npm - securenow - Versions diffs - 8.0.3 → 8.2.0 - Mend

securenow 8.0.3 → 8.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/cli.js CHANGED Viewed

@@ -1,44 +1,44 @@
 #!/usr/bin/env node
-'use strict';
-const ui = require('./cli/ui');
-// ── Argument Parser ──
-function parseArgs(argv) {
-  const positional = [];
-  const flags = {};
-  for (let i = 0; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg.startsWith('--')) {
-      const eqIdx = arg.indexOf('=');
-      if (eqIdx !== -1) {
-        flags[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);
-      } else {
-        const next = argv[i + 1];
-        if (next && !next.startsWith('-')) {
-          flags[arg.slice(2)] = next;
-          i++;
-        } else {
-          flags[arg.slice(2)] = true;
-        }
-      }
-    } else if (arg.startsWith('-') && arg.length === 2) {
-      const shortMap = { f: 'force', y: 'yes', v: 'verbose', j: 'json' };
-      const long = shortMap[arg[1]] || arg[1];
-      flags[long] = true;
-    } else {
-      positional.push(arg);
-    }
-  }
-  return { positional, flags };
-}
-// ── Command Registry ──
-const COMMANDS = {
+'use strict';
+const ui = require('./cli/ui');
+// ── Argument Parser ──
+function parseArgs(argv) {
+  const positional = [];
+  const flags = {};
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith('--')) {
+      const eqIdx = arg.indexOf('=');
+      if (eqIdx !== -1) {
+        flags[arg.slice(2, eqIdx)] = arg.slice(eqIdx + 1);
+      } else {
+        const next = argv[i + 1];
+        if (next && !next.startsWith('-')) {
+          flags[arg.slice(2)] = next;
+          i++;
+        } else {
+          flags[arg.slice(2)] = true;
+        }
+      }
+    } else if (arg.startsWith('-') && arg.length === 2) {
+      const shortMap = { f: 'force', y: 'yes', v: 'verbose', j: 'json' };
+      const long = shortMap[arg[1]] || arg[1];
+      flags[long] = true;
+    } else {
+      positional.push(arg);
+    }
+  }
+  return { positional, flags };
+}
+// ── Command Registry ──
+const COMMANDS = {
   init: {
     desc: 'Set up SecureNow in the current project (instrumentation + runtime credentials)',
     usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
@@ -46,21 +46,21 @@ const COMMANDS = {
       env: 'Deployment environment to write into .securenow/runtime.json (default: local)',
       environment: 'Alias for --env',
       key: 'Firewall API key to write to .securenow/runtime.json',
-      'api-key': 'Alias for --key',
-      typescript: 'Force TypeScript',
-      javascript: 'Force JavaScript',
-      src: 'Create in src/',
-      root: 'Create in root',
-      force: 'Overwrite existing',
-    },
-    run: (a, f) => require('./cli/init').init(a, f),
-  },
+      'api-key': 'Alias for --key',
+      typescript: 'Force TypeScript',
+      javascript: 'Force JavaScript',
+      src: 'Create in src/',
+      root: 'Create in root',
+      force: 'Overwrite existing',
+    },
+    run: (a, f) => require('./cli/init').init(a, f),
+  },
   login: {
     desc: 'Onboard SecureNow admin auth and app runtime config',
     usage: 'securenow login [--token <TOKEN>] [--global]',
-    flags: {
-      token: 'Authenticate with a token directly',
-      global: 'Save credentials to ~/.securenow/ (shared across all projects)',
+    flags: {
+      token: 'Authenticate with a token directly',
+      global: 'Save credentials to ~/.securenow/ (shared across all projects)',
     },
     run: (a, f) => require('./cli/auth').login(a, f),
   },
@@ -107,8 +107,8 @@ const COMMANDS = {
   },
   whoami: {
     desc: 'Show admin auth and SDK runtime status',
-    usage: 'securenow whoami',
-    run: () => require('./cli/auth').whoami(),
+    usage: 'securenow whoami',
+    run: () => require('./cli/auth').whoami(),
   },
   'api-key': {
     desc: 'Manage the runtime API key stored in runtime credentials',
@@ -128,21 +128,21 @@ const COMMANDS = {
       set: {
         desc: 'Save an API key (snk_live_...) to runtime credentials',
         usage: 'securenow api-key set <snk_live_...> [--global]',
-        flags: { global: 'Save to ~/.securenow/ instead of project-local' },
-        run: (a, f) => require('./cli/apiKey').set(a, f),
-      },
-      clear: {
-        desc: 'Remove the stored API key',
-        usage: 'securenow api-key clear [--global]',
-        flags: { global: 'Clear from ~/.securenow/ instead of project-local' },
-        run: (a, f) => require('./cli/apiKey').clear(a, f),
-      },
-      show: {
-        desc: 'Print the masked API key currently in use',
-        usage: 'securenow api-key show',
-        run: () => require('./cli/apiKey').show(),
-      },
-    },
+        flags: { global: 'Save to ~/.securenow/ instead of project-local' },
+        run: (a, f) => require('./cli/apiKey').set(a, f),
+      },
+      clear: {
+        desc: 'Remove the stored API key',
+        usage: 'securenow api-key clear [--global]',
+        flags: { global: 'Clear from ~/.securenow/ instead of project-local' },
+        run: (a, f) => require('./cli/apiKey').clear(a, f),
+      },
+      show: {
+        desc: 'Print the masked API key currently in use',
+        usage: 'securenow api-key show',
+        run: () => require('./cli/apiKey').show(),
+      },
+    },
     defaultSub: 'show',
   },
   credentials: {
@@ -164,47 +164,47 @@ const COMMANDS = {
     },
     defaultSub: 'runtime',
   },
-  apps: {
-    desc: 'Manage applications',
-    usage: 'securenow apps <subcommand> [options]',
-    sub: {
-      list: { desc: 'List all applications', run: (a, f) => require('./cli/apps').list(a, f) },
-      create: { desc: 'Create a new application (interactive instance picker)', usage: 'securenow apps create <name> [--hosts host1,host2] [--instance <id>]', run: (a, f) => require('./cli/apps').create(a, f) },
-      info: { desc: 'Show application details', usage: 'securenow apps info <id>', run: (a, f) => require('./cli/apps').info(a, f) },
-      delete: { desc: 'Delete an application', usage: 'securenow apps delete <id> [--force]', run: (a, f) => require('./cli/apps').remove(a, f) },
-      default: { desc: 'Set default application', usage: 'securenow apps default <key>', run: (a, f) => require('./cli/apps').setDefault(a, f) },
-      discover: { desc: 'Discover subdomains and add as apps', usage: 'securenow apps discover [appId] [--domain example.com]', run: (a, f) => require('./cli/apps').discover(a, f) },
-      scan: { desc: 'Scan all app domains for new subdomains', usage: 'securenow apps scan [--yes]', run: (a, f) => require('./cli/apps').scan(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  traces: {
-    desc: 'View and analyze traces',
-    usage: 'securenow traces <subcommand> [options]',
-    sub: {
+  apps: {
+    desc: 'Manage applications',
+    usage: 'securenow apps <subcommand> [options]',
+    sub: {
+      list: { desc: 'List all applications', run: (a, f) => require('./cli/apps').list(a, f) },
+      create: { desc: 'Create a new application (interactive instance picker)', usage: 'securenow apps create <name> [--hosts host1,host2] [--instance <id>]', run: (a, f) => require('./cli/apps').create(a, f) },
+      info: { desc: 'Show application details', usage: 'securenow apps info <id>', run: (a, f) => require('./cli/apps').info(a, f) },
+      delete: { desc: 'Delete an application', usage: 'securenow apps delete <id> [--force]', run: (a, f) => require('./cli/apps').remove(a, f) },
+      default: { desc: 'Set default application', usage: 'securenow apps default <key>', run: (a, f) => require('./cli/apps').setDefault(a, f) },
+      discover: { desc: 'Discover subdomains and add as apps', usage: 'securenow apps discover [appId] [--domain example.com]', run: (a, f) => require('./cli/apps').discover(a, f) },
+      scan: { desc: 'Scan all app domains for new subdomains', usage: 'securenow apps scan [--yes]', run: (a, f) => require('./cli/apps').scan(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  traces: {
+    desc: 'View and analyze traces',
+    usage: 'securenow traces <subcommand> [options]',
+    sub: {
       list: { desc: 'List recent traces', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
       show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
       analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  logs: {
-    desc: 'View application logs',
-    usage: 'securenow logs [options]',
-    sub: {
+    },
+    defaultSub: 'list',
+  },
+  logs: {
+    desc: 'View application logs',
+    usage: 'securenow logs [options]',
+    sub: {
       list: { desc: 'List recent logs', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
       trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
-    },
-    defaultSub: 'list',
-  },
+    },
+    defaultSub: 'list',
+  },
   notifications: {
     desc: 'Manage notifications',
     usage: 'securenow notifications <subcommand> [options]',
-    sub: {
-      list: { desc: 'List notifications', flags: { limit: 'Max results', page: 'Page number' }, run: (a, f) => require('./cli/monitor').notificationsList(a, f) },
-      read: { desc: 'Mark notification as read', usage: 'securenow notifications read <id>', run: (a, f) => require('./cli/monitor').notificationsRead(a, f) },
-      'read-all': { desc: 'Mark all as read', run: () => require('./cli/monitor').notificationsReadAll() },
-      unread: { desc: 'Show unread count', run: () => require('./cli/monitor').notificationsUnread() },
+    sub: {
+      list: { desc: 'List notifications', flags: { limit: 'Max results', page: 'Page number' }, run: (a, f) => require('./cli/monitor').notificationsList(a, f) },
+      read: { desc: 'Mark notification as read', usage: 'securenow notifications read <id>', run: (a, f) => require('./cli/monitor').notificationsRead(a, f) },
+      'read-all': { desc: 'Mark all as read', run: () => require('./cli/monitor').notificationsReadAll() },
+      unread: { desc: 'Show unread count', run: () => require('./cli/monitor').notificationsUnread() },
     },
     defaultSub: 'list',
   },
@@ -253,20 +253,32 @@ const COMMANDS = {
   alerts: {
     desc: 'Manage alerting',
     usage: 'securenow alerts <subcommand> [options]',
-    sub: {
+    sub: {
       rules: {
-        desc: 'List, show, update, test, or tune alert rules',
+        desc: 'Create, list, show, update, test, or tune alert rules',
         flags: {
           json: 'Output as JSON',
-          'applications-all': 'With update: scope rule to all apps',
+          name: 'With create: rule name',
+          description: 'With create: rule description',
+          nlp: 'With create: plain-English intent stored on the query',
+          text: 'Alias for --nlp',
+          category: 'With create: query category (default: custom)',
+          severity: 'With create: critical | high | medium | low',
+          schedule: 'With create: cron expression (default */15 * * * *)',
+          'throttle-minutes': 'With create: notification throttle window in minutes',
+          'no-throttle': 'With create: disable throttling',
+          'execution-mode': 'With create: scheduled | instant | hybrid',
+          channel: 'With create: comma-separated alert channel ids (default: in-app)',
+          'query-mapping-id': 'With create: reuse an existing saved query instead of --sql',
+          'applications-all': 'With create/update: scope rule to all apps',
           'no-applications-all': 'With update: scope to explicit --apps list',
-          apps: 'Comma-separated app keys (with update)',
+          apps: 'Comma-separated app keys (with create/update)',
           app: 'Application key for rule tests',
           mode: 'Rule test mode: dry_run or live',
           wait: 'Wait for rule test completion',
-          sql: 'Candidate/replacement SQL, @file, or - for stdin',
+          sql: 'Detection/candidate/replacement SQL, @file, or - for stdin',
           query: 'Alias for --sql',
-          file: 'Read candidate/replacement SQL from a file',
+          file: 'Read SQL from a file',
           reason: 'Audit reason for a write',
           'apply-globally': 'Required for system query tuning',
           'reactivate-paused': 'Reactivate paused system copies after tuning',
@@ -278,35 +290,35 @@ const COMMANDS = {
         },
         run: (a, f) => require('./cli/security').alertRulesRoute(a, f),
       },
-      channels: { desc: 'List alert channels', run: (a, f) => require('./cli/security').alertChannelsList(a, f) },
-      history: { desc: 'View alert history', flags: { limit: 'Max results' }, run: (a, f) => require('./cli/security').alertHistoryList(a, f) },
-    },
-    defaultSub: 'rules',
-  },
-  fp: {
-    desc: 'Manage false-positive exclusion rules',
-    usage: 'securenow fp <subcommand> [options]',
-    flags: { json: 'Output as JSON', conditions: 'JSON array of conditions', 'match-mode': 'Match mode: all (AND) or any (OR)', 'rule-scope': 'Scope: this_rule | specific_rules | all_existing | any_rule', 'target-rules': 'Comma-separated rule IDs (when --rule-scope specific_rules)', 'path-safe': 'Add path_safe_values condition (standard|strict)', 'query-safe': 'Add query_safe_values condition (standard|strict)', 'query-keys': 'Allowed query param names (comma-separated)', 'ua-safe': 'Add ua_safe_values condition (standard|strict)', 'headers-safe': 'Add headers_safe_values condition (standard|strict)', 'headers-keys': 'Allowed header names (comma-separated)' },
-    sub: {
-      list: { desc: 'List all exclusion rules', run: (a, f) => require('./cli/fp').list(a, f) },
-      show: { desc: 'Show exclusion rule details', usage: 'securenow fp show <id>', run: (a, f) => require('./cli/fp').show(a, f) },
-      create: { desc: 'Create an exclusion rule', usage: 'securenow fp create [--conditions \'[...]\'] [--path /api/event] [--method POST] [--path-safe standard] [--ua-safe standard] [--headers-safe standard] [--query-keys page,limit] [--headers-keys host,content-type] [--reason "..."] [--rule-scope any_rule|specific_rules|all_existing] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').create(a, f) },
-      edit: { desc: 'Edit an exclusion rule', usage: 'securenow fp edit <id> [--active true/false] [--conditions \'[...]\']', run: (a, f) => require('./cli/fp').edit(a, f) },
-      delete: { desc: 'Delete an exclusion rule', usage: 'securenow fp delete <id> [--yes]', run: (a, f) => require('./cli/fp').remove(a, f) },
-      'test-body': { desc: 'Test a request body against conditions', usage: 'securenow fp test-body <body|@file> --conditions \'[...]\'', run: (a, f) => require('./cli/fp').testBody(a, f) },
-      'dry-run': { desc: 'Dry-run conditions against live traces (last 3 days)', usage: 'securenow fp dry-run --conditions \'[...]\'', run: (a, f) => require('./cli/fp').dryRun(a, f) },
-      'ai-fill': { desc: 'AI-generate exclusion conditions', usage: 'securenow fp ai-fill [--description "..."] [--context \'{"method":"POST",...}\']', run: (a, f) => require('./cli/fp').aiFill(a, f) },
-      mark: { desc: 'Mark an IP as false positive on a notification', usage: 'securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').mark(a, f) },
-    },
-    defaultSub: 'list',
-  },
+      channels: { desc: 'List alert channels', run: (a, f) => require('./cli/security').alertChannelsList(a, f) },
+      history: { desc: 'View alert history', flags: { limit: 'Max results' }, run: (a, f) => require('./cli/security').alertHistoryList(a, f) },
+    },
+    defaultSub: 'rules',
+  },
+  fp: {
+    desc: 'Manage false-positive exclusion rules',
+    usage: 'securenow fp <subcommand> [options]',
+    flags: { json: 'Output as JSON', conditions: 'JSON array of conditions', 'match-mode': 'Match mode: all (AND) or any (OR)', 'rule-scope': 'Scope: this_rule | specific_rules | all_existing | any_rule', 'target-rules': 'Comma-separated rule IDs (when --rule-scope specific_rules)', 'path-safe': 'Add path_safe_values condition (standard|strict)', 'query-safe': 'Add query_safe_values condition (standard|strict)', 'query-keys': 'Allowed query param names (comma-separated)', 'ua-safe': 'Add ua_safe_values condition (standard|strict)', 'headers-safe': 'Add headers_safe_values condition (standard|strict)', 'headers-keys': 'Allowed header names (comma-separated)' },
+    sub: {
+      list: { desc: 'List all exclusion rules', run: (a, f) => require('./cli/fp').list(a, f) },
+      show: { desc: 'Show exclusion rule details', usage: 'securenow fp show <id>', run: (a, f) => require('./cli/fp').show(a, f) },
+      create: { desc: 'Create an exclusion rule', usage: 'securenow fp create [--conditions \'[...]\'] [--path /api/event] [--method POST] [--path-safe standard] [--ua-safe standard] [--headers-safe standard] [--query-keys page,limit] [--headers-keys host,content-type] [--reason "..."] [--rule-scope any_rule|specific_rules|all_existing] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').create(a, f) },
+      edit: { desc: 'Edit an exclusion rule', usage: 'securenow fp edit <id> [--active true/false] [--conditions \'[...]\']', run: (a, f) => require('./cli/fp').edit(a, f) },
+      delete: { desc: 'Delete an exclusion rule', usage: 'securenow fp delete <id> [--yes]', run: (a, f) => require('./cli/fp').remove(a, f) },
+      'test-body': { desc: 'Test a request body against conditions', usage: 'securenow fp test-body <body|@file> --conditions \'[...]\'', run: (a, f) => require('./cli/fp').testBody(a, f) },
+      'dry-run': { desc: 'Dry-run conditions against live traces (last 3 days)', usage: 'securenow fp dry-run --conditions \'[...]\'', run: (a, f) => require('./cli/fp').dryRun(a, f) },
+      'ai-fill': { desc: 'AI-generate exclusion conditions', usage: 'securenow fp ai-fill [--description "..."] [--context \'{"method":"POST",...}\']', run: (a, f) => require('./cli/fp').aiFill(a, f) },
+      mark: { desc: 'Mark an IP as false positive on a notification', usage: 'securenow fp mark <notification-id> <ip> [--conditions \'[...]\'] [--reason "..."] [--rule-scope this_rule|specific_rules|all_existing|any_rule] [--target-rules id1,id2]', run: (a, f) => require('./cli/fp').mark(a, f) },
+    },
+    defaultSub: 'list',
+  },
   firewall: {
     desc: 'Firewall status, per-app toggle, and IP testing',
     usage: 'securenow firewall <subcommand> [options]',
     flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
-    sub: {
+    sub: {
       status: { desc: 'Show firewall status, layers, and blocklist info', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').status(a, f) },
-      apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
+      apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
       'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--path /admin/users] [--method GET] [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
@@ -423,8 +435,8 @@ const COMMANDS = {
       remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
     },
-    defaultSub: 'list',
-  },
+    defaultSub: 'list',
+  },
   allowlist: {
     desc: 'Manage IP allowlist (only allow listed IPs)',
     usage: 'securenow allowlist <subcommand> [options]',
@@ -432,11 +444,11 @@ const COMMANDS = {
     sub: {
       list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
       add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--app <key>] [--env local] [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
-      remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
-      stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
-    },
-    defaultSub: 'list',
-  },
+      remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
+      stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
+    },
+    defaultSub: 'list',
+  },
   trusted: {
     desc: 'Manage trusted IPs',
     usage: 'securenow trusted <subcommand> [options]',
@@ -444,43 +456,43 @@ const COMMANDS = {
     sub: {
       list: { desc: 'List trusted IPs', run: (a, f) => require('./cli/security').trustedList(a, f) },
       add: { desc: 'Add trusted IP', usage: 'securenow trusted add <ip> [--app <key>] [--env local] [--label <label>]', run: (a, f) => require('./cli/security').trustedAdd(a, f) },
-      remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  ip: {
-    desc: 'IP intelligence lookup',
-    usage: 'securenow ip <ip-address>',
-    sub: {
-      lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
+      remove: { desc: 'Remove trusted IP', usage: 'securenow trusted remove <id>', run: (a, f) => require('./cli/security').trustedRemove(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  ip: {
+    desc: 'IP intelligence lookup',
+    usage: 'securenow ip <ip-address>',
+    sub: {
+      lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
       traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip> [--env production]', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').ipTraces(a, f) },
-    },
-    defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
-  },
-  forensics: {
-    desc: 'Run forensic queries (natural language → SQL)',
-    usage: 'securenow forensics <query> [--app <key>]',
-    sub: {
+    },
+    defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
+  },
+  forensics: {
+    desc: 'Run forensic queries (natural language → SQL)',
+    usage: 'securenow forensics <query> [--app <key>]',
+    sub: {
       query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
       chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key> [--env production]', flags: { app: 'App key to chat with', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
-      library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
-    },
-    defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
-  },
-  instances: {
-    desc: 'Manage ClickHouse instances',
-    usage: 'securenow instances <subcommand> [options]',
-    sub: {
-      list: { desc: 'List instances', run: (a, f) => require('./cli/security').instancesList(a, f) },
-      test: { desc: 'Test instance connection', usage: 'securenow instances test <id>', run: (a, f) => require('./cli/security').instancesTest(a, f) },
-    },
-    defaultSub: 'list',
-  },
-  analytics: {
-    desc: 'View response analytics',
-    usage: 'securenow analytics [--app <key>]',
-    run: (a, f) => require('./cli/security').analytics(a, f),
-  },
+      library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
+    },
+    defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
+  },
+  instances: {
+    desc: 'Manage ClickHouse instances',
+    usage: 'securenow instances <subcommand> [options]',
+    sub: {
+      list: { desc: 'List instances', run: (a, f) => require('./cli/security').instancesList(a, f) },
+      test: { desc: 'Test instance connection', usage: 'securenow instances test <id>', run: (a, f) => require('./cli/security').instancesTest(a, f) },
+    },
+    defaultSub: 'list',
+  },
+  analytics: {
+    desc: 'View response analytics',
+    usage: 'securenow analytics [--app <key>]',
+    run: (a, f) => require('./cli/security').analytics(a, f),
+  },
   status: {
     desc: 'Dashboard overview',
     usage: 'securenow status [--app <key>] [--env local|production|all]',
@@ -491,89 +503,89 @@ const COMMANDS = {
     },
     run: (a, f) => require('./cli/monitor').status(a, f),
   },
-  config: {
-    desc: 'Manage CLI configuration',
-    usage: 'securenow config <set|get> [key] [value]',
-    sub: {
-      set: {
-        desc: 'Set a config value',
-        usage: 'securenow config set <key> <value>',
-        run: (a) => {
-          const conf = require('./cli/config');
-          const [key, ...rest] = a;
-          const value = rest.join(' ');
-          if (!key || !value) { ui.error('Usage: securenow config set <key> <value>'); process.exit(1); }
-          conf.setConfigValue(key, value);
-          ui.success(`${key} = ${value}`);
-        },
-      },
-      get: {
-        desc: 'Get a config value',
-        usage: 'securenow config get [key]',
-        run: (a) => {
-          const conf = require('./cli/config');
-          const key = a[0];
-          if (key) {
-            const val = conf.getConfigValue(key);
-            console.log(val != null ? val : ui.c.dim('(not set)'));
-          } else {
-            const all = conf.loadConfig();
-            console.log('');
-            ui.keyValue(Object.entries(all).map(([k, v]) => [k, v != null ? String(v) : ui.c.dim('(not set)')]));
-            console.log('');
-          }
-        },
-      },
-      path: {
-        desc: 'Show config file path',
-        run: () => {
-          const conf = require('./cli/config');
-          console.log(`Config:         ${conf.CONFIG_FILE}`);
-          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
-          if (conf.hasLocalCredentials()) {
-            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
-          }
-          console.log(`Auth source:    ${conf.getAuthSource()}`);
-        },
-      },
-    },
-  },
-  run: {
-    desc: 'Run a Node.js app with automatic OTel instrumentation',
-    usage: 'securenow run [node-flags] [--firewall-only] <script> [app-args]',
-    flags: {
-      watch: 'Enable Node.js watch mode',
-      inspect: 'Enable Node.js inspector',
-      'firewall-only': 'Preload firewall without OTel tracing overhead',
-    },
-    rawArgv: true,
-    run: (rawArgs) => require('./cli/run').run(rawArgs),
-  },
-  redact: {
-    desc: 'Redact sensitive fields from a JSON payload',
-    usage: "securenow redact '<json>' [--fields f1,f2] [--json]",
-    flags: { fields: 'Comma-separated extra field names to redact (added to defaults)' },
-    run: (a, f) => require('./cli/utils').redact(a, f),
-  },
-  cidr: {
-    desc: 'CIDR utilities (match and parse)',
-    usage: 'securenow cidr <match|parse> ...',
-    sub: {
-      match: {
-        desc: 'Check if an IP matches a CIDR list',
-        usage: 'securenow cidr match <ip> <cidr1,cidr2,...>',
-        run: (a, f) => require('./cli/utils').cidrMatch(a, f),
-      },
-      parse: {
-        desc: 'Parse a CIDR and show network/broadcast/size',
-        usage: 'securenow cidr parse <cidr>',
-        run: (a, f) => require('./cli/utils').cidrParse(a, f),
-      },
-    },
-  },
-  log: {
-    desc: 'Emit logs via OTLP (for scripts, cron, debugging)',
-    usage: 'securenow log send <message> [--level info|warn|error] [--attrs k=v,k=v]',
+  config: {
+    desc: 'Manage CLI configuration',
+    usage: 'securenow config <set|get> [key] [value]',
+    sub: {
+      set: {
+        desc: 'Set a config value',
+        usage: 'securenow config set <key> <value>',
+        run: (a) => {
+          const conf = require('./cli/config');
+          const [key, ...rest] = a;
+          const value = rest.join(' ');
+          if (!key || !value) { ui.error('Usage: securenow config set <key> <value>'); process.exit(1); }
+          conf.setConfigValue(key, value);
+          ui.success(`${key} = ${value}`);
+        },
+      },
+      get: {
+        desc: 'Get a config value',
+        usage: 'securenow config get [key]',
+        run: (a) => {
+          const conf = require('./cli/config');
+          const key = a[0];
+          if (key) {
+            const val = conf.getConfigValue(key);
+            console.log(val != null ? val : ui.c.dim('(not set)'));
+          } else {
+            const all = conf.loadConfig();
+            console.log('');
+            ui.keyValue(Object.entries(all).map(([k, v]) => [k, v != null ? String(v) : ui.c.dim('(not set)')]));
+            console.log('');
+          }
+        },
+      },
+      path: {
+        desc: 'Show config file path',
+        run: () => {
+          const conf = require('./cli/config');
+          console.log(`Config:         ${conf.CONFIG_FILE}`);
+          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
+          if (conf.hasLocalCredentials()) {
+            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
+          }
+          console.log(`Auth source:    ${conf.getAuthSource()}`);
+        },
+      },
+    },
+  },
+  run: {
+    desc: 'Run a Node.js app with automatic OTel instrumentation',
+    usage: 'securenow run [node-flags] [--firewall-only] <script> [app-args]',
+    flags: {
+      watch: 'Enable Node.js watch mode',
+      inspect: 'Enable Node.js inspector',
+      'firewall-only': 'Preload firewall without OTel tracing overhead',
+    },
+    rawArgv: true,
+    run: (rawArgs) => require('./cli/run').run(rawArgs),
+  },
+  redact: {
+    desc: 'Redact sensitive fields from a JSON payload',
+    usage: "securenow redact '<json>' [--fields f1,f2] [--json]",
+    flags: { fields: 'Comma-separated extra field names to redact (added to defaults)' },
+    run: (a, f) => require('./cli/utils').redact(a, f),
+  },
+  cidr: {
+    desc: 'CIDR utilities (match and parse)',
+    usage: 'securenow cidr <match|parse> ...',
+    sub: {
+      match: {
+        desc: 'Check if an IP matches a CIDR list',
+        usage: 'securenow cidr match <ip> <cidr1,cidr2,...>',
+        run: (a, f) => require('./cli/utils').cidrMatch(a, f),
+      },
+      parse: {
+        desc: 'Parse a CIDR and show network/broadcast/size',
+        usage: 'securenow cidr parse <cidr>',
+        run: (a, f) => require('./cli/utils').cidrParse(a, f),
+      },
+    },
+  },
+  log: {
+    desc: 'Emit logs via OTLP (for scripts, cron, debugging)',
+    usage: 'securenow log send <message> [--level info|warn|error] [--attrs k=v,k=v]',
     sub: {
       send: {
         desc: 'Send a single log record to the OTLP collector',
@@ -583,11 +595,32 @@ const COMMANDS = {
           level: 'Severity (trace|debug|info|warn|error|fatal)',
           attrs: 'Comma-separated key=value attributes',
         },
-        run: (a, f) => require('./cli/diagnostics').logSend(a, f),
-      },
-    },
-    defaultSub: 'send',
-  },
+        run: (a, f) => require('./cli/diagnostics').logSend(a, f),
+      },
+    },
+    defaultSub: 'send',
+  },
+  event: {
+    desc: 'Emit a custom security event to SecureNow (for scripts, testing, non-JS apps)',
+    usage: 'securenow event send <type> [--user <id>] [--session <id>] [--ip <ip>] [--attrs k=v,k=v]',
+    sub: {
+      send: {
+        desc: 'Send a single custom event to the /v1/events ingest',
+        flags: {
+          env: 'Deployment environment for this event (defaults to credentials file)',
+          environment: 'Alias for --env',
+          user: 'End-user / account id (enduser.id)',
+          session: 'Session id (session.id)',
+          ip: 'End-user client IP',
+          'user-agent': 'End-user agent string',
+          level: 'Severity (trace|debug|info|warn|error|fatal)',
+          attrs: 'Comma-separated key=value attributes',
+        },
+        run: (a, f) => require('./cli/diagnostics').eventSend(a, f),
+      },
+    },
+    defaultSub: 'send',
+  },
   'test-span': {
     desc: 'Emit a test span to verify collector connectivity',
     usage: 'securenow test-span [<span-name>] [--env local|production]',
@@ -597,11 +630,11 @@ const COMMANDS = {
     },
     run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
   },
-  doctor: {
-    desc: 'Diagnose SecureNow configuration and collector connectivity',
-    usage: 'securenow doctor [--json]',
-    run: (a, f) => require('./cli/diagnostics').doctor(a, f),
-  },
+  doctor: {
+    desc: 'Diagnose SecureNow configuration and collector connectivity',
+    usage: 'securenow doctor [--json]',
+    run: (a, f) => require('./cli/diagnostics').doctor(a, f),
+  },
   env: {
     desc: 'Show resolved SecureNow configuration (service name, endpoints, credentials)',
     usage: 'securenow env [--json]',
@@ -615,163 +648,163 @@ const COMMANDS = {
   version: {
     desc: 'Show CLI version',
     run: () => {
-      try {
-        const pkg = require('./package.json');
-        console.log(`securenow v${pkg.version}`);
-      } catch {
-        console.log('securenow (version unknown)');
-      }
-    },
-  },
-};
-// ── Help System ──
-function showBanner() {
-  console.log('');
-  console.log(`  ${ui.c.bold(ui.c.cyan('SecureNow CLI'))} ${ui.c.dim('— Security observability from the terminal')}`);
-  console.log('');
-}
-function showHelp(commandName) {
-  if (commandName && COMMANDS[commandName]) {
-    const cmd = COMMANDS[commandName];
-    showBanner();
-    console.log(`  ${ui.c.bold(commandName)} — ${cmd.desc}`);
-    console.log('');
-    if (cmd.usage) {
-      console.log(`  ${ui.c.bold('USAGE')}`);
-      console.log(`    ${cmd.usage}`);
-      console.log('');
-    }
-    if (cmd.sub) {
-      console.log(`  ${ui.c.bold('SUBCOMMANDS')}`);
-      const entries = Object.entries(cmd.sub);
-      const maxLen = entries.reduce((m, [k]) => Math.max(m, k.length), 0);
-      for (const [name, sub] of entries) {
-        console.log(`    ${ui.c.cyan(name.padEnd(maxLen + 2))} ${sub.desc}`);
-      }
-      console.log('');
-    }
-    if (cmd.flags) {
-      console.log(`  ${ui.c.bold('FLAGS')}`);
-      for (const [flag, desc] of Object.entries(cmd.flags)) {
-        console.log(`    --${ui.c.cyan(flag.padEnd(16))} ${desc}`);
-      }
-      console.log('');
-    }
-    console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
-    console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
-    console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help`);
-    console.log('');
-    return;
-  }
-  showBanner();
-  const groups = {
-    'Run': ['run'],
+      try {
+        const pkg = require('./package.json');
+        console.log(`securenow v${pkg.version}`);
+      } catch {
+        console.log('securenow (version unknown)');
+      }
+    },
+  },
+};
+// ── Help System ──
+function showBanner() {
+  console.log('');
+  console.log(`  ${ui.c.bold(ui.c.cyan('SecureNow CLI'))} ${ui.c.dim('— Security observability from the terminal')}`);
+  console.log('');
+}
+function showHelp(commandName) {
+  if (commandName && COMMANDS[commandName]) {
+    const cmd = COMMANDS[commandName];
+    showBanner();
+    console.log(`  ${ui.c.bold(commandName)} — ${cmd.desc}`);
+    console.log('');
+    if (cmd.usage) {
+      console.log(`  ${ui.c.bold('USAGE')}`);
+      console.log(`    ${cmd.usage}`);
+      console.log('');
+    }
+    if (cmd.sub) {
+      console.log(`  ${ui.c.bold('SUBCOMMANDS')}`);
+      const entries = Object.entries(cmd.sub);
+      const maxLen = entries.reduce((m, [k]) => Math.max(m, k.length), 0);
+      for (const [name, sub] of entries) {
+        console.log(`    ${ui.c.cyan(name.padEnd(maxLen + 2))} ${sub.desc}`);
+      }
+      console.log('');
+    }
+    if (cmd.flags) {
+      console.log(`  ${ui.c.bold('FLAGS')}`);
+      for (const [flag, desc] of Object.entries(cmd.flags)) {
+        console.log(`    --${ui.c.cyan(flag.padEnd(16))} ${desc}`);
+      }
+      console.log('');
+    }
+    console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
+    console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
+    console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help`);
+    console.log('');
+    return;
+  }
+  showBanner();
+  const groups = {
+    'Run': ['run'],
     'Authentication': ['login', 'logout', 'whoami', 'credentials'],
-    'Applications': ['apps', 'init', 'status'],
-    'Observe': ['traces', 'logs', 'analytics'],
+    'Applications': ['apps', 'init', 'status'],
+    'Observe': ['traces', 'logs', 'analytics'],
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
-    'Investigate': ['ip', 'forensics'],
+    'Investigate': ['ip', 'forensics'],
     'Firewall': ['firewall'],
     'Remediation': ['automation', 'ratelimit', 'blocklist', 'allowlist', 'trusted'],
-    'Telemetry': ['log', 'test-span'],
+    'Telemetry': ['log', 'event', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
-    'Settings': ['instances', 'config', 'version'],
-  };
-  for (const [group, cmds] of Object.entries(groups)) {
-    console.log(`  ${ui.c.bold(group)}`);
-    for (const name of cmds) {
-      const cmd = COMMANDS[name];
-      if (cmd) {
-        console.log(`    ${ui.c.cyan(name.padEnd(18))} ${cmd.desc}`);
-      }
-    }
-    console.log('');
-  }
-  console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
-  console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
-  console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help for a command`);
-  console.log('');
-  console.log(`  ${ui.c.dim('Run')} securenow help <command> ${ui.c.dim('for detailed usage')}`);
-  console.log('');
-}
-// ── Main Router ──
-async function main() {
-  const { positional, flags } = parseArgs(process.argv.slice(2));
-  const cmdName = positional[0] || 'help';
-  if (cmdName === 'help' || flags.help) {
-    showHelp(flags.help === true ? positional[0] : flags.help || positional[1] || (cmdName !== 'help' ? cmdName : null));
-    return;
-  }
-  const cmd = COMMANDS[cmdName];
-  if (!cmd) {
-    // Auto-detect: if the first arg looks like a file path, treat it as `securenow run <file>`
-    if (/\.(m?[jt]sx?|cjs)$/.test(cmdName) || cmdName.includes('/') || cmdName.includes('\\')) {
-      return COMMANDS.run.run(process.argv.slice(2));
-    }
-    ui.error(`Unknown command: ${cmdName}`);
-    ui.info('Run `securenow help` for a list of commands.');
-    process.exit(1);
-  }
-  if (cmd.rawArgv) {
-    // Pass raw argv (everything after the command name) so the command can
-    // forward flags like --watch, --inspect verbatim to child processes.
-    const cmdIdx = process.argv.indexOf(cmdName);
-    const rawArgs = cmdIdx !== -1 ? process.argv.slice(cmdIdx + 1) : positional.slice(1);
-    await cmd.run(rawArgs);
-    return;
-  }
-  if (cmd.run && !cmd.sub) {
-    await cmd.run(positional.slice(1), flags);
-    return;
-  }
-  if (cmd.sub) {
-    let subName = positional[1];
-    let subArgs = positional.slice(2);
-    if (subName && cmd.sub[subName]) {
-      if (flags.help) {
-        showHelp(cmdName);
-        return;
-      }
-      await cmd.sub[subName].run(subArgs, flags);
-      return;
-    }
-    if (cmd.defaultAction) {
-      const allArgs = subName ? [subName, ...subArgs] : [];
-      await cmd.defaultAction(allArgs, flags);
-      return;
-    }
-    if (cmd.defaultSub) {
-      const allArgs = subName ? [subName, ...subArgs] : [];
-      await cmd.sub[cmd.defaultSub].run(allArgs, flags);
-      return;
-    }
-    showHelp(cmdName);
-    return;
-  }
-  if (cmd.run) {
-    await cmd.run(positional.slice(1), flags);
-  }
-}
+    'Settings': ['instances', 'config', 'version'],
+  };
+  for (const [group, cmds] of Object.entries(groups)) {
+    console.log(`  ${ui.c.bold(group)}`);
+    for (const name of cmds) {
+      const cmd = COMMANDS[name];
+      if (cmd) {
+        console.log(`    ${ui.c.cyan(name.padEnd(18))} ${cmd.desc}`);
+      }
+    }
+    console.log('');
+  }
+  console.log(`  ${ui.c.bold('GLOBAL FLAGS')}`);
+  console.log(`    --${ui.c.cyan('json'.padEnd(16))} Output as JSON`);
+  console.log(`    --${ui.c.cyan('help'.padEnd(16))} Show help for a command`);
+  console.log('');
+  console.log(`  ${ui.c.dim('Run')} securenow help <command> ${ui.c.dim('for detailed usage')}`);
+  console.log('');
+}
+// ── Main Router ──
+async function main() {
+  const { positional, flags } = parseArgs(process.argv.slice(2));
+  const cmdName = positional[0] || 'help';
+  if (cmdName === 'help' || flags.help) {
+    showHelp(flags.help === true ? positional[0] : flags.help || positional[1] || (cmdName !== 'help' ? cmdName : null));
+    return;
+  }
+  const cmd = COMMANDS[cmdName];
+  if (!cmd) {
+    // Auto-detect: if the first arg looks like a file path, treat it as `securenow run <file>`
+    if (/\.(m?[jt]sx?|cjs)$/.test(cmdName) || cmdName.includes('/') || cmdName.includes('\\')) {
+      return COMMANDS.run.run(process.argv.slice(2));
+    }
+    ui.error(`Unknown command: ${cmdName}`);
+    ui.info('Run `securenow help` for a list of commands.');
+    process.exit(1);
+  }
+  if (cmd.rawArgv) {
+    // Pass raw argv (everything after the command name) so the command can
+    // forward flags like --watch, --inspect verbatim to child processes.
+    const cmdIdx = process.argv.indexOf(cmdName);
+    const rawArgs = cmdIdx !== -1 ? process.argv.slice(cmdIdx + 1) : positional.slice(1);
+    await cmd.run(rawArgs);
+    return;
+  }
+  if (cmd.run && !cmd.sub) {
+    await cmd.run(positional.slice(1), flags);
+    return;
+  }
+  if (cmd.sub) {
+    let subName = positional[1];
+    let subArgs = positional.slice(2);
+    if (subName && cmd.sub[subName]) {
+      if (flags.help) {
+        showHelp(cmdName);
+        return;
+      }
+      await cmd.sub[subName].run(subArgs, flags);
+      return;
+    }
+    if (cmd.defaultAction) {
+      const allArgs = subName ? [subName, ...subArgs] : [];
+      await cmd.defaultAction(allArgs, flags);
+      return;
+    }
+    if (cmd.defaultSub) {
+      const allArgs = subName ? [subName, ...subArgs] : [];
+      await cmd.sub[cmd.defaultSub].run(allArgs, flags);
+      return;
+    }
+    showHelp(cmdName);
+    return;
+  }
+  if (cmd.run) {
+    await cmd.run(positional.slice(1), flags);
+  }
+}
 main().catch((err) => {
   if (err.name !== 'CLIError') {
     ui.error(err.message || 'An unexpected error occurred');