securenow 8.0.2 → 8.1.0

package/NPM_README.md

@@ -260,7 +260,15 @@ npx securenow notifications read-all
 ### Alerting
 
 ```bash
-# View alert rules, channels, and history
+# Create a custom detection rule from your own SQL (new in 8.1)
+npx securenow alerts rules create \
+  --name "Auth: magic-link brute force" \
+  --sql @rule.sql \
+  --apps <app-key> \
+  --severity high \
+  --nlp "single IP flooding /api/auth/signin or /api/auth/callback"
+
+# View / manage alert rules, channels, and history
 npx securenow alerts rules
 npx securenow alerts rules show <rule-id>
 npx securenow alerts rules update <rule-id> --applications-all
@@ -271,6 +279,8 @@ npx securenow alerts channels
 npx securenow alerts history --limit 20
 ```
 
+Your detection SQL scopes app keys with the `__USER_APP_KEYS__` placeholder and selects an `ip` column for per-IP aggregation and remediation. SecureNow stores the query, runs it on the rule's schedule (default every 15 min), and routes matches to your in-app channel (override with `--channel <id>`). Requires an API key with `alerts:write`.
+
 ### IP Intelligence & Blocklist
 
 ```bash

package/README.md

@@ -66,7 +66,7 @@ Runtime credentials look like:
 }
 ```
 
-The SDK reads the runtime file at boot, sends traces/logs through the SecureNow ingest gateway, routes by `app.key`, and authenticates with the runtime API key. When you rotate with `npx securenow api-key create`, the CLI defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into runtime credentials. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. Local credential files are auto-added to `.gitignore` so they never land in git.
+The SDK reads the runtime file at boot, sends traces/logs through the SecureNow ingest gateway, routes by `app.key`, and authenticates with the runtime API key. When you rotate with `npx securenow api-key create`, the CLI defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into runtime credentials. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does.
 
 ---
 
@@ -81,7 +81,7 @@ npx securenow login
 Then ask your coding agent to wire each app with this prompt:
 
 ```text
-I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json, gitignore only SecureNow credential files, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json for secret-file deployment, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
 ```
 
 For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
@@ -169,7 +169,7 @@ SecureNow does not export metrics by default. The preload sets `OTEL_METRICS_EXP
 
 ## Production Without Env Vars
 
-Production uses the same file structure. Do not commit `.securenow/`; instead deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
+Production uses the same file structure. Deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
 
 ```text
 <app-root>/.securenow/credentials.json

package/SKILL-API.md

@@ -70,7 +70,7 @@ npx securenow app connect        # pick/create app; runtime API key is minted au
 npx securenow api-key set snk_live_abc123...
 ```
 
-Both paths write the key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
+Both paths write the key to `.securenow/runtime.json` and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
 
 The automatically created key is scoped to the selected app only. Its
 `runtime_app` scopes are `traces:write`, `logs:write`, `firewall:read`,
@@ -224,7 +224,7 @@ On Vercel it uses `@vercel/otel`; self-hosted uses vanilla `@opentelemetry/sdk-n
 }
 ```
 
-Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled and gitignored. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
+Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled with runtime credentials and secure defaults. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
 
 #### Next.js Body Capture
 
@@ -595,7 +595,7 @@ npm install securenow@latest
 npx securenow login
 ```
 
-No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
+No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and secure SDK defaults.
 
 Update `package.json`:
 ```json
@@ -611,7 +611,7 @@ npm install securenow@latest
 npx securenow app connect        # pick/create app; runtime API key is minted automatically
 ```
 
-`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
+`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json`. Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
 
 ### Enable Firewall With Zero Tracing Overhead