securenow 8.8.0 → 8.9.0

package/cli/security.js

@@ -48,6 +48,15 @@ async function alertRulesRoute(args, flags) {
   if (sub === 'set-sql' || sub === 'edit-sql') {
     return alertRuleSetSql(args.slice(1), flags);
   }
+  if (sub === 'versions' || sub === 'history') {
+    return alertRuleVersions(args.slice(1), flags);
+  }
+  if (sub === 'version') {
+    return alertRuleVersionShow(args.slice(1), flags);
+  }
+  if (sub === 'rollback' || sub === 'revert') {
+    return alertRuleRollback(args.slice(1), flags);
+  }
   if (sub === 'delete' || sub === 'rm' || sub === 'remove') {
     return alertRuleDelete(args.slice(1), flags);
   }
@@ -464,6 +473,113 @@ async function alertRuleSetSql(args, flags) {
   }
 }
 
+// List a rule's configuration version history (newest first). Each material update (SQL,
+// instant config, settings), duplicate, and rollback is a version; rollback restores a
+// prior snapshot and is itself recorded as a new version.
+async function alertRuleVersions(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow alerts rules versions <rule-id> [--limit N] [--page N]');
+    process.exit(1);
+  }
+  const query = {};
+  if (flags.limit) query.limit = flags.limit;
+  if (flags.page) query.page = flags.page;
+  const s = ui.spinner('Fetching version history');
+  let data;
+  try {
+    data = await api.get(`/alert-rules/${id}/versions`, Object.keys(query).length ? { query } : undefined);
+    s.stop(`Found ${data.total ?? (data.versions || []).length} version${(data.total ?? 0) === 1 ? '' : 's'}`);
+  } catch (err) {
+    s.fail(`Failed to fetch versions: ${err.message}`);
+    process.exit(1);
+  }
+  if (flags.json) { ui.json(data); return; }
+  const rows = data.versions || [];
+  if (rows.length === 0) { ui.info('No versions recorded yet.'); return; }
+  console.log('');
+  ui.info(`Current: v${data.currentVersion}`);
+  for (const v of rows) {
+    const marker = v.isCurrent ? ui.c.green('→') : ' ';
+    const when = v.createdAt ? new Date(v.createdAt).toISOString().replace('T', ' ').slice(0, 19) : '';
+    const extra = v.changeType === 'rollback' && v.rolledBackFrom ? ` (from v${v.rolledBackFrom})` : '';
+    console.log(`${marker} ${ui.c.bold('v' + v.version).padEnd(14)} ${String(v.changeType + extra).padEnd(22)} ${ui.c.dim(when)}  ${v.createdByName || ''}`);
+    if (v.reason) console.log(`     ${ui.c.dim(ui.truncate(v.reason, 90))}`);
+  }
+  console.log('');
+  ui.info(`Show: securenow alerts rules version ${ui.truncate(id, 12)} <n>   |   Roll back: securenow alerts rules rollback ${ui.truncate(id, 12)} <n>`);
+}
+
+// Show one version's full material snapshot (diff-able SQL / instant / settings).
+async function alertRuleVersionShow(args, flags) {
+  requireAuth();
+  const id = args[0];
+  const version = args[1];
+  if (!id || !version) {
+    ui.error('Usage: securenow alerts rules version <rule-id> <version-number>');
+    process.exit(1);
+  }
+  const s = ui.spinner(`Fetching v${version}`);
+  let data;
+  try {
+    data = await api.get(`/alert-rules/${id}/versions/${version}`);
+    s.stop(`Loaded v${version}`);
+  } catch (err) {
+    s.fail(`Failed: ${err.message}`);
+    process.exit(1);
+  }
+  if (flags.json) { ui.json(data); return; }
+  const v = data.version || {};
+  const snap = v.snapshot || {};
+  console.log('');
+  ui.success(`v${v.version}${v.isCurrent ? ' (current)' : ''} — ${v.changeType}`);
+  console.log(`  When     ${v.createdAt || ''}`);
+  if (v.createdByName) console.log(`  By       ${v.createdByName}`);
+  if (v.reason) console.log(`  Reason   ${v.reason}`);
+  if (v.rolledBackFrom) console.log(`  Restored v${v.rolledBackFrom}`);
+  console.log('');
+  console.log(`  Name     ${snap.name || ''}`);
+  console.log(`  Mode     ${snap.mode || ''} / ${snap.executionMode || ''}   severity ${snap.severity || '-'}`);
+  if (snap.instant && snap.instant.enabled) {
+    console.log(`  Instant  enabled  block=${snap.instant.block}  (${(snap.instant.conditions || []).length} condition${(snap.instant.conditions || []).length === 1 ? '' : 's'})`);
+  }
+  if (snap.query && snap.query.sqlQuery) {
+    console.log('  SQL:');
+    console.log(snap.query.sqlQuery.split('\n').map((l) => '    ' + ui.c.dim(l)).join('\n'));
+  }
+}
+
+// Roll a rule back to a prior version — restores that version's full snapshot and records it
+// as a new version (append-only history). System (read-only template) rules can't be rolled back.
+async function alertRuleRollback(args, flags) {
+  requireAuth();
+  const id = args[0];
+  const version = args[1] || flags.version;
+  if (!id || !version) {
+    ui.error('Usage: securenow alerts rules rollback <rule-id> <version-number> [--reason "..."] [--yes]');
+    process.exit(1);
+  }
+  if (!flags.yes && !flags.force) {
+    const ok = await ui.confirm(`Roll back rule ${ui.truncate(id, 12)} to v${version}? Restores that config and creates a new version.`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const body = { version: Number(version) };
+  if (flags.reason) body.reason = String(flags.reason);
+  const s = ui.spinner(`Rolling back to v${version}`);
+  let data;
+  try {
+    data = await api.post(`/alert-rules/${id}/rollback`, body);
+    s.stop(`Rolled back to v${version}`);
+  } catch (err) {
+    s.fail(`Failed to roll back: ${err.message}`);
+    process.exit(1);
+  }
+  if (flags.json) { ui.json(data); return; }
+  ui.success(`Restored from v${data.rolledBackFrom} → now at v${data.newVersion}`);
+  ui.info(`History: securenow alerts rules versions ${ui.truncate(id, 12)}`);
+}
+
 async function alertRuleDelete(args, flags) {
   requireAuth();
   const id = args[0];
@@ -967,6 +1083,58 @@ async function blocklistRemove(args, flags) {
   }
 }
 
+// Approve a block that the AI prepared but parked pending customer approval
+// (e.g. the autopilot held it under block_risk_score_below_policy). Enforces the IP.
+async function blocklistApprove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow blocklist approve <pending-block-id> [--reason <reason>] [--yes]');
+    process.exit(1);
+  }
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Approve this pending block? The IP will be enforced by the firewall.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const s = ui.spinner('Approving pending block');
+  try {
+    const body = {};
+    if (flags.reason) body.reason = flags.reason;
+    const data = await api.post(`/blocklist/${id}/approve`, body);
+    s.stop('Pending block approved — IP now enforced');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to approve pending block');
+    throw err;
+  }
+}
+
+// Reject a pending block: the IP is NOT blocked, the entry is removed, and a scoped
+// no-block decision is recorded so auto-block won't re-block this IP for the same rule.
+async function blocklistReject(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Usage: securenow blocklist reject <pending-block-id> [--reason <reason>] [--yes]');
+    process.exit(1);
+  }
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Reject this pending block? The IP will NOT be blocked; a scoped no-block decision is recorded for the rule that proposed it.');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  const s = ui.spinner('Rejecting pending block');
+  try {
+    const body = {};
+    if (flags.reason) body.reason = flags.reason;
+    const data = await api.post(`/blocklist/${id}/reject`, body);
+    s.stop('Pending block rejected — IP cleared (scoped no-block decision recorded)');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to reject pending block');
+    throw err;
+  }
+}
+
 async function blocklistStats(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist stats');
@@ -1666,6 +1834,8 @@ module.exports = {
   blocklistList,
   blocklistAdd,
   blocklistRemove,
+  blocklistApprove,
+  blocklistReject,
   blocklistStats,
   revokeRoute,
   allowlistList,

package/cli.js

@@ -473,6 +473,8 @@ const COMMANDS = {
       add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--app <key>] [--env production] [--duration 24h] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
+      approve: { desc: 'Approve a pending block (enforce the IP)', usage: 'securenow blocklist approve <pending-block-id> [--reason <reason>] [--yes]', run: (a, f) => require('./cli/security').blocklistApprove(a, f) },
+      reject: { desc: 'Reject a pending block (clear the IP, record a scoped no-block decision)', usage: 'securenow blocklist reject <pending-block-id> [--reason <reason>] [--yes]', run: (a, f) => require('./cli/security').blocklistReject(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },
     },
     defaultSub: 'list',