securenow 8.4.0 → 8.6.0

package/cli/security.js

@@ -45,10 +45,16 @@ async function alertRulesRoute(args, flags) {
   if (sub === 'update') {
     return alertRuleUpdate(args.slice(1), flags);
   }
+  if (sub === 'set-sql' || sub === 'edit-sql') {
+    return alertRuleSetSql(args.slice(1), flags);
+  }
+  if (sub === 'delete' || sub === 'rm' || sub === 'remove') {
+    return alertRuleDelete(args.slice(1), flags);
+  }
   if (sub === 'test') {
     return alertRuleTest(args.slice(1), flags);
   }
-  if (sub === 'dry-run-query' || sub === 'candidate-test') {
+  if (sub === 'dry-run-query' || sub === 'candidate-test' || sub === 'validate') {
     return alertRuleCandidateTest(args.slice(1), flags);
   }
   if (sub === 'tune-query' || sub === 'query-update') {
@@ -156,14 +162,35 @@ async function alertRuleCreate(args, flags) {
   }
 
   const s = ui.spinner('Creating alert rule');
+  let createdId = null;
   try {
     const data = await api.post('/alert-rules', body);
     const r = data.alertRule || data;
+    createdId = r._id || r.id || null;
     s.stop('Alert rule created');
+
+    // Transactional safety: `create` only runs scope/safety validation, not a real
+    // query execution — so a query that is valid-but-wrong (e.g. an unknown column)
+    // is accepted and would silently never fire. Custom-rule SQL also can't be
+    // patched via the API, so a broken rule would be stuck. We therefore dry-run the
+    // new scheduled rule and roll it back (delete) on a hard query failure, unless
+    // --no-validate is passed. A "complete" dry-run with 0 rows is healthy, not a failure.
+    const scheduled = r.executionMode !== 'instant' && r.schedule?.enabled !== false;
+    if (createdId && scheduled && !flags['no-validate']) {
+      const v = await validateRuleById(createdId, flags);
+      if (v && v.status === 'failed') {
+        const rolledBack = await api.delete(`/alert-rules/${createdId}`).then(() => true).catch(() => false);
+        ui.error(`Rule query failed validation and was ${rolledBack ? 'rolled back (deleted)' : 'left in place (auto-delete failed — remove it manually)'}:`);
+        ui.error(`  ${v.error || 'unknown query error'}`);
+        ui.info('Fix the SQL and re-create, or validate first: securenow alerts rules validate --sql @rule.sql --app <key>');
+        process.exit(1);
+      }
+    }
+
     if (flags.json) { ui.json(data); return; }
     console.log('');
     ui.keyValue([
-      ['ID', r._id || r.id || '-'],
+      ['ID', createdId || '-'],
       ['Name', r.name || '-'],
       ['Status', r.status || '-'],
       ['Mode', r.executionMode || 'scheduled'],
@@ -172,9 +199,10 @@ async function alertRuleCreate(args, flags) {
       ['Schedule', r.schedule?.enabled === false ? 'disabled' : (r.schedule?.description || r.schedule?.cronExpression || '-')],
       ['Throttle', r.throttle?.enabled ? `${r.throttle.minutes} min` : 'off'],
       ['Query', r.queryMappingId?.name || r.queryMappingId || '-'],
+      ['Validation', flags['no-validate'] ? 'skipped' : 'dry-run clean'],
     ]);
     console.log('');
-    ui.success(`Created. View it with: securenow alerts rules show ${r._id || r.id}`);
+    ui.success(`Created. View it with: securenow alerts rules show ${createdId}`);
   } catch (err) {
     s.fail('Failed to create alert rule');
     throw err;
@@ -223,6 +251,11 @@ async function alertRuleShow(args, flags) {
 
 async function alertRuleUpdate(args, flags) {
   requireAuth();
+  // `update <id> --sql ...` is an alias for set-sql so SQL edits and scope edits
+  // share one verb. set-sql handles its own validation/feedback.
+  if (flags.sql || flags.query || flags.file) {
+    return alertRuleSetSql(args, flags);
+  }
   const id = args[0];
   if (!id) {
     ui.error('Usage: securenow alerts rules update <rule-id> (--applications-all | --apps <k1,k2>)');
@@ -280,6 +313,88 @@ async function alertRuleUpdate(args, flags) {
   }
 }
 
+async function alertRuleSetSql(args, flags) {
+  requireAuth();
+  const id = args[0];
+  const sqlQuery = readSqlArg(flags);
+  if (!id || !sqlQuery) {
+    ui.error('Usage: securenow alerts rules set-sql <rule-id> --sql <sql|@file|-> [--nlp "intent"] [--no-validate]');
+    process.exit(1);
+  }
+  const body = { sqlQuery };
+  if (flags.nlp || flags.text) body.nlpQuery = flags.nlp || flags.text;
+  if (flags.category) body.category = flags.category;
+
+  const s = ui.spinner('Updating rule SQL');
+  try {
+    const data = await api.put(`/alert-rules/${id}`, body);
+    s.stop('Rule SQL updated');
+    const ok = flags['no-validate'] ? null : await validateRuleById(id, flags);
+    if (ok && ok.status === 'failed') {
+      ui.warn(`Saved, but the new SQL failed a dry-run: ${ok.error || 'unknown error'}`);
+      ui.info('Fix the SQL and run set-sql again, or delete the rule with: securenow alerts rules delete ' + id);
+    } else if (ok) {
+      ui.success('Saved and dry-run clean.');
+    }
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to update rule SQL');
+    throw err;
+  }
+}
+
+async function alertRuleDelete(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules delete <rule-id> [--yes]');
+    process.exit(1);
+  }
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm(`Delete alert rule ${id}? This cannot be undone (system rules can only be disabled).`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const s = ui.spinner('Deleting alert rule');
+  try {
+    const data = await api.delete(`/alert-rules/${id}`);
+    s.stop('Alert rule deleted');
+    if (flags.json) { ui.json(data); return; }
+    ui.success(`Deleted alert rule ${id}`);
+  } catch (err) {
+    s.fail('Failed to delete alert rule');
+    throw err;
+  }
+}
+
+// Run a dry-run test of an existing rule and return { status, error, resultCount }.
+// Used to validate a rule after create/set-sql. Never throws — returns null on error.
+async function validateRuleById(id, flags = {}) {
+  try {
+    let data = await api.post(`/alert-rules/${id}/test`, { mode: 'dry_run' });
+    if (data.testId) {
+      for (let i = 0; i < 40; i++) {
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        data = await api.get(`/alert-rules/${id}/test/${data.testId}`);
+        if (['complete', 'failed'].includes(data.status)) break;
+      }
+    }
+    return { status: data.status, error: data.error, resultCount: data.resultCount };
+  } catch {
+    return null;
+  }
+}
+
+// Pick an existing rule id to host a candidate dry-run (the test endpoint needs a
+// rule to attach the candidate SQL to). Prefer a system rule (always present on
+// provisioned accounts and never mutated by a dry-run).
+async function resolveHostRuleId() {
+  const data = await api.get('/alert-rules');
+  const rules = data.alertRules || data.rules || [];
+  if (!rules.length) return null;
+  const sys = rules.find((r) => r.isSystem);
+  return (sys || rules[0])._id || (sys || rules[0]).id || null;
+}
+
 function readSqlArg(flags) {
   const raw = flags.sql || flags.query || flags.file;
   if (!raw) return null;
@@ -331,12 +446,24 @@ async function alertRuleTest(args, flags) {
 
 async function alertRuleCandidateTest(args, flags) {
   requireAuth();
-  const id = args[0];
+  let id = args[0];
   const candidateSqlQuery = readSqlArg(flags);
-  if (!id || !candidateSqlQuery) {
-    ui.error('Usage: securenow alerts rules dry-run-query <rule-id> --sql <sql|@file|-> [--app <key>] [--wait]');
+  if (!candidateSqlQuery) {
+    ui.error('Usage: securenow alerts rules validate --sql <sql|@file|-> [--app <key>]   (or dry-run-query <rule-id> --sql ...)');
     process.exit(1);
   }
+  // The test endpoint attaches the candidate SQL to an existing rule. When no
+  // rule id is given, auto-pick a host so a candidate can be validated before any
+  // rule exists for it (every provisioned account has system rules to host on).
+  if (!id) {
+    id = await resolveHostRuleId();
+    if (!id) {
+      ui.error('No existing rule to host the dry-run. Create one rule first, or pass <rule-id>.');
+      process.exit(1);
+    }
+  }
+  // `validate` is meant to return a verdict, so wait for the result by default.
+  const wait = flags.wait || flags['no-wait'] !== true;
 
   const body = { mode: 'dry_run', candidateSqlQuery };
   if (flags.app) body.applicationKey = flags.app;
@@ -344,7 +471,7 @@ async function alertRuleCandidateTest(args, flags) {
   const s = ui.spinner('Starting candidate SQL dry-run');
   try {
     let data = await api.post(`/alert-rules/${id}/test`, body);
-    if (flags.wait && data.testId) {
+    if (wait && data.testId) {
       s.update('Waiting for candidate SQL dry-run results');
       for (let i = 0; i < 40; i++) {
         await new Promise((resolve) => setTimeout(resolve, 2000));

package/cli.js

@@ -255,7 +255,8 @@ const COMMANDS = {
     usage: 'securenow alerts <subcommand> [options]',
     sub: {
       rules: {
-        desc: 'Create, list, show, update, test, or tune alert rules',
+        desc: 'Create, list, show, update, set-sql, validate, delete, test, or tune alert rules',
+        usage: 'securenow alerts rules <list|create|show|update|set-sql|validate|delete|test|dry-run-query|tune-query|exclusions> [options]',
         flags: {
           json: 'Output as JSON',
           name: 'With create: rule name',
@@ -276,9 +277,10 @@ const COMMANDS = {
           app: 'Application key for rule tests',
           mode: 'Rule test mode: dry_run or live',
           wait: 'Wait for rule test completion',
-          sql: 'Detection/candidate/replacement SQL, @file, or - for stdin',
+          sql: 'Detection/candidate/replacement SQL, @file, or - for stdin (create, set-sql, update, validate, dry-run-query, tune-query)',
           query: 'Alias for --sql',
           file: 'Read SQL from a file',
+          'no-validate': 'With create/set-sql: skip the post-write dry-run + rollback',
           reason: 'Audit reason for a write',
           'apply-globally': 'Required for system query tuning',
           'reactivate-paused': 'Reactivate paused system copies after tuning',
@@ -387,6 +389,37 @@ const COMMANDS = {
     },
     defaultSub: 'list',
   },
+  challenge: {
+    desc: 'Manage CAPTCHA / proof-of-work challenge remediation rules',
+    usage: 'securenow challenge <list|add|show|test|enable|disable|remove> [options]',
+    flags: {
+      app: 'Scope to app key (defaults to logged-in app)',
+      env: 'Scope to environment (default for create/test: production)',
+      environment: 'Alias for --env',
+      json: 'Output as JSON',
+      difficulty: 'Proof-of-work strength in leading zero bits (4-28, default 14)',
+      clearance: 'How long a solve clears, e.g. 30m, 1h (default 30m)',
+      route: 'Path pattern such as /login',
+      path: 'Alias for --route',
+      mode: 'Path mode: exact, prefix, or regex',
+      method: 'HTTP method, or ALL',
+      duration: 'Rule expiry, e.g. 24h or 7d',
+      reason: 'Reason note',
+      'escalate-to-block': 'Promote to a hard block after repeated failures',
+      'fail-threshold': 'Failures before escalation (default 10)',
+      'block-ttl-hours': 'Block duration when escalating (default 24)',
+    },
+    sub: {
+      list: { desc: 'List challenge remediation rules', run: (a, f) => require('./cli/challenges').list(a, f) },
+      add: { desc: 'Create a challenge rule', usage: 'securenow challenge add [ip] --route /login --difficulty 16 --clearance 30m', run: (a, f) => require('./cli/challenges').add(a, f) },
+      show: { desc: 'Show one challenge rule', usage: 'securenow challenge show <id>', run: (a, f) => require('./cli/challenges').show(a, f) },
+      test: { desc: 'Check whether a request would be challenged', usage: 'securenow challenge test <ip> --path /login --method GET', run: (a, f) => require('./cli/challenges').test(a, f) },
+      enable: { desc: 'Enable a challenge rule', usage: 'securenow challenge enable <id>', run: (a, f) => require('./cli/challenges').enable(a, f) },
+      disable: { desc: 'Disable a challenge rule', usage: 'securenow challenge disable <id>', run: (a, f) => require('./cli/challenges').disable(a, f) },
+      remove: { desc: 'Remove a challenge rule', usage: 'securenow challenge remove <id> [--reason "..."]', run: (a, f) => require('./cli/challenges').remove(a, f) },
+    },
+    defaultSub: 'list',
+  },
   automation: {
     desc: 'Manage automation rules for blocklist actions',
     usage: 'securenow automation <list|defaults|show|create|update|dry-run|execute|delete> [rule-id] [options]',
@@ -722,7 +755,7 @@ function showHelp(commandName) {
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
     'Firewall': ['firewall'],
-    'Remediation': ['automation', 'ratelimit', 'blocklist', 'revoke', 'allowlist', 'trusted'],
+    'Remediation': ['automation', 'ratelimit', 'challenge', 'blocklist', 'revoke', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'event', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],