securenow 4.0.3 → 4.0.5

package/nextjs-middleware.js

@@ -0,0 +1,178 @@
+/**
+ * SecureNow Next.js Middleware for Body Capture
+ * 
+ * OPTIONAL: Import this in your Next.js app to enable automatic body capture
+ * 
+ * Usage:
+ * 
+ * Create middleware.ts in your Next.js app root:
+ * 
+ * export { middleware } from 'securenow/nextjs-middleware';
+ * export const config = {
+ *   matcher: '/api/:path*',  // Apply to API routes only
+ * };
+ * 
+ * That's it! Bodies are now captured with sensitive data redacted.
+ */
+
+const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key in redacted) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  
+  let redacted = query;
+  
+  sensitiveFields.forEach(field => {
+    const patterns = [
+      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        return suffix ? `${prefix}[REDACTED]${suffix}` : `${prefix}[REDACTED]`;
+      });
+    });
+  });
+  
+  return redacted;
+}
+
+/**
+ * Next.js Middleware for Body Capture
+ */
+async function middleware(request) {
+  const { NextResponse } = require('next/server');
+  
+  // Only capture for POST/PUT/PATCH
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) {
+    return NextResponse.next();
+  }
+  
+  // Get or create a tracer
+  const tracer = trace.getTracer('securenow-middleware');
+  let span = trace.getActiveSpan();
+  let createdSpan = false;
+  
+  // If no active span, create one for this middleware
+  if (!span) {
+    const url = new URL(request.url);
+    span = tracer.startSpan(`middleware ${request.method} ${url.pathname}`);
+    createdSpan = true;
+  }
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only capture supported types
+    if (contentType.includes('application/json') || 
+        contentType.includes('application/graphql')) {
+      
+      // Clone the request to read body without consuming the original
+      const clonedRequest = request.clone();
+      const bodyText = await clonedRequest.text();
+      
+      if (bodyText.length <= maxBodySize) {
+        let redactedBody;
+        
+        if (contentType.includes('application/graphql')) {
+          // GraphQL: redact query string
+          redactedBody = redactGraphQLQuery(bodyText, allSensitiveFields);
+        } else {
+          // JSON: parse and redact
+          try {
+            const parsed = JSON.parse(bodyText);
+            const redacted = redactSensitiveData(parsed, allSensitiveFields);
+            redactedBody = JSON.stringify(redacted);
+          } catch (e) {
+            redactedBody = bodyText; // Keep as-is if parse fails
+          }
+        }
+        
+        span.setAttributes({
+          'http.request.body': redactedBody.substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } else {
+        span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const clonedRequest = request.clone();
+      const formData = await clonedRequest.formData();
+      const parsed = Object.fromEntries(formData);
+      const redacted = redactSensitiveData(parsed, allSensitiveFields);
+      
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': JSON.stringify(parsed).length,
+      });
+    } else if (contentType.includes('multipart/form-data')) {
+      span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+      span.setAttribute('http.request.body.type', 'multipart');
+    }
+    
+    // End span if we created it
+    if (createdSpan) {
+      span.setStatus({ code: SpanStatusCode.OK });
+      span.end();
+    }
+  } catch (error) {
+    // Silently fail - don't break the request
+    console.debug('[securenow] Body capture failed:', error.message);
+    
+    // End span with error if we created it
+    if (createdSpan && span) {
+      span.setStatus({ 
+        code: SpanStatusCode.ERROR,
+        message: error.message 
+      });
+      span.end();
+    }
+  }
+  
+  return NextResponse.next();
+}
+
+module.exports = {
+  middleware,
+  redactSensitiveData,
+  redactGraphQLQuery,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+

package/nextjs-wrapper.js

@@ -0,0 +1,155 @@
+/**
+ * SecureNow Next.js API Route Wrapper for Body Capture
+ * 
+ * This approach is NON-INVASIVE and runs INSIDE your handler,
+ * so it never blocks or interferes with middleware or routing.
+ * 
+ * Usage:
+ * 
+ * import { withSecureNow } from 'securenow/nextjs-wrapper';
+ * 
+ * export const POST = withSecureNow(async (request) => {
+ *   // Your handler code - request.body is available as parsed JSON
+ *   const data = await request.json();
+ *   return Response.json({ success: true });
+ * });
+ */
+
+const { trace } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key in redacted) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Capture body from Request object (clone to avoid consuming)
+ */
+async function captureRequestBody(request) {
+  const captureBody = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
+                      String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
+  
+  if (!captureBody) return;
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
+  
+  const span = trace.getActiveSpan();
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Clone to avoid consuming the original
+    const cloned = request.clone();
+    const bodyText = await cloned.text();
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      span.setAttribute('http.request.body.size', bodyText.length);
+      return;
+    }
+    
+    // Parse and redact based on type
+    let redacted;
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        span.setAttribute('http.request.body', '[INVALID JSON]');
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const params = new URLSearchParams(bodyText);
+      const parsed = Object.fromEntries(params);
+      redacted = redactSensitiveData(parsed, allSensitiveFields);
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': bodyText.length,
+      });
+    }
+  } catch (error) {
+    // Silently fail - never block the request
+  }
+}
+
+/**
+ * Wrap a Next.js API route handler to capture body
+ * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
+ */
+function withSecureNow(handler) {
+  return async function wrappedHandler(request, context) {
+    // Capture body asynchronously (doesn't block handler)
+    captureRequestBody(request).catch(() => {
+      // Ignore errors silently
+    });
+    
+    // Call original handler immediately - no blocking!
+    return handler(request, context);
+  };
+}
+
+/**
+ * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
+ * This is even safer as it never interferes with the handler logic
+ */
+function withSecureNowAsync(handler) {
+  return async function wrappedHandler(request, context) {
+    // Try to capture body in background (non-blocking)
+    const capturePromise = captureRequestBody(request);
+    
+    // Run handler
+    const response = await handler(request, context);
+    
+    // Wait for capture to finish (but don't fail if it doesn't)
+    await capturePromise.catch(() => {});
+    
+    return response;
+  };
+}
+
+module.exports = {
+  withSecureNow,
+  withSecureNowAsync,
+  captureRequestBody,
+  redactSensitiveData,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+

package/nextjs.js

@@ -276,11 +276,18 @@ function registerSecureNow(options = {}) {
         'vercel.region': process.env.VERCEL_REGION || undefined,
       },
       instrumentations: [
-        // Add HTTP instrumentation with request hooks to capture IP, headers, and body
+        // Add HTTP instrumentation with request hooks to capture IP, headers
+        // NOTE: Body capture is DISABLED at this level for Next.js to prevent conflicts
         new HttpInstrumentation({
           requireParentforOutgoingSpans: false,
           requireParentforIncomingSpans: false,
-          requestHook: async (span, request) => {
+          // Ignore request/response bodies to prevent Next.js conflicts
+          ignoreIncomingRequestHook: (request) => {
+            // Never ignore - we want to trace all requests
+            return false;
+          },
+          requestHook: (span, request) => {
+            // SYNCHRONOUS ONLY - no async operations to avoid timing issues
             try {
               // Capture client IP from various headers
               const headers = request.headers || {};
@@ -294,7 +301,7 @@ function registerSecureNow(options = {}) {
                 request.socket?.remoteAddress ||
                 'unknown';
               
-              // Add IP and request metadata to span
+              // Add IP and request metadata to span (synchronously)
               span.setAttributes({
                 'http.client_ip': clientIp,
                 'http.user_agent': headers['user-agent'] || 'unknown',
@@ -319,64 +326,20 @@ function registerSecureNow(options = {}) {
                 span.setAttribute('http.geo.country', headers['cf-ipcountry']);
               }
 
-              // -------- Capture Request Body --------
-              if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
-                const contentType = headers['content-type'] || '';
-                
-                // Only capture JSON, GraphQL, and form data (not large files)
-                if (contentType.includes('application/json') || 
-                    contentType.includes('application/graphql') ||
-                    contentType.includes('application/x-www-form-urlencoded')) {
-                  
-                  const bodyResult = await captureRequestBody(request, maxBodySize);
-                  
-                  if (bodyResult.captured) {
-                    let redactedBody;
-                    
-                    // Redact based on type
-                    if (bodyResult.type === 'graphql') {
-                      // GraphQL: redact query string
-                      redactedBody = redactGraphQLQuery(bodyResult.body, allSensitiveFields);
-                    } else if (typeof bodyResult.body === 'object') {
-                      // JSON/Form: redact object properties
-                      redactedBody = redactSensitiveData(bodyResult.body, allSensitiveFields);
-                    } else {
-                      // Plain text: basic redaction
-                      redactedBody = bodyResult.body;
-                    }
-                    
-                    span.setAttributes({
-                      'http.request.body': typeof redactedBody === 'string' 
-                        ? redactedBody.substring(0, maxBodySize)
-                        : JSON.stringify(redactedBody).substring(0, maxBodySize),
-                      'http.request.body.type': bodyResult.type,
-                      'http.request.body.size': bodyResult.size,
-                    });
-                  } else {
-                    span.setAttribute('http.request.body.capture_failed', bodyResult.reason || 'unknown');
-                  }
-                } else if (contentType.includes('multipart/form-data')) {
-                  // Multipart is NOT captured at all
-                  span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-                  span.setAttribute('http.request.body.type', 'multipart');
-                  span.setAttribute('http.request.body.note', 'File uploads not captured by design');
-                }
-              }
+              // -------- Request Body NOT captured at HTTP instrumentation level --------
+              // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
+              // Next.js manages request streams internally and reading them here causes:
+              // - "Response body object should not be disturbed or locked" errors
+              // - Hanging requests that never complete
+              // - Body data unavailable to Next.js route handlers
+              //
+              // Body capture must be done in Next.js middleware using request.clone()
+              
             } catch (error) {
               // Silently fail to not break the request
-              console.debug('[securenow] Failed to capture request metadata:', error.message);
+              // Do not log in production to avoid noise
             }
-          },
-          responseHook: (span, response) => {
-            try {
-              // Add response metadata
-              if (response.statusCode) {
-                span.setAttribute('http.status_code', response.statusCode);
-              }
-            } catch (error) {
-              console.debug('[securenow] Failed to capture response metadata:', error.message);
-            }
-          },
+          }
         }),
       ],
       instrumentationConfig: {
@@ -402,10 +365,10 @@ function registerSecureNow(options = {}) {
     isRegistered = true;
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing: IP, User-Agent, Headers, Geographic data');
+    console.log('[securenow] ⚠️  Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
     if (captureBody) {
-      console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
-    } else {
-      console.log('[securenow] 📝 Request body capture: DISABLED (set SECURENOW_CAPTURE_BODY=1 to enable)');
+      console.log('[securenow] 💡 SECURENOW_CAPTURE_BODY is set but has no effect in Next.js HTTP instrumentation');
+      console.log('[securenow] 💡 Body capture must be implemented differently for Next.js (coming soon)');
     }
 
     // Optional test span

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "4.0.3",
+  "version": "4.0.5",
   "description": "OpenTelemetry instrumentation for Node.js and Next.js - Send traces to SigNoz or any OTLP backend",
   "type": "commonjs",
   "main": "register.js",
@@ -33,6 +33,9 @@
     "./register": "./register.js",
     "./tracing": "./tracing.js",
     "./nextjs": "./nextjs.js",
+    "./nextjs-auto-capture": "./nextjs-auto-capture.js",
+    "./nextjs-middleware": "./nextjs-middleware.js",
+    "./nextjs-wrapper": "./nextjs-wrapper.js",
     "./nextjs-webpack-config": "./nextjs-webpack-config.js",
     "./register-vite": "./register-vite.js",
     "./web-vite": {
@@ -44,6 +47,9 @@
     "register.js",
     "tracing.js",
     "nextjs.js",
+    "nextjs-auto-capture.js",
+    "nextjs-middleware.js",
+    "nextjs-wrapper.js",
     "cli.js",
     "postinstall.js",
     "register-vite.js",
@@ -57,7 +63,16 @@
     "AUTOMATIC-IP-CAPTURE.md",
     "REQUEST-BODY-CAPTURE.md",
     "BODY-CAPTURE-QUICKSTART.md",
-    "REDACTION-EXAMPLES.md"
+    "REDACTION-EXAMPLES.md",
+    "NEXTJS-BODY-CAPTURE.md",
+    "NEXTJS-BODY-CAPTURE-COMPARISON.md",
+    "NEXTJS-WRAPPER-APPROACH.md",
+    "QUICKSTART-BODY-CAPTURE.md",
+    "AUTO-BODY-CAPTURE.md",
+    "EASIEST-SETUP.md",
+    "SOLUTION-SUMMARY.md",
+    "BODY-CAPTURE-FIX.md",
+    "FINAL-SOLUTION.md"
   ],
   "dependencies": {
     "@opentelemetry/api": "1.7.0",

package/postinstall.js

@@ -80,6 +80,64 @@ export function register() {
  *   SECURENOW_INSTANCE=http://your-signoz-server:4318
  *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
  *   OTEL_LOG_LEVEL=info
+ *   
+ * Optional: Enable request body capture
+ *   SECURENOW_CAPTURE_BODY=1
+ *   (Also create middleware.ts to activate - run: npx securenow init)
+ */
+`;
+  
+  fs.writeFileSync(targetPath, content, 'utf8');
+}
+
+// Create TypeScript middleware file
+function createTsMiddleware(targetPath) {
+  const content = `// SecureNow Middleware - Automatic Request Body Capture
+// This enables capturing JSON, GraphQL, and Form request bodies
+// with automatic sensitive field redaction
+
+export { middleware } from 'securenow/nextjs-middleware';
+
+export const config = {
+  matcher: '/api/:path*',  // Apply to all API routes
+};
+
+/**
+ * Bodies are captured with:
+ * - Automatic redaction of passwords, tokens, cards, etc.
+ * - Size limits (configurable via SECURENOW_MAX_BODY_SIZE)
+ * - JSON, GraphQL, Form data support
+ * 
+ * Configure in .env.local:
+ *   SECURENOW_MAX_BODY_SIZE=20480
+ *   SECURENOW_SENSITIVE_FIELDS=email,phone
+ */
+`;
+  
+  fs.writeFileSync(targetPath, content, 'utf8');
+}
+
+// Create JavaScript middleware file
+function createJsMiddleware(targetPath) {
+  const content = `// SecureNow Middleware - Automatic Request Body Capture
+// This enables capturing JSON, GraphQL, and Form request bodies
+// with automatic sensitive field redaction
+
+export { middleware } from 'securenow/nextjs-middleware';
+
+export const config = {
+  matcher: '/api/:path*',  // Apply to all API routes
+};
+
+/**
+ * Bodies are captured with:
+ * - Automatic redaction of passwords, tokens, cards, etc.
+ * - Size limits (configurable via SECURENOW_MAX_BODY_SIZE)
+ * - JSON, GraphQL, Form data support
+ * 
+ * Configure in .env.local:
+ *   SECURENOW_MAX_BODY_SIZE=20480
+ *   SECURENOW_SENSITIVE_FIELDS=email,phone
  */
 `;
   
@@ -101,6 +159,11 @@ SECURENOW_INSTANCE=http://your-signoz-server:4318
 
 # Optional: Log level (debug|info|warn|error)
 # OTEL_LOG_LEVEL=info
+
+# Optional: Enable request body capture (requires middleware.ts)
+# SECURENOW_CAPTURE_BODY=1
+# SECURENOW_MAX_BODY_SIZE=10240
+# SECURENOW_SENSITIVE_FIELDS=email,phone
 `;
   
   fs.writeFileSync(targetPath, content, 'utf8');
@@ -171,33 +234,65 @@ async function setup() {
       
       console.log(`\n✅ Created ${srcExists ? 'src/' : ''}${fileName}`);
       
-      // Create .env.local if it doesn't exist
-      const envPath = path.join(process.cwd(), '.env.local');
-      if (!fs.existsSync(envPath)) {
-        createEnvTemplate(envPath);
-        console.log('✅ Created .env.local template');
-      }
-      
-      console.log('\n┌─────────────────────────────────────────────────┐');
-      console.log('│  🚀 Next Steps:                                 │');
-      console.log('│                                                 │');
-      console.log('│  1. Edit .env.local and set:                   │');
-      console.log('│     SECURENOW_APPID=your-app-name              │');
-      console.log('│     SECURENOW_INSTANCE=http://signoz:4318      │');
-      console.log('│                                                 │');
-      console.log('│  2. Run your app: npm run dev                  │');
-      console.log('│                                                 │');
-      console.log('│  3. Check SigNoz for traces!                   │');
-      console.log('│                                                 │');
-      console.log('│  📚 Full guide: npm docs securenow              │');
-      console.log('└─────────────────────────────────────────────────┘\n');
+      // Ask about middleware for body capture
+      rl.question('\nWould you like to enable request body capture? (y/N) ', (middlewareAnswer) => {
+        const shouldCreateMiddleware = middlewareAnswer && (middlewareAnswer.toLowerCase() === 'y' || middlewareAnswer.toLowerCase() === 'yes');
+        
+        if (shouldCreateMiddleware) {
+          try {
+            const middlewareName = useTypeScript ? 'middleware.ts' : 'middleware.js';
+            const middlewarePath = srcExists 
+              ? path.join(process.cwd(), 'src', middlewareName)
+              : path.join(process.cwd(), middlewareName);
+            
+            if (useTypeScript) {
+              createTsMiddleware(middlewarePath);
+            } else {
+              createJsMiddleware(middlewarePath);
+            }
+            
+            console.log(`✅ Created ${srcExists ? 'src/' : ''}${middlewareName}`);
+            console.log('   → Captures JSON, GraphQL, Form bodies with auto-redaction');
+          } catch (error) {
+            console.warn(`⚠️  Could not create middleware: ${error.message}`);
+          }
+        }
+        
+        // Create .env.local if it doesn't exist
+        const envPath = path.join(process.cwd(), '.env.local');
+        if (!fs.existsSync(envPath)) {
+          createEnvTemplate(envPath);
+          console.log('✅ Created .env.local template');
+        }
+        
+        console.log('\n┌─────────────────────────────────────────────────┐');
+        console.log('│  🚀 Next Steps:                                 │');
+        console.log('│                                                 │');
+        console.log('│  1. Edit .env.local and set:                   │');
+        console.log('│     SECURENOW_APPID=your-app-name              │');
+        console.log('│     SECURENOW_INSTANCE=http://signoz:4318      │');
+        if (shouldCreateMiddleware) {
+          console.log('│     SECURENOW_CAPTURE_BODY=1                   │');
+        }
+        console.log('│                                                 │');
+        console.log('│  2. Run your app: npm run dev                  │');
+        console.log('│                                                 │');
+        console.log('│  3. Check SigNoz for traces!                   │');
+        console.log('│                                                 │');
+        if (shouldCreateMiddleware) {
+          console.log('│  📝 Body capture enabled with auto-redaction   │');
+        }
+        console.log('│  📚 Full guide: npm docs securenow              │');
+        console.log('└─────────────────────────────────────────────────┘\n');
+        
+        rl.close();
+      });
       
     } catch (error) {
       console.error('\n❌ Failed to create instrumentation file:', error.message);
       console.log('💡 You can create it manually or run: npx securenow init');
+      rl.close();
     }
-    
-    rl.close();
   });
 }