securenow 8.0.3 → 8.2.0
- package/NPM_README.md +37 -1
- package/SKILL-CLI.md +237 -229
- package/cli/diagnostics.js +48 -1
- package/cli/security.js +467 -374
- package/cli.js +451 -418
- package/events.d.ts +29 -0
- package/events.js +160 -0
- package/package.json +7 -1
package/NPM_README.md
CHANGED
|
@@ -259,8 +259,42 @@ npx securenow notifications read-all
|
|
|
259
259
|
|
|
260
260
|
### Alerting
|
|
261
261
|
|
|
262
|
+
### Emit custom security events (new in 8.2)
|
|
263
|
+
|
|
264
|
+
```js
|
|
265
|
+
const { track } = require('securenow/events');
|
|
266
|
+
|
|
267
|
+
// Fire-and-forget — batched, async, never throws into your app.
|
|
268
|
+
track('auth.login.success', {
|
|
269
|
+
userId, // enduser.id (durable identity for correlation)
|
|
270
|
+
sessionId, // session.id
|
|
271
|
+
ip, // end-user IP (enriched to geo/ASN server-side)
|
|
272
|
+
attributes: { method: 'magic_link', new_device: true },
|
|
273
|
+
});
|
|
274
|
+
```
|
|
275
|
+
|
|
276
|
+
Events become queryable by alert rules immediately (`attributes_string['event.type']`, `['enduser.id']`, `['session.id']`, `['http.client_ip']`). Non-JS apps emit the same thing with a plain POST to `/v1/events`:
|
|
277
|
+
|
|
278
|
+
```
|
|
279
|
+
POST https://<your-ingest-host>/v1/events
|
|
280
|
+
Authorization: Bearer snk_live_...
|
|
281
|
+
X-SecureNow-App-Key: <app-uuid>
|
|
282
|
+
|
|
283
|
+
{ "events": [ { "type": "auth.login.success", "user_id": "u_1", "session_id": "s_1", "ip": "1.2.3.4" } ] }
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
CLI: `npx securenow event send auth.login.failure --user u_1 --ip 1.2.3.4 --attrs reason=bad_token`
|
|
287
|
+
|
|
262
288
|
```bash
|
|
263
|
-
#
|
|
289
|
+
# Create a custom detection rule from your own SQL (new in 8.1)
|
|
290
|
+
npx securenow alerts rules create \
|
|
291
|
+
--name "Auth: magic-link brute force" \
|
|
292
|
+
--sql @rule.sql \
|
|
293
|
+
--apps <app-key> \
|
|
294
|
+
--severity high \
|
|
295
|
+
--nlp "single IP flooding /api/auth/signin or /api/auth/callback"
|
|
296
|
+
|
|
297
|
+
# View / manage alert rules, channels, and history
|
|
264
298
|
npx securenow alerts rules
|
|
265
299
|
npx securenow alerts rules show <rule-id>
|
|
266
300
|
npx securenow alerts rules update <rule-id> --applications-all
|
|
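Review bot: In the new "Emit custom security events" section, the same fields are named three different ways: `userId`/`sessionId`/`ip` in the `track()` call, `user_id`/`session_id`/`ip` in the `/v1/events` body, and `enduser.id`/`session.id`/`http.client_ip` in the alert-rule attribute list. The JS comments give the mapping for the first two fields only, so a short mapping table would help, including how the SDK's `attributes` object and the CLI's `--attrs reason=bad_token` appear in the POST body and in `attributes_string`. The POST example also does not say which scope the `snk_live_...` key needs, and the "never throws into your app" comment leaves open whether events that fail to send are dropped silently, which matters for a type like `auth.login.failure`; one sentence on each would close the gap.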
@@ -271,6 +305,8 @@ npx securenow alerts channels
|
|
|
271
305
|
npx securenow alerts history --limit 20
|
|
272
306
|
```
|
|
273
307
|
|
|
308
|
+
Your detection SQL scopes app keys with the `__USER_APP_KEYS__` placeholder and selects an `ip` column for per-IP aggregation and remediation. SecureNow stores the query, runs it on the rule's schedule (default every 15 min), and routes matches to your in-app channel (override with `--channel <id>`). Requires an API key with `alerts:write`.
|
|
309
|
+
|
|
274
310
|
### IP Intelligence & Blocklist
|
|
275
311
|
|
|
276
312
|
```bash
|
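Review bot: The paragraph added before "IP Intelligence & Blocklist" says the `ip` column is used for "per-IP aggregation and remediation" but does not say what remediation a match triggers. Please state whether a matching rule only notifies the channel or also acts on the selected IP, since the README invites user-written SQL to feed it. It would also help to say whether `__USER_APP_KEYS__` is required and how it relates to `--apps <app-key>` in the create command, and to show a minimal `rule.sql`, because the create example passes `--sql @rule.sql` while no query appears in the lines shown.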