securenow 5.15.2 → 5.16.1

package/NPM_README.md

@@ -148,7 +148,10 @@ npx securenow login
 # Or use a token for CI/headless environments
 npx securenow login --token <YOUR_JWT>
 
-# Check who you're logged in as
+# Log in for this project only (per-project credentials)
+npx securenow login --local
+
+# Check who you're logged in as (shows auth source)
 npx securenow whoami
 ```
 
@@ -327,12 +330,15 @@ npx securenow config set format json
 npx securenow config path
 ```
 
-Config files are stored in `~/.securenow/`:
+Config files are stored in `~/.securenow/` (global) or `.securenow/` in the project root (per-project):
 
 | File | Description |
 |------|-------------|
-| `config.json` | API URL, default app, output format |
-| `credentials.json` | Auth token (file permissions: 0600) |
+| `~/.securenow/config.json` | API URL, default app, output format |
+| `~/.securenow/credentials.json` | Auth token — global (file permissions: 0600) |
+| `.securenow/credentials.json` | Auth token — project-local (use `login --local`) |
+
+**Resolution order:** `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ### Global Flags
 
@@ -348,14 +354,37 @@ Every command supports these flags:
 
 | Variable | Description |
 |----------|-------------|
+| `SECURENOW_TOKEN` | JWT token — overrides all file-based credentials |
 | `SECURENOW_API_URL` | Override the API base URL |
 | `SECURENOW_DEBUG` | Show stack traces on errors |
 | `NO_COLOR` | Disable colored output |
 
+### Multi-Project Sessions
+
+Use `--local` to maintain separate logins per project on the same machine:
+
+```bash
+# In project A — log in as user-a@company.com
+cd ~/projects/project-a
+npx securenow login --local
+
+# In project B — log in as user-b@company.com
+cd ~/projects/project-b
+npx securenow login --local
+
+# Each project uses its own credentials independently
+npx securenow whoami   # Shows auth source: project (.securenow/)
+```
+
+You can also use the `SECURENOW_TOKEN` env var for per-terminal sessions without touching any files.
+
 ### CI/CD Integration
 
 ```bash
-# Authenticate with a token in CI
+# Authenticate with a token in CI (env var — no file needed)
+SECURENOW_TOKEN=$MY_SECRET npx securenow issues --json
+
+# Or use login with explicit token
 npx securenow login --token $SECURENOW_TOKEN
 
 # Use --json for machine-readable output
@@ -375,9 +404,9 @@ fi
 | Category | Command | Description |
 |----------|---------|-------------|
 | **Setup** | `init` | Auto-scaffold instrumentation for your framework |
-| **Auth** | `login` | Authenticate via browser or `--token` |
-| | `logout` | Clear credentials |
-| | `whoami` | Show session info |
+| **Auth** | `login` | Authenticate via browser, `--token`, or `--local` |
+| | `logout` | Clear credentials (`--local` for project only) |
+| | `whoami` | Show session info and auth source |
 | **Apps** | `apps` | List applications |
 | | `apps create <name>` | Create application |
 | | `apps info <id>` | Application details |

package/README.md

@@ -264,8 +264,10 @@ Most users won't need this — just add `-r securenow/register` to your existing
 |---------|-------------|
 | `securenow login` | Log in via browser (opens OAuth flow) |
 | `securenow login --token <TOKEN>` | Log in with a token (for CI/headless) |
+| `securenow login --local` | Log in and save credentials to the current project only |
 | `securenow logout` | Clear stored credentials |
-| `securenow whoami` | Show current session info |
+| `securenow logout --local` | Clear project-local credentials only |
+| `securenow whoami` | Show current session info (including auth source) |
 
 ### Applications
 
@@ -356,15 +358,19 @@ Most users won't need this — just add `-r securenow/register` to your existing
 | `--json` | Output as JSON (works on every command) |
 | `--help` | Show help for any command |
 | `--app <key>` | Specify app key (or set default with `config set defaultApp`) |
+| `--local` | Save/clear credentials per-project (login/logout only) |
 
 ### Configuration
 
-Credentials and settings are stored in `~/.securenow/`:
+Credentials and settings are stored in `~/.securenow/` (global) or `.securenow/` (per-project):
 
 | File | Purpose |
 |------|---------|
 | `~/.securenow/config.json` | API URL, default app, preferences |
-| `~/.securenow/credentials.json` | Auth token (restricted permissions) |
+| `~/.securenow/credentials.json` | Auth token — global (restricted permissions) |
+| `.securenow/credentials.json` | Auth token — project-local (use `login --local`) |
+
+**Credential resolution order:** `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 Override the API URL with `securenow config set apiUrl <url>` or the `SECURENOW_API_URL` environment variable.
 

package/SKILL-CLI.md

@@ -18,9 +18,12 @@ npx securenow <command>
 ```bash
 securenow login             # opens browser OAuth; stores JWT in ~/.securenow/credentials.json
 securenow login --token <JWT>   # headless / CI login (get token from dashboard Settings)
-securenow whoami             # verify session
+securenow login --local     # save credentials to this project only (.securenow/)
+securenow whoami             # verify session (shows auth source)
 ```
 
+**Per-project credentials:** Use `--local` to keep separate logins in different project directories on the same machine. Credentials resolve in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
+
 ### Integrate With Your App
 
 The CLI can also instrument any Node.js app at launch — no code changes:
@@ -47,22 +50,25 @@ Save this file as `.cursor/skills/securenow-cli/SKILL.md` in your project. Your
 
 ## Configuration
 
-Config lives in `~/.securenow/`:
+Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-project):
 
 | File | Content |
 |------|---------|
-| `config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
-| `credentials.json` | `token`, `email`, `expiresAt` |
+| `~/.securenow/config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
+| `~/.securenow/credentials.json` | `token`, `email`, `expiresAt` (global) |
+| `.securenow/credentials.json` | `token`, `email`, `expiresAt` (project-local, use `login --local`) |
+
+**Credential resolution order:** `SECURENOW_TOKEN` env var → `.securenow/credentials.json` (project) → `~/.securenow/credentials.json` (global).
 
 ```bash
 securenow config set apiUrl https://api.securenow.ai
 securenow config set defaultApp my-app-key
 securenow config get                     # show all
 securenow config get defaultApp          # show one
-securenow config path                    # print file paths
+securenow config path                    # print file paths + active auth source
 ```
 
-Environment overrides: `SECURENOW_API_URL`, `SECURENOW_APP_URL`, `SECURENOW_APP` (default app key).
+Environment overrides: `SECURENOW_TOKEN` (JWT), `SECURENOW_API_URL`, `SECURENOW_APP_URL`, `SECURENOW_APP` (default app key).
 
 ## Global Flags
 
@@ -94,10 +100,12 @@ Spawns `node --require securenow/register [--import otel/hook.mjs] <script>`. ES
 ### Authentication
 
 ```bash
-securenow login                   # browser-based OAuth (starts local callback server)
+securenow login                   # browser-based OAuth (stores in global ~/.securenow/)
 securenow login --token <JWT>     # headless / CI login
-securenow logout                  # clear ~/.securenow/credentials.json
-securenow whoami                  # show email, user ID, API URL, expiry, default app
+securenow login --local           # save credentials to project .securenow/ (per-project session)
+securenow logout                  # clear active credentials (local if present, else global)
+securenow logout --local          # clear project-local credentials only
+securenow whoami                  # show email, user ID, API URL, auth source, expiry, default app
 ```
 
 ### Applications
@@ -389,8 +397,8 @@ All commands support `--json` for structured output. When piping to other tools
 
 | Exit code / Error | Meaning | Recovery |
 |------------------|---------|----------|
-| `Session expired` | JWT expired | `securenow login` |
-| `Not logged in` | No token in `~/.securenow/credentials.json` | `securenow login` |
+| `Session expired` | JWT expired | `securenow login` (or `login --local`) |
+| `Not logged in` | No token found | `securenow login` or set `SECURENOW_TOKEN` env var |
 | `Access denied (403)` | Insufficient plan or permissions | Upgrade plan or check user role |
 | `Cannot connect` | API unreachable | Check `SECURENOW_API_URL` or network |
 | `Unknown command` | Typo or unrecognized command | `securenow help` |

package/cli/auth.js

@@ -58,7 +58,16 @@ async function loginWithBrowser() {
         }
 
         if (token) {
-          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2 style="color:#22c55e">✓ Logged in to SecureNow</h2><p>You can close this window and return to the terminal.</p></body></html>');
+          const payload = decodeJwtPayload(token);
+          const email = payload?.email || '';
+          const emailHtml = email
+            ? `<p style="font-size:18px;margin:16px 0 4px">Signed in as <strong>${email.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</strong></p>`
+            : '';
+          res.end(`<html><body style="font-family:system-ui;text-align:center;padding:60px">` +
+            `<h2 style="color:#22c55e">\u2713 Logged in to SecureNow</h2>` +
+            emailHtml +
+            `<p style="color:#666">You can close this window and return to the terminal.</p>` +
+            `</body></html>`);
           server.close();
           resolve(token);
           return;
@@ -120,6 +129,8 @@ async function loginWithToken(token) {
 }
 
 async function login(args, flags) {
+  const local = !!flags.local;
+
   if (flags.token) {
     const token = flags.token;
     await loginWithToken(token);
@@ -127,9 +138,11 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp);
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -143,9 +156,11 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp);
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
+    if (local) ui.info('Credentials saved to project .securenow/ (local)');
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -165,14 +180,16 @@ async function login(args, flags) {
   }
 }
 
-async function logout() {
+async function logout(args, flags) {
+  const local = flags ? flags.local : undefined;
   const creds = config.loadCredentials();
-  config.clearCredentials();
+  config.clearCredentials({ local });
   if (creds.email) {
     ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
   } else {
     ui.success('Logged out');
   }
+  if (local) ui.info('Cleared project-local credentials');
 }
 
 async function whoami() {
@@ -192,6 +209,7 @@ async function whoami() {
     ['Email', creds.email || payload?.email || 'unknown'],
     ['User ID', payload?.sub || 'unknown'],
     ['API', config.getApiUrl()],
+    ['Auth Source', config.getAuthSource()],
   ];
   if (creds.expiresAt) {
     const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));

package/cli/config.js

@@ -8,6 +8,10 @@ const CONFIG_DIR = path.join(os.homedir(), '.securenow');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
 
+const LOCAL_CONFIG_DIR = path.join(process.cwd(), '.securenow');
+const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
+const LOCAL_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'credentials.json');
+
 const DEFAULTS = {
   apiUrl: 'https://api.securenow.ai',
   appUrl: 'https://app.securenow.ai',
@@ -15,9 +19,9 @@ const DEFAULTS = {
   output: 'table',
 };
 
-function ensureDir() {
-  if (!fs.existsSync(CONFIG_DIR)) {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+function ensureDir(dir) {
+  if (!fs.existsSync(dir || CONFIG_DIR)) {
+    fs.mkdirSync(dir || CONFIG_DIR, { recursive: true, mode: 0o700 });
   }
 }
 
@@ -30,7 +34,7 @@ function loadJSON(filepath) {
 }
 
 function saveJSON(filepath, data) {
-  ensureDir();
+  ensureDir(path.dirname(filepath));
   fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
   if (process.platform === 'win32') {
     try {
@@ -40,8 +44,25 @@ function saveJSON(filepath, data) {
   }
 }
 
+function hasLocalCredentials() {
+  return fs.existsSync(LOCAL_CREDENTIALS_FILE);
+}
+
+function resolveCredentialsFile() {
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return LOCAL_CREDENTIALS_FILE;
+  return CREDENTIALS_FILE;
+}
+
+function getAuthSource() {
+  if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
+  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return 'project (.securenow/)';
+  return 'global (~/.securenow/)';
+}
+
 function loadConfig() {
-  return { ...DEFAULTS, ...loadJSON(CONFIG_FILE) };
+  const global = loadJSON(CONFIG_FILE);
+  const local = fs.existsSync(LOCAL_CONFIG_FILE) ? loadJSON(LOCAL_CONFIG_FILE) : {};
+  return { ...DEFAULTS, ...global, ...local };
 }
 
 function saveConfig(config) {
@@ -59,20 +80,29 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  return loadJSON(CREDENTIALS_FILE);
+  return loadJSON(resolveCredentialsFile());
 }
 
-function saveCredentials(creds) {
-  saveJSON(CREDENTIALS_FILE, creds);
+function saveCredentials(creds, { local = false } = {}) {
+  const targetFile = local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  saveJSON(targetFile, creds);
 }
 
-function clearCredentials() {
+function clearCredentials({ local } = {}) {
   try {
-    fs.unlinkSync(CREDENTIALS_FILE);
+    if (local === true) {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    } else if (local === false || !hasLocalCredentials()) {
+      fs.unlinkSync(CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
+    }
   } catch {}
 }
 
 function getToken() {
+  if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
+
   const creds = loadCredentials();
   if (!creds.token) return null;
 
@@ -82,8 +112,23 @@ function getToken() {
   return creds.token;
 }
 
-function setAuth(token, email, expiresAt) {
-  saveCredentials({ token, email, expiresAt });
+function setAuth(token, email, expiresAt, { local = false } = {}) {
+  saveCredentials({ token, email, expiresAt }, { local });
+}
+
+function ensureLocalGitignore() {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  const entry = '.securenow/';
+  try {
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      if (!content.split('\n').some(line => line.trim() === entry)) {
+        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      }
+    } else {
+      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+    }
+  } catch {}
 }
 
 function getApiUrl() {
@@ -102,6 +147,8 @@ module.exports = {
   CONFIG_DIR,
   CONFIG_FILE,
   CREDENTIALS_FILE,
+  LOCAL_CONFIG_DIR,
+  LOCAL_CREDENTIALS_FILE,
   loadConfig,
   saveConfig,
   getConfigValue,
@@ -111,6 +158,9 @@ module.exports = {
   clearCredentials,
   getToken,
   setAuth,
+  getAuthSource,
+  hasLocalCredentials,
+  ensureLocalGitignore,
   getApiUrl,
   getAppUrl,
   getDefaultApp,

package/cli.js

@@ -47,14 +47,15 @@ const COMMANDS = {
   },
   login: {
     desc: 'Authenticate with SecureNow',
-    usage: 'securenow login [--token <TOKEN>]',
-    flags: { token: 'Authenticate with a token directly' },
+    usage: 'securenow login [--token <TOKEN>] [--local]',
+    flags: { token: 'Authenticate with a token directly', local: 'Save credentials to this project only (.securenow/)' },
     run: (a, f) => require('./cli/auth').login(a, f),
   },
   logout: {
     desc: 'Clear stored credentials',
-    usage: 'securenow logout',
-    run: () => require('./cli/auth').logout(),
+    usage: 'securenow logout [--local]',
+    flags: { local: 'Clear project-local credentials only' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
   },
   whoami: {
     desc: 'Show current session info',
@@ -276,8 +277,12 @@ const COMMANDS = {
         desc: 'Show config file path',
         run: () => {
           const conf = require('./cli/config');
-          console.log(`Config:      ${conf.CONFIG_FILE}`);
-          console.log(`Credentials: ${conf.CREDENTIALS_FILE}`);
+          console.log(`Config:         ${conf.CONFIG_FILE}`);
+          console.log(`Credentials:    ${conf.CREDENTIALS_FILE}`);
+          if (conf.hasLocalCredentials()) {
+            console.log(`Local creds:    ${conf.LOCAL_CREDENTIALS_FILE} ${require('./cli/ui').c.green('(active)')}`);
+          }
+          console.log(`Auth source:    ${conf.getAuthSource()}`);
         },
       },
     },

package/docs/ALL-FRAMEWORKS-QUICKSTART.md

@@ -764,10 +764,14 @@ The SecureNow CLI is your terminal command center. Below is every command organi
 
 | Command | What It Does |
 |---------|-------------|
-| `securenow login` | Opens browser to authenticate |
+| `securenow login` | Opens browser to authenticate (global session) |
 | `securenow login --token <T>` | Authenticate with a token (for CI/CD or headless servers) |
+| `securenow login --local` | Save credentials to this project only (per-project session) |
 | `securenow logout` | Clear stored credentials |
-| `securenow whoami` | Show current session (email, API URL, expiry, default app) |
+| `securenow logout --local` | Clear project-local credentials only |
+| `securenow whoami` | Show current session (email, API URL, auth source, expiry, default app) |
+
+**Per-project credentials:** Use `--local` to maintain separate logins for different projects on the same machine. The CLI resolves credentials in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ### App Management
 
@@ -1313,9 +1317,15 @@ Or re-authenticate with a token:
 npx securenow login --token <YOUR_TOKEN>
 ```
 
+Or set the env var directly:
+
+```bash
+SECURENOW_TOKEN=<YOUR_JWT> npx securenow whoami
+```
+
 ### CLI says "Session expired"
 
-Tokens expire after a set period. Re-run `securenow login` to get a fresh session.
+Tokens expire after a set period. Re-run `securenow login` to get a fresh session. Use `securenow whoami` to check which credential source is active.
 
 ---
 

package/docs/API-KEYS-GUIDE.md

@@ -128,7 +128,7 @@ The firewall SDK reads this automatically on startup.
 ### In CI/CD
 
 ```yaml
-# GitHub Actions example
+# GitHub Actions example — SDK firewall key
 env:
   SECURENOW_API_KEY: ${{ secrets.SECURENOW_API_KEY }}
 
@@ -139,6 +139,22 @@ steps:
       echo "$ISSUES" | jq '.issues | length'
 ```
 
+### CLI Authentication in CI/CD
+
+For CLI commands in CI, use the `SECURENOW_TOKEN` env var to skip file-based login:
+
+```yaml
+# GitHub Actions example — CLI auth via env var
+env:
+  SECURENOW_TOKEN: ${{ secrets.SECURENOW_CLI_TOKEN }}
+
+steps:
+  - run: npx securenow issues --json --status open
+  - run: npx securenow forensics "critical attacks in last 24h" --json
+```
+
+The `SECURENOW_TOKEN` env var takes priority over any stored credentials.
+
 ---
 
 ## Key Management

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.15.2",
+  "version": "5.16.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",