limit show <id>', run: (a, f) => require('./cli/rateLimits').show(a, f) },
+      test: { desc: 'Check whether a request would match rate-limit rules', usage: 'securenow rate-limit test <ip> --path /api/login --method POST', run: (a, f) => require('./cli/rateLimits').test(a, f) },
+      enable: { desc: 'Enable a rate-limit rule', usage: 'securenow rate-limit enable <id>', run: (a, f) => require('./cli/rateLimits').enable(a, f) },
+      disable: { desc: 'Disable a rate-limit rule', usage: 'securenow rate-limit disable <id>', run: (a, f) => require('./cli/rateLimits').disable(a, f) },
+      remove: { desc: 'Remove a rate-limit rule', usage: 'securenow rate-limit remove <id> [--reason "..."]', run: (a, f) => require('./cli/rateLimits').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
   automation: {
     desc: 'Manage automation rules for blocklist actions',
-    usage: 'securenow automation <list|show|create|update|dry-run|execute|delete> [rule-id] [options]',
+    usage: 'securenow automation <list|defaults|show|create|update|dry-run|execute|delete> [rule-id] [options]',
     flags: {
       json: 'Output as JSON',
       body: 'Full JSON body for create/update',
@@ -280,6 +322,7 @@ const COMMANDS = {
     },
     sub: {
       list: { desc: 'List automation rules', run: (a, f) => require('./cli/automation').list(a, f) },
+      defaults: { desc: 'Ensure SecureNow default risk-score automation rules', usage: 'securenow automation defaults [--force-enable] [--yes]', run: (a, f) => require('./cli/automation').defaults(a, f) },
       show: { desc: 'Show automation rule details', usage: 'securenow automation show <rule-id>', run: (a, f) => require('./cli/automation').show(a, f) },
       create: { desc: 'Create automation rule', usage: 'securenow automation create --name "..." --conditions \'[...]\' --actions \'[...]\'', run: (a, f) => require('./cli/automation').create(a, f) },
       update: { desc: 'Update automation rule', usage: 'securenow automation update <rule-id> --body \'{...}\'', run: (a, f) => require('./cli/automation').update(a, f) },
@@ -292,13 +335,14 @@ const COMMANDS = {
   blocklist: {
     desc: 'Manage IP blocklist',
     usage: 'securenow blocklist <subcommand> [options]',
-    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', json: 'Output as JSON' },
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', json: 'Output as JSON' },
     sub: {
       list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
       add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
-      remove: { desc: 'Unblock an IP', usage: 'securenow blocklist remove <id>', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
-      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
-    },
+      unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
+    },
     defaultSub: 'list',
   },
   allowlist: {
@@ -553,7 +597,7 @@ function showHelp(commandName) {
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
     'Firewall': ['firewall'],
-    'Remediation': ['automation', 'blocklist', 'allowlist', 'trusted'],
+    'Remediation': ['automation', 'ratelimit', 'blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],

package/firewall.js

@@ -30,11 +30,16 @@ let _remoteEnabled = true;
 let _lastRemoteEnabled = null;
 
 // Allowlist state
-let _allowlistMatcher = null;
-let _allowlistRawIps = [];
-let _lastAllowlistModified = null;
-let _lastAllowlistVersion = null;
-let _lastAllowlistSyncEtag = null;
+let _allowlistMatcher = null;
+let _allowlistRawIps = [];
+let _lastAllowlistModified = null;
+let _lastAllowlistVersion = null;
+let _lastAllowlistSyncEtag = null;
+
+// Rate-limit policy state is synced in Phase 1 for forward compatibility.
+// Enforcement is intentionally added in the next SDK phase.
+let _rateLimitRules = [];
+let _lastRateLimitVersion = null;
 
 // Circuit breaker
 const CIRCUIT_OPEN_THRESHOLD = 5;
@@ -295,6 +300,7 @@ function doUnifiedSync(callback) {
   if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
   if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
+  if (_lastRateLimitVersion) headers['X-Rate-Limit-Version'] = _lastRateLimitVersion;
   if (_lastUnifiedEtag) headers['If-None-Match'] = _lastUnifiedEtag;
 
   httpGet(url, headers, 8000, (err, res, data) => {
@@ -364,13 +370,24 @@ function doUnifiedSync(callback) {
         }
       }
 
-      if (body.allowlistIps) {
-        _allowlistRawIps = body.allowlistIps;
-        _allowlistMatcher = createMatcher(body.allowlistIps);
-        alChanged = true;
-      }
-
-      callback(null, { blChanged, alChanged });
+      if (body.allowlistIps) {
+        _allowlistRawIps = body.allowlistIps;
+        _allowlistMatcher = createMatcher(body.allowlistIps);
+        alChanged = true;
+      }
+
+      if (body.rateLimits) {
+        const newVer = body.rateLimits.version;
+        if (newVer !== _lastRateLimitVersion) {
+          _lastRateLimitVersion = newVer;
+        }
+      }
+
+      if (Array.isArray(body.rateLimitRules)) {
+        _rateLimitRules = body.rateLimitRules;
+      }
+
+      callback(null, { blChanged, alChanged, rlChanged: Array.isArray(body.rateLimitRules) });
     } catch (e) {
       callback(new Error(`Failed to parse sync response: ${e.message}`));
     }
@@ -557,11 +574,14 @@ function pollOnce(callback) {
         const s = _matcher.stats();
         fwLog('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
-      if (result.alChanged && _options.log && _allowlistMatcher) {
-        const s = _allowlistMatcher.stats();
-        fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
-    }
+      if (result.alChanged && _options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        fwLog('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (result.rlChanged && _options.log) {
+        fwLog('[securenow] Firewall: re-synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+      }
+    }
     callback(null);
   };
 
@@ -639,12 +659,15 @@ function startSyncLoop() {
         const s = _matcher.stats();
         fwLog('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
-      if (_options.log && _allowlistMatcher) {
-        const s = _allowlistMatcher.stats();
-        if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
-      }
-    });
-  }
+      if (_options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        if (s.total > 0) fwLog('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (_options.log && _rateLimitRules.length > 0) {
+        fwLog('[securenow] Firewall: synced %d rate-limit rules (enforcement pending SDK phase 2)', _rateLimitRules.length);
+      }
+    });
+  }
 
   initialSync();
   scheduleNextPoll();
@@ -655,14 +678,17 @@ function startSyncLoop() {
     // Force a full re-fetch by clearing versions so unified endpoint returns full data
     const savedBlVer = _lastVersion;
     const savedAlVer = _lastAllowlistVersion;
+    const savedRlVer = _lastRateLimitVersion;
     const savedUnifiedEtag = _lastUnifiedEtag;
     _lastVersion = null;
     _lastAllowlistVersion = null;
+    _lastRateLimitVersion = null;
     _lastUnifiedEtag = null;
     pollOnce((err) => {
       if (err) {
         _lastVersion = savedBlVer;
         _lastAllowlistVersion = savedAlVer;
+        _lastRateLimitVersion = savedRlVer;
         _lastUnifiedEtag = savedUnifiedEtag;
       }
     });
@@ -912,9 +938,10 @@ function shutdown() {
 function getStats() {
   return {
     ..._stats,
-    matcher: _matcher ? _matcher.stats() : null,
-    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
-    initialized: _initialized,
+    matcher: _matcher ? _matcher.stats() : null,
+    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
+    rateLimitRules: _rateLimitRules.length,
+    initialized: _initialized,
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,
     unifiedSync: _useUnifiedSync,
@@ -927,8 +954,9 @@ function getStats() {
 // Layers (TCP / iptables / cloud) read the matcher to populate kernel-level
 // rules. When the remote toggle is off, return null so they treat the policy
 // as "no IPs to block" without us mutating the cached matcher.
-function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
-function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
-function isRemoteEnabled() { return _remoteEnabled !== false; }
-
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, isRemoteEnabled };
+function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
+function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function getRateLimitRules() { return _remoteEnabled === false ? [] : _rateLimitRules.slice(); }
+function isRemoteEnabled() { return _remoteEnabled !== false; }
+
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, getRateLimitRules, isRemoteEnabled };

package/mcp/catalog.js

@@ -676,6 +676,21 @@ const TOOLS = [
     endpoint: '/automation-rules',
     inputSchema: objectSchema({}),
   },
+  {
+    name: 'securenow_automation_defaults_ensure',
+    title: 'Ensure Default Automation Rules',
+    description: 'Create or refresh SecureNow default risk-score automation rules for the current account. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules/defaults/ensure',
+    bodyFields: ['forceEnableExisting'],
+    inputSchema: objectSchema({
+      forceEnableExisting: boolean('Re-enable existing SecureNow default rules if the customer disabled them. Defaults to false.'),
+      ...confirmSchema,
+    }, ['confirm', 'reason']),
+  },
   {
     name: 'securenow_automation_rule_get',
     title: 'Get Automation Rule',
@@ -1040,14 +1055,31 @@ const TOOLS = [
   },
   {
     name: 'securenow_blocklist_remove',
-    title: 'Remove Blocked IP',
-    description: 'Remove a blocklist entry. Write action; requires confirmation.',
+    title: 'Unblock IP (Compat Alias)',
+    description: 'Compatibility alias for unblocking a blocklist entry while retaining block report/history. Write action; requires confirmation.',
     scope: 'blocklist:write',
     readOnly: false,
     confirm: true,
-    method: 'DELETE',
-    endpoint: '/blocklist/:id',
+    method: 'POST',
+    endpoint: '/blocklist/:id/unblock',
     pathParams: ['id'],
+    bodyFields: ['reason'],
+    inputSchema: objectSchema({
+      id: string('Blocklist entry id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_blocklist_unblock',
+    title: 'Unblock IP And Keep History',
+    description: 'Unblock a blocklist entry so firewall enforcement stops, while retaining the block report, history, and unblock audit trail. Write action; requires confirmation.',
+    scope: 'blocklist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/blocklist/:id/unblock',
+    pathParams: ['id'],
+    bodyFields: ['reason'],
     inputSchema: objectSchema({
       id: string('Blocklist entry id.'),
       ...confirmSchema,
@@ -1428,16 +1460,16 @@ function promptMessages(name, args = {}) {
           type: 'text',
           text: [
             'Configure SecureNow default automation using the MCP tools.',
-            `Default environment scope: ${environment}.`,
-            'Use one canonical product score for automation decisions: riskScore. Treat SecureNow IPDB / AbuseIPDB score and AI confidence as supporting evidence, not the primary UI score.',
-            'Desired defaults:',
-            '- Auto-block High-Confidence AI Malicious IPs: aiDecision=pending_approval AND isMalicious=true AND riskScore>=90, TTL 168h.',
-            '- Auto-block High-Confidence XSS IPs: alertTag in xss AND riskScore>=80, TTL 24h.',
-            '- High-reputation IPDB automation may remain enabled only as an explicit reputation policy: abuseConfidenceScore>=80.',
-            'Start with securenow_automation_rules_list. Reuse/update existing rules where names/conditions match instead of creating duplicates.',
-            'Create new rules with status=disabled when possible, dry-run each changed or created rule with securenow_automation_rule_dry_run, then enable only after the sample matches look safe.',
+            `Review environment context: ${environment}. Built-in defaults apply to all apps and all environments unless the customer narrows them later.`,
+            'Use one canonical product score for automation decisions: riskScore. SecureNow IPDB / AbuseIPDB score and AI confidence remain supporting evidence.',
+            'Built-in defaults are active by default:',
+            '- Critical Risk Auto-Block: riskScore>=95, TTL 168h.',
+            '- High Risk Auto-Block: riskScore>=90 AND riskScore<95, TTL 72h.',
+            '- Elevated Risk Auto-Block: riskScore>=85 AND riskScore<90, TTL 24h.',
+            'Start with securenow_automation_defaults_ensure({ confirm:true, reason:"Provision SecureNow default risk-score automation" }) when writes are confirmed, otherwise start with securenow_automation_rules_list and report what would be ensured.',
+            'After ensuring defaults, dry-run each default rule with securenow_automation_rule_dry_run to inspect sample matches. Disable or tune only if evidence shows customer-specific false positives.',
             confirmWrites
-              ? 'The user requested execution. Create/update rules with confirm:true, production scope, clear names, and precise reasons. For new rules, prefer status=disabled, dry-run, then update status=active after review. Re-list rules after writes.'
+              ? 'The user requested execution. Ensure defaults with confirm:true, do not force-enable previously disabled defaults unless the user explicitly asked, and re-list rules after writes.'
               : 'Do not execute writes yet. Return exact MCP update/create calls and dry-run calls for approval.',
             'End with active rules, disabled rules that should stay disabled, and any risk from automation scope.',
           ].join('\n'),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.6",
+  "version": "7.7.8",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",