securenow 5.17.1 → 6.0.0

package/docs/NUXT-GUIDE.md

@@ -1,166 +0,0 @@
-# SecureNow — Nuxt 3 Setup Guide
-
-## Quick Start (1 minute)
-
-### 1. Install
-
-```bash
-npm install securenow
-```
-
-### 2. Add the module to `nuxt.config.ts`
-
-```ts
-export default defineNuxtConfig({
-  modules: ['securenow/nuxt'],
-});
-```
-
-### 3. Set environment variables
-
-Create a `.env` file in your project root:
-
-```env
-SECURENOW_APPID=my-nuxt-app
-SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
-```
-
-### 4. Start your app
-
-```bash
-nuxt dev
-```
-
-You should see in the console:
-
-```
-[securenow] Nuxt module loaded — server plugin registered
-[securenow] 🚀 Nuxt OTel SDK started → https://freetrial.securenow.ai:4318/v1/traces
-[securenow] service.name=my-nuxt-app instance.id=my-nuxt-app-...
-```
-
-That's it — all server-side requests are now traced.
-
----
-
-## Configuration
-
-### Module options in `nuxt.config.ts`
-
-```ts
-export default defineNuxtConfig({
-  modules: ['securenow/nuxt'],
-  securenow: {
-    serviceName: 'my-nuxt-app',     // overrides SECURENOW_APPID
-    endpoint: 'http://host:4318',   // overrides SECURENOW_INSTANCE
-    noUuid: true,                   // single service.name (no UUID suffix)
-    captureBody: true,              // capture POST/PUT/PATCH bodies
-    logging: true,                  // forward console.* as OTLP logs
-  },
-});
-```
-
-### Environment variables
-
-All standard SecureNow env vars are supported:
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_APPID` | Service name | `nuxt-app-<uuid>` |
-| `SECURENOW_INSTANCE` | OTLP base URL | `https://freetrial.securenow.ai:4318` |
-| `SECURENOW_NO_UUID` | Don't append UUID to service name | `false` |
-| `SECURENOW_LOGGING_ENABLED` | Forward console logs as OTLP | `false` |
-| `SECURENOW_CAPTURE_BODY` | Capture request bodies | `false` |
-| `SECURENOW_MAX_BODY_SIZE` | Max body size to capture (bytes) | `10240` |
-| `SECURENOW_SENSITIVE_FIELDS` | Extra fields to redact (CSV) | _(built-in list)_ |
-| `OTEL_EXPORTER_OTLP_ENDPOINT` | Alternative OTLP base URL | — |
-| `OTEL_EXPORTER_OTLP_HEADERS` | OTLP headers (k=v,k2=v2) | — |
-
----
-
-## What gets traced
-
-### Automatic (out of the box)
-
-- All Nitro server handler requests (API routes, SSR pages, middleware)
-- HTTP method, path, status code, duration
-- Client IP address (with proxy-aware resolution)
-- User-Agent, Referer, Origin, Host
-- Security header presence (auth, cookies, CSRF)
-- Request IDs and correlation headers
-
-### With `captureBody: true`
-
-- POST/PUT/PATCH request bodies (JSON, form-urlencoded, GraphQL)
-- Sensitive fields auto-redacted (passwords, tokens, etc.)
-- Bodies larger than `SECURENOW_MAX_BODY_SIZE` are skipped
-
-### With `logging: true`
-
-- All `console.log/info/warn/error/debug` calls forwarded as OTLP log records
-- Logs correlated with active trace spans
-
----
-
-## Comparison with Next.js integration
-
-| Feature | Nuxt (`securenow/nuxt`) | Next.js (`securenow/nextjs`) |
-|---------|-------------------------|------------------------------|
-| Setup | Add to `modules` array | Create `instrumentation.ts` |
-| Config | `nuxt.config.ts` | `.env.local` + `next.config.js` |
-| Server tracing | Nitro hooks | HTTP instrumentation |
-| Edge runtime | Not supported | Skipped gracefully |
-| Vercel support | Via env vars | `@vercel/otel` integration |
-| Body capture | HTTP instrumentation | Middleware + `Request.clone()` |
-| Logging | Console patching | Console patching |
-
----
-
-## Deployment
-
-### Node.js server (PM2, Docker, etc.)
-
-Works out of the box with `nuxt build && node .output/server/index.mjs`.
-
-### Vercel / Netlify / Cloudflare
-
-Set env vars in the platform dashboard:
-
-```
-SECURENOW_APPID=my-nuxt-app
-SECURENOW_INSTANCE=https://your-otlp-backend:4318
-```
-
-> Note: On edge runtimes (Cloudflare Workers, Vercel Edge), some Node.js-specific
-> instrumentations may not be available. Server-handler tracing via Nitro hooks
-> still works.
-
----
-
-## Troubleshooting
-
-### No traces appearing
-
-1. Check that `SECURENOW_APPID` and `SECURENOW_INSTANCE` are set
-2. Look for `[securenow] 🚀 Nuxt OTel SDK started` in the console
-3. Verify the OTLP endpoint is reachable from your server
-
-### Module not loading
-
-Make sure you're using Nuxt 3 (`nuxt: ">=3.0.0"`) and the module is listed
-in the `modules` array (not `buildModules`).
-
-### OpenTelemetry packages bundled by Nitro
-
-The module automatically externalizes OTel packages. If you see bundling errors,
-manually add to `nuxt.config.ts`:
-
-```ts
-export default defineNuxtConfig({
-  nitro: {
-    externals: {
-      external: ['securenow', '@opentelemetry/api', '@opentelemetry/sdk-node'],
-    },
-  },
-});
-```

package/docs/SOLUTION-SUMMARY.md

@@ -1,312 +0,0 @@
-# ✅ Self-Sufficient Body Capture Solution - Complete!
-
-## 🎯 The Challenge
-
-**Problem:** Next.js request streams can only be read once. Reading them at the HTTP instrumentation level locks the stream and causes:
-```
-TypeError: Response body object should not be disturbed or locked
-```
-
-**Solution:** Use Next.js middleware that:
-- Clones the request before reading (doesn't lock original)
-- Reads body safely
-- All logic is in the package (self-sufficient!)
-
----
-
-## 🚀 How It Works (Self-Sufficient!)
-
-### For Your Customers - Only 2 Steps!
-
-**Step 1: During Installation**
-
-When they run `npm install securenow`, the installer asks:
-
-```
-Would you like to automatically create instrumentation file? (Y/n) Y
-✅ Created instrumentation.ts
-
-Would you like to enable request body capture? (y/N) y
-✅ Created middleware.ts
-   → Captures JSON, GraphQL, Form bodies with auto-redaction
-```
-
-**Step 2: Configure**
-
-Edit `.env.local` (already created by installer):
-```bash
-SECURENOW_APPID=my-app
-SECURENOW_INSTANCE=http://otel-collector:4318
-SECURENOW_CAPTURE_BODY=1  # Enable body capture
-```
-
-**That's IT!** 🎉 No code to write!
-
----
-
-## 📦 What's in the Package (Self-Sufficient!)
-
-### 1. nextjs-middleware.js
-
-**Exports ready-to-use middleware:**
-```javascript
-export { middleware } from 'securenow/nextjs-middleware';
-```
-
-**Customers just re-export it!** No code to write:
-```typescript
-// middleware.ts (created by installer)
-export { middleware } from 'securenow/nextjs-middleware';
-
-export const config = {
-  matcher: '/api/:path*',
-};
-```
-
-### 2. All Logic is in the Package
-
-**The middleware handles:**
-- ✅ Request cloning (doesn't lock stream)
-- ✅ Body parsing (JSON, GraphQL, Form)
-- ✅ Sensitive field redaction (20+ fields)
-- ✅ Size limits
-- ✅ Error handling
-- ✅ Span attribution
-
-**Customer writes: 0 lines of logic!**
-
----
-
-## 🔧 Technical Solution
-
-### The Key: request.clone()
-
-```javascript
-// In nextjs-middleware.js (part of package)
-async function middleware(request) {
-  // Clone request so original is not consumed
-  const clonedRequest = request.clone();
-  const bodyText = await clonedRequest.text();
-  
-  // Original request is untouched!
-  // Next.js can still read it normally
-  
-  // Parse and redact body
-  const redacted = redactSensitiveData(JSON.parse(bodyText));
-  
-  // Add to span
-  span.setAttribute('http.request.body', JSON.stringify(redacted));
-  
-  // Continue to Next.js
-  return NextResponse.next();
-}
-```
-
-**Why this works:**
-- `request.clone()` creates a copy
-- Clone can be read without affecting original
-- Next.js reads the original stream normally
-- No locking errors!
-
----
-
-## 📊 Comparison
-
-### ❌ Previous Approach (Broken)
-
-```javascript
-// In requestHook - DOESN'T WORK
-request.on('data', (chunk) => {
-  chunks.push(chunk);  // Consumes stream
-});
-// → Next.js can't read stream → ERROR
-```
-
-### ✅ New Approach (Works!)
-
-```javascript
-// In Next.js middleware - WORKS
-const cloned = request.clone();
-const body = await cloned.text();  // Read clone
-// → Original stream is untouched → No error!
-```
-
----
-
-## 🎯 Customer Journey (Fully Automated!)
-
-### Installation Experience
-
-```bash
-$ npm install securenow
-
-┌─────────────────────────────────────────────────┐
-│  🎉 SecureNow installed successfully!          │
-│  Next.js project detected                       │
-└─────────────────────────────────────────────────┘
-
-Would you like to automatically create instrumentation file? (Y/n) Y
-✅ Created instrumentation.ts
-
-Would you like to enable request body capture? (y/N) y
-✅ Created middleware.ts
-   → Captures JSON, GraphQL, Form bodies with auto-redaction
-
-✅ Created .env.local template
-
-┌─────────────────────────────────────────────────┐
-│  🚀 Next Steps:                                 │
-│                                                 │
-│  1. Edit .env.local and set:                   │
-│     SECURENOW_APPID=your-app-name              │
-│     SECURENOW_INSTANCE=http://otel-collector:4318      │
-│     SECURENOW_CAPTURE_BODY=1                   │
-│                                                 │
-│  2. Run your app: npm run dev                  │
-│                                                 │
-│  3. Check SecureNow for traces!                │
-│                                                 │
-│  📝 Body capture enabled with auto-redaction   │
-└─────────────────────────────────────────────────┘
-```
-
-**Total customer code written: 0 lines!**
-
----
-
-## ✨ Self-Sufficient Features
-
-### What the Package Provides
-
-1. **nextjs-middleware.js**
-   - Complete middleware implementation
-   - All parsing logic
-   - All redaction logic
-   - Error handling
-   - Span attribution
-
-2. **Postinstall Script**
-   - Auto-detects Next.js
-   - Offers to create files
-   - Creates middleware.ts with correct import
-   - Updates .env.local template
-
-3. **Examples**
-   - `examples/nextjs-middleware.ts`
-   - `examples/nextjs-middleware.js`
-   - Ready to copy if needed
-
-4. **Documentation**
-   - `NEXTJS-BODY-CAPTURE.md` - Complete guide
-   - Shows the one-line import
-
----
-
-## 🔒 Security (Built Into Package!)
-
-**All in the package:**
-- ✅ 20+ sensitive fields redacted
-- ✅ Recursive redaction
-- ✅ GraphQL pattern matching
-- ✅ Size limits
-- ✅ Type detection
-
-**Customer configuration:**
-```bash
-# Optional: add custom fields
-SECURENOW_SENSITIVE_FIELDS=email,phone
-```
-
-**Customer code: 0 lines!**
-
----
-
-## 📝 Files Created for Customer
-
-### By Installer
-
-1. **instrumentation.ts** (or .js)
-   ```typescript
-   export { middleware } from 'securenow/nextjs-middleware';
-   ```
-   *Just a re-export!*
-
-2. **middleware.ts** (or .js) - If they choose body capture
-   ```typescript
-   export { middleware } from 'securenow/nextjs-middleware';
-   export const config = { matcher: '/api/:path*' };
-   ```
-   *Just a re-export + config!*
-
-3. **.env.local**
-   ```bash
-   SECURENOW_APPID=my-app
-   SECURENOW_INSTANCE=http://otel-collector:4318
-   SECURENOW_CAPTURE_BODY=1
-   ```
-   *Just configuration!*
-
-**Total logic written by customer: 0 lines!**
-
----
-
-## 🎉 Result
-
-### For Next.js Users
-
-**Before (broken):**
-- Install package
-- Enable body capture
-- → Get stream locking error
-- → App breaks
-
-**After (self-sufficient):**
-- Install package
-- Answer "Y" twice
-- Edit config values
-- → Everything works
-- → Bodies captured
-- → Sensitive data redacted
-- → Zero code to write
-
-### For You
-
-**Self-sufficient package:**
-- ✅ Customers write 0 lines of code
-- ✅ Just import from package
-- ✅ All logic in package
-- ✅ No stream locking errors
-- ✅ Works perfectly with Next.js
-- ✅ Automatic setup via installer
-
----
-
-## ✅ Checklist
-
-- [x] Fixed stream locking error
-- [x] Created nextjs-middleware.js with all logic
-- [x] Updated package.json exports
-- [x] Enhanced postinstall to offer middleware creation
-- [x] Created example files
-- [x] Updated documentation
-- [x] Zero customer code required
-- [x] Tested - no linter errors
-
----
-
-## 🚀 Ready to Ship!
-
-**The error is fixed and the solution is self-sufficient!**
-
-Customers get:
-- ✅ Automatic file creation (installer)
-- ✅ One-line imports (re-export from package)
-- ✅ All logic in package (no code to write)
-- ✅ Automatic redaction (built-in)
-- ✅ No stream errors (uses clone)
-
-**Status: Production Ready!** 🎯
-
-
-
-

package/firewall-cloud.js

@@ -1,212 +0,0 @@
-'use strict';
-
-/**
- * Layer 4: Cloud/Edge WAF integration.
- * Pushes the blocklist to the customer's cloud WAF provider so traffic is
- * blocked at the CDN/edge before it ever reaches the origin server.
- *
- * Supported providers: cloudflare, aws, gcp
- * Cloud SDKs are optional peer dependencies — only required when enabled.
- * Cloud credentials are never logged.
- */
-
-const https = require('https');
-
-let _options = null;
-let _active = false;
-let _provider = null;
-let _lastPushTime = 0;
-
-const MIN_PUSH_INTERVAL_MS = 30000;
-
-// ────── Cloudflare ──────
-
-async function cloudflareSync(ips) {
-  const token = process.env.CLOUDFLARE_API_TOKEN;
-  const accountId = process.env.CLOUDFLARE_ACCOUNT_ID;
-  if (!token || !accountId) throw new Error('Missing CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID');
-
-  const listName = 'securenow-blocklist';
-
-  const lists = await cfApi('GET', `/accounts/${accountId}/rules/lists`, token);
-  let list = lists.result?.find(l => l.name === listName);
-
-  if (!list) {
-    const created = await cfApi('POST', `/accounts/${accountId}/rules/lists`, token, {
-      name: listName,
-      kind: 'ip',
-      description: 'Managed by SecureNow firewall SDK',
-    });
-    list = created.result;
-  }
-
-  const items = ips.map(ip => ({ ip: ip.includes('/') ? ip : ip + '/32' }));
-
-  await cfApi('PUT', `/accounts/${accountId}/rules/lists/${list.id}/items`, token, items);
-}
-
-function cfApi(method, path, token, body) {
-  return new Promise((resolve, reject) => {
-    const data = body ? JSON.stringify(body) : null;
-    const req = https.request({
-      hostname: 'api.cloudflare.com',
-      path: '/client/v4' + path,
-      method,
-      headers: {
-        'Authorization': `Bearer ${token}`,
-        'Content-Type': 'application/json',
-        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}),
-      },
-      timeout: 15000,
-    }, (res) => {
-      let chunks = '';
-      res.on('data', c => chunks += c);
-      res.on('end', () => {
-        try { resolve(JSON.parse(chunks)); } catch (e) { reject(new Error(`CF parse error: ${chunks.slice(0, 200)}`)); }
-      });
-    });
-    req.on('error', reject);
-    req.on('timeout', () => { req.destroy(); reject(new Error('Cloudflare API timeout')); });
-    if (data) req.write(data);
-    req.end();
-  });
-}
-
-// ────── AWS WAF ──────
-
-async function awsSync(ips) {
-  let WAFV2;
-  try {
-    WAFV2 = require('@aws-sdk/client-wafv2');
-  } catch {
-    throw new Error('AWS WAF requires @aws-sdk/client-wafv2 — install it: npm i @aws-sdk/client-wafv2');
-  }
-
-  const ipSetId = process.env.AWS_WAF_IP_SET_ID;
-  const ipSetName = process.env.AWS_WAF_IP_SET_NAME || 'securenow-blocklist';
-  const scope = process.env.AWS_WAF_SCOPE || 'REGIONAL';
-  if (!ipSetId) throw new Error('Missing AWS_WAF_IP_SET_ID');
-
-  const client = new WAFV2.WAFV2Client({});
-
-  const { IPSet, LockToken } = await client.send(new WAFV2.GetIPSetCommand({
-    Name: ipSetName,
-    Scope: scope,
-    Id: ipSetId,
-  }));
-
-  const addresses = ips.map(ip => ip.includes('/') ? ip : ip + '/32');
-
-  await client.send(new WAFV2.UpdateIPSetCommand({
-    Name: ipSetName,
-    Scope: scope,
-    Id: ipSetId,
-    Addresses: addresses,
-    LockToken,
-    Description: 'Managed by SecureNow firewall SDK',
-  }));
-}
-
-// ────── GCP Cloud Armor ──────
-
-async function gcpSync(ips) {
-  let compute;
-  try {
-    compute = require('@google-cloud/compute');
-  } catch {
-    throw new Error('GCP Cloud Armor requires @google-cloud/compute — install it: npm i @google-cloud/compute');
-  }
-
-  const project = process.env.GCP_PROJECT_ID;
-  const policyName = process.env.GCP_SECURITY_POLICY;
-  if (!project || !policyName) throw new Error('Missing GCP_PROJECT_ID or GCP_SECURITY_POLICY');
-
-  const client = new compute.SecurityPoliciesClient();
-  const rulePriority = 2000;
-
-  const srcRanges = ips.map(ip => ip.includes('/') ? ip : ip + '/32');
-
-  try {
-    await client.patchRule({
-      project,
-      securityPolicy: policyName,
-      priority: String(rulePriority),
-      securityPolicyRuleResource: {
-        priority: rulePriority,
-        action: 'deny(403)',
-        match: { versionedExpr: 'SRC_IPS_V1', config: { srcIpRanges: srcRanges } },
-        description: 'Managed by SecureNow firewall SDK',
-      },
-    });
-  } catch (e) {
-    if (e.code === 404 || e.message?.includes('not found')) {
-      await client.addRule({
-        project,
-        securityPolicy: policyName,
-        securityPolicyRuleResource: {
-          priority: rulePriority,
-          action: 'deny(403)',
-          match: { versionedExpr: 'SRC_IPS_V1', config: { srcIpRanges: srcRanges } },
-          description: 'Managed by SecureNow firewall SDK',
-        },
-      });
-    } else {
-      throw e;
-    }
-  }
-}
-
-// ────── Provider dispatch ──────
-
-const PROVIDERS = {
-  cloudflare: cloudflareSync,
-  aws: awsSync,
-  gcp: gcpSync,
-};
-
-// ────── Public API ──────
-
-function init(options) {
-  _options = options;
-  const provider = (options.cloud || '').toLowerCase();
-
-  if (!PROVIDERS[provider]) {
-    if (_options.log) console.warn('[securenow] Firewall cloud: unknown provider "%s", expected cloudflare|aws|gcp', provider);
-    return;
-  }
-
-  _provider = provider;
-  _active = true;
-}
-
-/**
- * Called by the firewall core after each successful blocklist sync.
- * Throttled to max 1 push per MIN_PUSH_INTERVAL_MS.
- * @param {string[]} ips - Array of IPs and CIDRs to push
- */
-async function sync(ips) {
-  if (!_active || !_provider) return;
-
-  const now = Date.now();
-  if (now - _lastPushTime < MIN_PUSH_INTERVAL_MS) return;
-  _lastPushTime = now;
-
-  const dryRun = process.env.SECURENOW_FIREWALL_CLOUD_DRY_RUN === '1';
-  if (dryRun) {
-    if (_options.log) console.log('[securenow] Firewall cloud: dry-run — would push %d IPs to %s', ips.length, _provider);
-    return;
-  }
-
-  try {
-    await PROVIDERS[_provider](ips);
-    if (_options.log) console.log('[securenow] Firewall cloud: pushed %d IPs to %s', ips.length, _provider);
-  } catch (e) {
-    if (_options.log) console.warn('[securenow] Firewall cloud: push to %s failed:', _provider, e.message);
-  }
-}
-
-function shutdown() {
-  _active = false;
-}
-
-module.exports = { init, sync, shutdown };