securenow 5.18.0 → 6.0.0

package/free-trial-banner.js

@@ -1,174 +0,0 @@
-'use strict';
-
-/**
- * Free Trial Banner — auto-injects a visible "Testing Environment" banner
- * into HTML pages served by apps using the SecureNow free trial instance.
- *
- * Opt-out: set SECURENOW_HIDE_BANNER=1
- */
-
-const FREETRIAL_HOST = 'freetrial.securenow.ai';
-
-function isFreeTrial(endpointBase) {
-  return !!endpointBase && endpointBase.includes(FREETRIAL_HOST);
-}
-
-/* istanbul ignore next — runs in browser, not Node */
-function _bannerClientCode() {
-  if (window.__snBanner) return;
-  window.__snBanner = 1;
-
-  function create() {
-    if (document.getElementById('sn-ft-banner')) return;
-
-    var d = document.createElement('div');
-    d.id = 'sn-ft-banner';
-    d.style.cssText =
-      'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
-      'background:#FEF3CD;color:#856404;padding:10px 16px;' +
-      'font-family:system-ui,-apple-system,sans-serif;font-size:13px;' +
-      'text-align:center;border-bottom:2px solid #FFE69C;' +
-      'display:flex;align-items:center;justify-content:center;gap:6px;' +
-      'box-shadow:0 2px 8px rgba(0,0,0,0.12)';
-
-    var icon = document.createElement('span');
-    icon.textContent = '\u26a0\ufe0f';
-    d.appendChild(icon);
-
-    var msg = document.createElement('span');
-    var strong = document.createElement('strong');
-    strong.textContent = 'Testing Environment:';
-    msg.appendChild(strong);
-    msg.appendChild(document.createTextNode(
-      ' Only add test applications. For production usage, '
-    ));
-
-    var link = document.createElement('a');
-    link.href = 'https://app.securenow.ai/dashboard/settings/instances';
-    link.target = '_blank';
-    link.rel = 'noopener';
-    link.style.cssText = 'color:#664D03;font-weight:600;text-decoration:underline';
-    link.textContent = 'create a new production instance';
-    msg.appendChild(link);
-    msg.appendChild(document.createTextNode('.'));
-    d.appendChild(msg);
-
-    var upgradeBtn = document.createElement('a');
-    upgradeBtn.href = 'https://app.securenow.ai/dashboard/settings/instances';
-    upgradeBtn.target = '_blank';
-    upgradeBtn.rel = 'noopener';
-    upgradeBtn.textContent = '\u26a1 Upgrade';
-    upgradeBtn.style.cssText =
-      'display:inline-flex;align-items:center;gap:4px;' +
-      'background:#D97706;color:#fff;padding:4px 12px;border-radius:4px;' +
-      'font-size:12px;font-weight:600;text-decoration:none;margin-left:10px;' +
-      'white-space:nowrap;transition:background 0.15s';
-    upgradeBtn.onmouseover = function () { upgradeBtn.style.background = '#B45309'; };
-    upgradeBtn.onmouseout = function () { upgradeBtn.style.background = '#D97706'; };
-    d.appendChild(upgradeBtn);
-
-    var close = document.createElement('button');
-    close.textContent = '\u00d7';
-    close.style.cssText =
-      'background:none;border:none;color:#856404;font-size:18px;' +
-      'cursor:pointer;margin-left:12px;padding:0 4px;line-height:1';
-    close.onclick = function () { d.style.display = 'none'; };
-    d.appendChild(close);
-
-    document.body.prepend(d);
-  }
-
-  if (document.readyState === 'loading') {
-    document.addEventListener('DOMContentLoaded', create);
-  } else {
-    create();
-  }
-}
-
-var BANNER_SCRIPT =
-  '<script data-securenow-banner>(' +
-  _bannerClientCode.toString() +
-  ')()</scr' + 'ipt>';
-
-/**
- * Monkey-patch http.ServerResponse to inject the banner script into HTML
- * responses. Searches for `<head...>` and inserts the script right after it.
- * Skips compressed responses and non-HTML content types.
- */
-function patchHttpForBanner() {
-  try {
-    var http = require('http');
-    var _origWrite = http.ServerResponse.prototype.write;
-    var _origEnd   = http.ServerResponse.prototype.end;
-
-    function maybeInject(res, chunk) {
-      if (res._snBannerDone || !chunk) return chunk;
-
-      if (res._snIsHtml === undefined) {
-        var ct = res.getHeader('content-type');
-        var ce = res.getHeader('content-encoding');
-        var csp = res.getHeader('content-security-policy');
-        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce && !csp);
-      }
-      if (!res._snIsHtml) {
-        res._snBannerDone = true;
-        return chunk;
-      }
-
-      var isStr = typeof chunk === 'string';
-      var isBuf = Buffer.isBuffer(chunk);
-      if (!isStr && !isBuf) return chunk;
-
-      var str = isStr ? chunk : chunk.toString('utf8');
-      var headIdx = str.indexOf('<head');
-      if (headIdx === -1) return chunk;
-
-      var gt = str.indexOf('>', headIdx);
-      if (gt === -1) return chunk;
-
-      res._snBannerDone = true;
-      var result = str.slice(0, gt + 1) + BANNER_SCRIPT + str.slice(gt + 1);
-      return isStr ? result : Buffer.from(result, 'utf8');
-    }
-
-    http.ServerResponse.prototype.write = function (chunk, encoding, cb) {
-      try {
-        var modified = maybeInject(this, chunk);
-        if (modified !== chunk) {
-          var enc = typeof encoding === 'function' ? 'utf8' : encoding;
-          var callback = typeof encoding === 'function' ? encoding : cb;
-          try {
-            if (this.getHeader('content-length')) {
-              this.setHeader('content-length', Buffer.byteLength(modified));
-            }
-          } catch (_) { /* headers already sent */ }
-          return _origWrite.call(this, modified, enc, callback);
-        }
-      } catch (_) { /* never break the app */ }
-      return _origWrite.call(this, chunk, encoding, cb);
-    };
-
-    http.ServerResponse.prototype.end = function (chunk, encoding, cb) {
-      try {
-        var modified = maybeInject(this, chunk);
-        if (modified !== chunk) {
-          var enc = typeof encoding === 'function' ? 'utf8' : encoding;
-          var callback = typeof encoding === 'function' ? encoding : cb;
-          try {
-            if (this.getHeader('content-length')) {
-              this.setHeader('content-length', Buffer.byteLength(modified));
-            }
-          } catch (_) { /* headers already sent */ }
-          return _origEnd.call(this, modified, enc, callback);
-        }
-      } catch (_) { /* never break the app */ }
-      return _origEnd.call(this, chunk, encoding, cb);
-    };
-
-    console.log('[securenow] Free trial banner injection enabled');
-  } catch (err) {
-    console.warn('[securenow] Could not setup free trial banner:', err.message);
-  }
-}
-
-module.exports = { isFreeTrial, patchHttpForBanner, BANNER_SCRIPT };

package/nuxt-server-plugin.mjs

@@ -1,423 +0,0 @@
-/**
- * SecureNow Nitro Server Plugin
- *
- * Initialises the OpenTelemetry SDK and hooks into Nitro's request lifecycle
- * to create spans, capture metadata, and forward logs.
- *
- * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
- */
-
-import { NodeSDK } from '@opentelemetry/sdk-node';
-import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
-import { Resource } from '@opentelemetry/resources';
-import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
-import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
-import {
-  context as otelContext,
-  trace as otelTrace,
-  SpanStatusCode,
-} from '@opentelemetry/api';
-import { v4 as uuidv4 } from 'uuid';
-
-// ── Helpers ──
-
-const env = (k) =>
-  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-
-const parseHeaders = (str) => {
-  const out = {};
-  if (!str) return out;
-  for (const raw of String(str).split(',')) {
-    const s = raw.trim();
-    if (!s) continue;
-    const i = s.indexOf('=');
-    if (i === -1) continue;
-    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
-  }
-  return out;
-};
-
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-function redactSensitiveData(obj, fields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  for (const key of Object.keys(redacted)) {
-    const lower = key.toLowerCase();
-    if (fields.some((f) => lower.includes(f.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], fields);
-    }
-  }
-  return redacted;
-}
-
-// ── Runtime config helpers ──
-
-function getRuntimeOptions() {
-  try {
-    const cfg = useRuntimeConfig();
-    return cfg.securenow || {};
-  } catch {
-    return {};
-  }
-}
-
-// ── Plugin ──
-
-export default defineNitroPlugin((nitroApp) => {
-  const opts = getRuntimeOptions();
-
-  // ── Naming ──
-  const rawBase = (
-    opts.serviceName ||
-    env('OTEL_SERVICE_NAME') ||
-    env('SECURENOW_APPID') ||
-    ''
-  ).trim().replace(/^['"]|['"]$/g, '');
-
-  const baseName = rawBase || null;
-  const noUuid =
-    opts.noUuid ??
-    (String(env('SECURENOW_NO_UUID')) === '1' ||
-      String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
-
-  let serviceName;
-  if (baseName) {
-    serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
-  } else {
-    serviceName = `nuxt-app-${uuidv4()}`;
-    console.warn(
-      '[securenow] ⚠️  No SECURENOW_APPID set. Using fallback: %s',
-      serviceName,
-    );
-    console.warn(
-      '[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env for better tracking',
-    );
-  }
-
-  const serviceInstanceId = `${baseName || 'securenow'}-${uuidv4()}`;
-
-  // ── Endpoints ──
-  const endpointBase = (
-    opts.endpoint ||
-    env('SECURENOW_INSTANCE') ||
-    env('OTEL_EXPORTER_OTLP_ENDPOINT') ||
-    'https://freetrial.securenow.ai:4318'
-  ).replace(/\/$/, '');
-
-  const tracesUrl =
-    env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-  const logsUrl =
-    env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
-  const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
-
-  // ── Resource ──
-  const resource = new Resource({
-    [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-    [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
-    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]:
-      env('NODE_ENV') || 'production',
-    [SemanticResourceAttributes.SERVICE_VERSION]:
-      process.env.npm_package_version || undefined,
-    'framework': 'nuxt',
-  });
-
-  // ── Body capture config ──
-  const captureBody =
-    opts.captureBody ??
-    (String(env('SECURENOW_CAPTURE_BODY')) === '1' ||
-      String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true');
-  const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-  const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '')
-    .split(',')
-    .map((s) => s.trim())
-    .filter(Boolean);
-  const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-
-  // ── HTTP instrumentation ──
-  const httpInstrumentation = new HttpInstrumentation({
-    requestHook: (span, request) => {
-      try {
-        const hdrs = request.headers || {};
-        const fwd = hdrs['x-forwarded-for'];
-        const clientIp =
-          (fwd ? String(fwd).split(',')[0].trim() : null) ||
-          hdrs['x-real-ip'] ||
-          hdrs['cf-connecting-ip'] ||
-          hdrs['x-client-ip'] ||
-          request.socket?.remoteAddress ||
-          'unknown';
-
-        span.setAttributes({
-          'http.client_ip': clientIp,
-          'http.user_agent': hdrs['user-agent'] || '',
-          'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
-          'http.scheme':
-            hdrs['x-forwarded-proto'] ||
-            (request.socket?.encrypted ? 'https' : 'http'),
-          'http.referer': hdrs['referer'] || '',
-          'http.origin': hdrs['origin'] || '',
-          'http.request_id':
-            hdrs['x-request-id'] || hdrs['x-trace-id'] || '',
-        });
-
-        if (hdrs['authorization']) {
-          span.setAttribute('http.security.auth_present', 'true');
-        }
-        if (hdrs['cookie']) {
-          span.setAttribute('http.security.cookies_present', 'true');
-        }
-
-        // Body capture via stream listener (same approach as tracing.js)
-        if (
-          captureBody &&
-          request.method &&
-          ['POST', 'PUT', 'PATCH'].includes(request.method)
-        ) {
-          const ct = hdrs['content-type'] || '';
-          if (
-            ct.includes('application/json') ||
-            ct.includes('application/graphql') ||
-            ct.includes('application/x-www-form-urlencoded')
-          ) {
-            const chunks = [];
-            let size = 0;
-            request.on('data', (chunk) => {
-              size += chunk.length;
-              if (size <= maxBodySize) chunks.push(chunk);
-            });
-            request.on('end', () => {
-              if (size > maxBodySize) {
-                span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
-                return;
-              }
-              if (chunks.length === 0) return;
-              const raw = Buffer.concat(chunks).toString('utf8');
-              try {
-                const parsed = JSON.parse(raw);
-                const redacted = redactSensitiveData(parsed, allSensitiveFields);
-                span.setAttributes({
-                  'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-                  'http.request.body.type': ct.includes('graphql') ? 'graphql' : 'json',
-                  'http.request.body.size': size,
-                });
-              } catch {
-                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
-                span.setAttribute('http.request.body.parse_error', true);
-              }
-            });
-          }
-        }
-      } catch {
-        // never break the request
-      }
-    },
-  });
-
-  // ── Trace exporter + SDK ──
-  const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
-
-  const sdk = new NodeSDK({
-    traceExporter,
-    resource,
-    instrumentations: [httpInstrumentation],
-  });
-
-  sdk.start();
-  console.log('[securenow] 🚀 Nuxt OTel SDK started → %s', tracesUrl);
-  console.log(
-    '[securenow] service.name=%s instance.id=%s',
-    serviceName,
-    serviceInstanceId,
-  );
-
-  // ── Logging ──
-  const loggingEnabled =
-    opts.logging ??
-    (String(env('SECURENOW_LOGGING_ENABLED')) === '1' ||
-      String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true');
-
-  let loggerProvider = null;
-
-  if (loggingEnabled) {
-    try {
-      const { OTLPLogExporter } = await import(
-        '@opentelemetry/exporter-logs-otlp-http'
-      );
-      const { LoggerProvider, BatchLogRecordProcessor } = await import(
-        '@opentelemetry/sdk-logs'
-      );
-
-      const logExporter = new OTLPLogExporter({ url: logsUrl, headers });
-      loggerProvider = new LoggerProvider({ resource });
-      loggerProvider.addLogRecordProcessor(
-        new BatchLogRecordProcessor(logExporter),
-      );
-
-      const logger = loggerProvider.getLogger('console', '1.0.0');
-      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-      const orig = {
-        log: console.log,
-        info: console.info,
-        warn: console.warn,
-        error: console.error,
-        debug: console.debug,
-      };
-
-      function emitLog(sn, st, args) {
-        try {
-          const ctx = otelContext.active();
-          const spanCtx = otelTrace.getSpanContext(ctx);
-          logger.emit({
-            severityNumber: sn,
-            severityText: st,
-            body: args
-              .map((a) =>
-                typeof a === 'object' && a !== null ? JSON.stringify(a) : String(a),
-              )
-              .join(' '),
-            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
-            ...(spanCtx && { context: ctx }),
-          });
-        } catch {
-          // swallow
-        }
-      }
-
-      console.log = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.log.apply(console, a); };
-      console.info = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.info.apply(console, a); };
-      console.warn = (...a) => { emitLog(SEV.WARN, 'WARN', a); orig.warn.apply(console, a); };
-      console.error = (...a) => { emitLog(SEV.ERROR, 'ERROR', a); orig.error.apply(console, a); };
-      console.debug = (...a) => { emitLog(SEV.DEBUG, 'DEBUG', a); orig.debug.apply(console, a); };
-
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
-    } catch (e) {
-      console.warn('[securenow] ⚠️  Logging setup failed:', e.message);
-    }
-  } else {
-    console.log(
-      '[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)',
-    );
-  }
-
-  if (captureBody) {
-    console.log(
-      '[securenow] 📝 Body capture: ENABLED (max %d bytes, redacting %d fields)',
-      maxBodySize,
-      allSensitiveFields.length,
-    );
-  }
-
-  // ── Free trial banner ──
-  try {
-    const { isFreeTrial, patchHttpForBanner } = await import('./free-trial-banner.js');
-    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
-      patchHttpForBanner();
-    }
-  } catch {
-    // not critical
-  }
-
-  // ── Firewall — runs independently from OTel ──
-  const firewallApiKey = env('SECURENOW_API_KEY');
-  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
-    try {
-      const { init: fwInit } = await import('./firewall.js');
-      fwInit({
-        apiKey: firewallApiKey,
-        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-        log: env('SECURENOW_FIREWALL_LOG') !== '0',
-        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
-      });
-    } catch (e) {
-      console.warn('[securenow] Firewall init failed:', e.message);
-    }
-  }
-
-  // ── Graceful shutdown ──
-  const shutdown = async (sig) => {
-    try {
-      await sdk.shutdown?.();
-      if (loggerProvider) await loggerProvider.shutdown?.();
-      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
-      console.log(`[securenow] Shut down on ${sig}`);
-    } catch {
-      // swallow
-    }
-  };
-  process.on('SIGINT', () => shutdown('SIGINT'));
-  process.on('SIGTERM', () => shutdown('SIGTERM'));
-
-  // ── Nitro request hooks for span enrichment ──
-  const tracer = otelTrace.getTracer('securenow-nuxt', '1.0.0');
-  const spanMap = new WeakMap();
-
-  nitroApp.hooks.hook('request', (event) => {
-    try {
-      const req = event.node.req;
-      const method = event.method || req.method || 'GET';
-      const path = event.path || req.url || '/';
-
-      const span = tracer.startSpan(`${method} ${path}`, {
-        attributes: {
-          'http.method': method,
-          'http.target': path,
-          'http.url': `${req.headers?.['x-forwarded-proto'] || 'http'}://${req.headers?.host || 'localhost'}${path}`,
-          'component': 'nuxt-nitro',
-        },
-      });
-
-      spanMap.set(event, span);
-    } catch {
-      // never break the request
-    }
-  });
-
-  nitroApp.hooks.hook('afterResponse', (event) => {
-    try {
-      const span = spanMap.get(event);
-      if (!span) return;
-
-      const status = event.node.res.statusCode || 200;
-      span.setAttribute('http.status_code', status);
-
-      if (status >= 500) {
-        span.setStatus({ code: SpanStatusCode.ERROR, message: `HTTP ${status}` });
-      }
-
-      span.end();
-      spanMap.delete(event);
-    } catch {
-      // swallow
-    }
-  });
-
-  nitroApp.hooks.hook('error', (error, { event }) => {
-    try {
-      const span = event ? spanMap.get(event) : null;
-      if (span) {
-        span.recordException(error);
-        span.setStatus({
-          code: SpanStatusCode.ERROR,
-          message: error.message || 'Internal Server Error',
-        });
-        span.end();
-        spanMap.delete(event);
-      }
-    } catch {
-      // swallow
-    }
-  });
-});

package/nuxt.d.ts

@@ -1,60 +0,0 @@
-/**
- * SecureNow Nuxt 3 Module TypeScript Declarations
- */
-
-export interface SecureNowNuxtOptions {
-  /**
-   * Service name for OpenTelemetry traces.
-   * @default process.env.SECURENOW_APPID || process.env.OTEL_SERVICE_NAME
-   */
-  serviceName?: string;
-
-  /**
-   * OTLP endpoint base URL.
-   * @default process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318'
-   */
-  endpoint?: string;
-
-  /**
-   * Don't append UUID to service name (useful when running a single instance).
-   * @default false
-   */
-  noUuid?: boolean;
-
-  /**
-   * Capture request bodies (POST/PUT/PATCH) on traced spans.
-   * Sensitive fields are automatically redacted.
-   * @default false
-   */
-  captureBody?: boolean;
-
-  /**
-   * Enable console log forwarding as OTLP log records.
-   * @default false
-   */
-  logging?: boolean;
-}
-
-declare module 'nuxt/schema' {
-  interface NuxtConfig {
-    securenow?: SecureNowNuxtOptions;
-  }
-  interface NuxtOptions {
-    securenow?: SecureNowNuxtOptions;
-  }
-  interface RuntimeConfig {
-    securenow?: SecureNowNuxtOptions;
-  }
-}
-
-declare module '@nuxt/schema' {
-  interface NuxtConfig {
-    securenow?: SecureNowNuxtOptions;
-  }
-  interface NuxtOptions {
-    securenow?: SecureNowNuxtOptions;
-  }
-  interface RuntimeConfig {
-    securenow?: SecureNowNuxtOptions;
-  }
-}