securenow 5.7.1 → 5.8.1

package/CONSUMING-APPS-GUIDE.md

@@ -362,6 +362,14 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=KEY"
 SECURENOW_APPID=my-app                   # Your app name
 OTEL_SERVICE_NAME=my-app                 # Alternative
 
+# Request Body Capture
+SECURENOW_CAPTURE_BODY=1                 # Capture JSON/form/GraphQL request bodies
+SECURENOW_MAX_BODY_SIZE=10240            # Max body size in bytes (default: 10KB)
+SECURENOW_SENSITIVE_FIELDS="field1,field2" # Additional fields to redact
+
+# Multipart Body Capture (v5.8.0+)
+SECURENOW_CAPTURE_MULTIPART=1            # Capture multipart field values & file metadata (streaming)
+
 # Debugging
 OTEL_LOG_LEVEL=debug                     # Enable debug output
 ```

package/NPM_README.md

@@ -903,6 +903,7 @@ export default defineNuxtConfig({
 | `SECURENOW_CAPTURE_BODY` | Enable request body capture in traces. Set to `1` to enable. | `0` |
 | `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data capture. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `1` to enable. | `0` |
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1018,8 +1019,28 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
+- `multipart/form-data` (requires `SECURENOW_CAPTURE_MULTIPART=1`)
 
-**Note:** Multipart form data (file uploads) are NOT captured by design.
+### Multipart Body Capture (v5.8.0+)
+
+Enable with `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. Uses a streaming parser that never buffers file content — memory stays at ~few KB regardless of upload size.
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 chars), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes
+
+**Example trace attribute:**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "resume", "filename": "cv.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+File binary content is never stored in traces.
 
 ### Sensitive Data Redaction
 

package/README.md

@@ -168,6 +168,9 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=..."  # Authentication headers
 SECURENOW_CAPTURE_BODY=1                    # Capture request bodies in traces
 SECURENOW_MAX_BODY_SIZE=10240               # Max body size in bytes
 SECURENOW_SENSITIVE_FIELDS="field1,field2"  # Additional fields to redact
+
+# Optional: Multipart body capture (file upload metadata)
+SECURENOW_CAPTURE_MULTIPART=1               # Capture multipart field names, values & file metadata
 ```
 
 ### Legacy Environment Variables (still supported)

package/cli/security.js

@@ -269,20 +269,36 @@ async function trustedRemove(args, flags) {
   }
 }
 
+// ── Helpers ──
+
+async function resolveAppId(flags) {
+  const appKey = flags.app || config.getDefaultApp();
+  if (!appKey) return null;
+  const data = await api.get('/applications');
+  const apps = data.applications || [];
+  const match = apps.find(a => a.key === appKey);
+  return match ? { id: match._id, key: match.key, name: match.name } : null;
+}
+
 // ── Forensics ──
 
 async function forensicsQuery(args, flags) {
   requireAuth();
   const query = args.join(' ');
   if (!query) {
-    ui.error('Query required. Usage: securenow forensics "your natural language query"');
+    ui.error('Query required. Usage: securenow forensics "your natural language query" [--app <key>]');
     process.exit(1);
   }
 
   const s = ui.spinner('Submitting forensic query');
   try {
     const body = { query };
-    if (flags.instance) body.instanceId = flags.instance;
+    const resolved = await resolveAppId(flags);
+    if (resolved) {
+      body.applicationId = resolved.id;
+    } else if (flags.instance) {
+      body.instanceId = flags.instance;
+    }
 
     const job = await api.post('/forensics/query', body);
     const jobId = job.jobId;
@@ -387,6 +403,138 @@ async function forensicsLibrary(args, flags) {
   }
 }
 
+// ── Forensics Chat ──
+
+async function forensicsChat(args, flags) {
+  requireAuth();
+  const resolved = await resolveAppId(flags);
+  if (!resolved) {
+    ui.error('App required. Usage: securenow forensics chat --app <key>');
+    ui.info('Set a default with: securenow apps default <key>');
+    process.exit(1);
+  }
+
+  console.log('');
+  ui.heading(`Forensics Chat — ${resolved.name || resolved.key}`);
+  console.log(ui.c.dim(`  App: ${resolved.key} (${resolved.id})`));
+  console.log(ui.c.dim('  Type your question, or "exit" to quit.\n'));
+
+  let conversationId = null;
+
+  const readline = require('readline');
+  const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+
+  const askLine = () => new Promise((resolve) => {
+    rl.question(ui.c.cyan('  you > '), (answer) => resolve(answer.trim()));
+  });
+
+  try {
+    while (true) {
+      const message = await askLine();
+      if (!message || message.toLowerCase() === 'exit' || message.toLowerCase() === 'quit') {
+        console.log('');
+        ui.info('Chat ended.');
+        break;
+      }
+
+      const s = ui.spinner('Thinking');
+      try {
+        const body = { message, applicationKey: resolved.key };
+        if (conversationId) body.conversationId = conversationId;
+
+        const chatRes = await api.post('/forensics/chat', body);
+        conversationId = chatRes.conversationId;
+
+        if (chatRes.status === 'processing') {
+          let result;
+          for (let i = 0; i < 150; i++) {
+            await new Promise(r => setTimeout(r, 2000));
+            result = await api.get(`/forensics/chat/status/${conversationId}`);
+            if (result.status === 'complete' || result.status === 'failed' || result.status === 'awaiting_confirmation') break;
+            const progress = result._progress;
+            if (progress?.action) s.update(progress.action);
+          }
+
+          if (!result || result.status === 'processing') {
+            s.fail('Response timed out');
+            continue;
+          }
+
+          s.stop('Done');
+          printChatMessage(result.message);
+
+          if (result.status === 'awaiting_confirmation') {
+            const proceed = await ui.confirm('Proceed with this query?');
+            if (proceed) {
+              const cs = ui.spinner('Executing query');
+              await api.post(`/forensics/chat/confirm/${conversationId}`);
+              let confirmResult;
+              for (let i = 0; i < 90; i++) {
+                await new Promise(r => setTimeout(r, 2000));
+                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`);
+                if (confirmResult.status !== 'processing') break;
+              }
+              cs.stop('Done');
+              if (confirmResult?.message) printChatMessage(confirmResult.message);
+            } else {
+              ui.info('Query skipped. Ask a different question or refine.');
+            }
+          }
+        } else if (chatRes.message) {
+          s.stop('Done');
+          printChatMessage(chatRes.message);
+        } else {
+          s.stop('Done');
+        }
+      } catch (err) {
+        s.fail('Error');
+        ui.error(err.message);
+      }
+      console.log('');
+    }
+  } finally {
+    rl.close();
+  }
+}
+
+function printChatMessage(msg) {
+  if (!msg) return;
+  console.log('');
+  if (msg.content) {
+    console.log(`  ${ui.c.green('ai >')} ${msg.content}`);
+  }
+  if (msg.sqlQuery) {
+    console.log('');
+    ui.subheading('Generated SQL');
+    console.log(`\n  ${ui.c.dim(msg.sqlQuery)}\n`);
+  }
+  if (msg.results && Array.isArray(msg.results) && msg.results.length > 0) {
+    ui.subheading(`Results (${msg.resultCount ?? msg.results.length} rows)`);
+    console.log('');
+    const headers = Object.keys(msg.results[0]);
+    const rows = msg.results.map(row => headers.map(h => String(row[h] ?? '')));
+    ui.table(headers, rows);
+  }
+  if (msg.estimation) {
+    const est = msg.estimation;
+    const rowLabel = est.timedOut
+      ? 'very large (estimation timed out)'
+      : est.estimatedRows != null
+        ? `~${Number(est.estimatedRows).toLocaleString()}`
+        : 'unknown';
+    console.log(`\n  ${ui.c.yellow('!')} Estimated rows: ${rowLabel}`);
+    if (est.suggestions?.length) {
+      console.log(ui.c.dim('  Suggestions:'));
+      for (const sug of est.suggestions) {
+        console.log(ui.c.dim(`    • ${sug}`));
+      }
+    }
+  }
+  if (msg.error && !msg.results) {
+    console.log(`\n  ${ui.c.red('Error:')} ${msg.error}`);
+  }
+}
+
 // ── IP Lookup ──
 
 async function ipLookup(args, flags) {
@@ -670,6 +818,7 @@ module.exports = {
   trustedAdd,
   trustedRemove,
   forensicsQuery,
+  forensicsChat,
   forensicsLibrary,
   ipLookup,
   ipTraces,

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');
@@ -151,9 +151,10 @@ const COMMANDS = {
   },
   forensics: {
     desc: 'Run forensic queries (natural language → SQL)',
-    usage: 'securenow forensics <query>',
+    usage: 'securenow forensics <query> [--app <key>]',
     sub: {
-      query: { desc: 'Run a forensic query', run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
+      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
+      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key>', flags: { app: 'App key to chat with' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
       library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
     },
     defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),

package/docs/ENVIRONMENT-VARIABLES.md

@@ -16,6 +16,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_CAPTURE_BODY** | Optional | `0` | Enable request body capture |
 | **SECURENOW_MAX_BODY_SIZE** | Optional | `10240` | Max body size in bytes |
 | **SECURENOW_SENSITIVE_FIELDS** | Optional | - | Comma-separated list of fields to redact |
+| **SECURENOW_CAPTURE_MULTIPART** | Optional | `0` | Enable multipart/form-data streaming capture |
 | **SECURENOW_DISABLE_INSTRUMENTATIONS** | Optional | - | Comma-separated list of packages to disable |
 | **SECURENOW_TEST_SPAN** | Optional | `0` | Emit test span on startup |
 | **OTEL_SERVICE_NAME** | Optional | - | Alternative to SECURENOW_APPID |
@@ -279,8 +280,8 @@ export SECURENOW_CAPTURE_BODY=1
 - `application/x-www-form-urlencoded`
 - `application/graphql`
 
-**Not captured:**
-- `multipart/form-data` (file uploads)
+**Not captured (unless separately enabled):**
+- `multipart/form-data` — requires `SECURENOW_CAPTURE_MULTIPART=1` (see below)
 - Bodies larger than `SECURENOW_MAX_BODY_SIZE`
 
 **Security:**
@@ -346,6 +347,50 @@ export SECURENOW_SENSITIVE_FIELDS="custom_secret,private_data,internal_id"
 
 ---
 
+### SECURENOW_CAPTURE_MULTIPART
+
+**Description:** Enable capture of `multipart/form-data` request bodies (file upload metadata and text fields). Uses a streaming parser that processes boundary markers on the fly — file binary content is never buffered or stored.
+
+**Format:** `1` (enabled) or `0` (disabled)
+
+**Default:** `0` (disabled)
+
+**Example:**
+```bash
+export SECURENOW_CAPTURE_MULTIPART=1
+```
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 characters), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes (no binary content)
+
+**Example span attribute (`http.request.body`):**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "document", "filename": "report.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+**Additional span attributes set:**
+- `http.request.body.type` = `"multipart"`
+- `http.request.body.size` — total raw request body size in bytes
+- `http.request.body.fields_count` — number of text fields
+- `http.request.body.files_count` — number of file fields
+
+**Memory:** Bounded at ~few KB regardless of upload size (streaming parser discards file content as it passes through).
+
+**Parts limit:** 100 parts maximum per request (safety guard).
+
+**Requires:** `SECURENOW_CAPTURE_BODY=1` must also be set (multipart capture is gated behind general body capture).
+
+**Since:** v5.8.0
+
+---
+
 ## Instrumentation Control
 
 ### SECURENOW_DISABLE_INSTRUMENTATIONS

package/docs/EXPRESS-BODY-CAPTURE.md

@@ -192,6 +192,7 @@ import express from 'express';
 | `SECURENOW_CAPTURE_BODY` | Enable body capture (`1` or `true`) | `0` (disabled) |
 | `SECURENOW_MAX_BODY_SIZE` | Max body size in bytes | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated additional sensitive fields | (see below) |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data streaming capture (`1` or `true`) | `0` (disabled) |
 
 ### Default Sensitive Fields
 
@@ -274,10 +275,10 @@ pm2 logs express-api --lines 100
 | `application/json` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/graphql` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/x-www-form-urlencoded` | ✅ Yes | ✅ Yes | ✅ Yes |
-| `multipart/form-data` | ❌ No | N/A | N/A |
+| `multipart/form-data` | ✅ Metadata | ✅ Streaming | ✅ Yes |
 | `text/plain` | ❌ No | N/A | N/A |
 
-**Note**: File uploads (`multipart/form-data`) are intentionally NOT captured for performance and privacy reasons.
+**Note**: Multipart capture requires `SECURENOW_CAPTURE_MULTIPART=1` (v5.8.0+). Uses a streaming parser — text field values and file metadata (name, filename, content-type, size) are captured; file binary content is never buffered or stored.
 
 ## 🔍 Example: Complete Express + PM2 Setup
 

package/docs/REQUEST-BODY-CAPTURE.md

@@ -55,16 +55,24 @@ SECURENOW_SENSITIVE_FIELDS=credit_card,email,phone
    ```
    Parsed into object and sensitive fields redacted.
 
-4. **Multipart** (`multipart/form-data`) - ❌ NOT Captured
-   ```
-   [MULTIPART - NOT CAPTURED]
+4. **Multipart** (`multipart/form-data`) - ✅ Streaming Metadata Capture (v5.8.0+)
+
+   Requires `SECURENOW_CAPTURE_MULTIPART=1`. Uses a streaming parser — file binary content is never buffered.
+
+   ```json
+   {
+     "fields": { "description": "Profile update", "token": "[REDACTED]" },
+     "files": [
+       { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 }
+     ]
+   }
    ```
-   *File uploads are not captured at all (by design) - too large and unnecessary*
+   Text field values are captured with sensitive-field redaction. File parts record metadata only (field, filename, content-type, size). Memory stays at ~few KB regardless of upload size.
 
 ### ❌ What's NOT Captured
 
 - GET requests (no body)
-- File uploads (too large)
+- File binary content (only metadata when multipart capture is enabled)
 - Bodies larger than max size
 - Binary data
 - Non-POST/PUT/PATCH requests
@@ -218,6 +226,7 @@ mutation Login {
 | `SECURENOW_CAPTURE_BODY` | `0` (disabled) | Enable body capture |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` (10KB) | Maximum body size to capture |
 | `SECURENOW_SENSITIVE_FIELDS` | `` | Comma-separated custom sensitive fields |
+| `SECURENOW_CAPTURE_MULTIPART` | `0` (disabled) | Enable multipart/form-data streaming capture (v5.8.0+) |
 
 ### Programmatic (Next.js)
 
@@ -529,7 +538,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 
 ### Q: Does this work with file uploads?
 
-**A:** No, multipart/form-data is not captured (by design). Only metadata is logged.
+**A:** Yes! Since v5.8.0, set `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. The streaming parser extracts text field values and file metadata (name, filename, content-type, size) without ever buffering file binary content. Memory stays bounded at ~few KB regardless of upload size.
 
 ### Q: What's the performance impact?
 

package/free-trial-banner.js

@@ -40,19 +40,33 @@ function _bannerClientCode() {
     strong.textContent = 'Testing Environment:';
     msg.appendChild(strong);
     msg.appendChild(document.createTextNode(
-      ' Only add test applications. For production usage, please '
+      ' Only add test applications. For production usage, '
     ));
 
     var link = document.createElement('a');
-    link.href = 'https://securenow.ai/contact';
+    link.href = 'https://app.securenow.ai/dashboard/settings/instances';
     link.target = '_blank';
     link.rel = 'noopener';
     link.style.cssText = 'color:#664D03;font-weight:600;text-decoration:underline';
-    link.textContent = 'contact our team for a demo';
+    link.textContent = 'create a new production instance';
     msg.appendChild(link);
     msg.appendChild(document.createTextNode('.'));
     d.appendChild(msg);
 
+    var upgradeBtn = document.createElement('a');
+    upgradeBtn.href = 'https://app.securenow.ai/dashboard/settings/instances';
+    upgradeBtn.target = '_blank';
+    upgradeBtn.rel = 'noopener';
+    upgradeBtn.textContent = '\u26a1 Upgrade';
+    upgradeBtn.style.cssText =
+      'display:inline-flex;align-items:center;gap:4px;' +
+      'background:#D97706;color:#fff;padding:4px 12px;border-radius:4px;' +
+      'font-size:12px;font-weight:600;text-decoration:none;margin-left:10px;' +
+      'white-space:nowrap;transition:background 0.15s';
+    upgradeBtn.onmouseover = function () { upgradeBtn.style.background = '#B45309'; };
+    upgradeBtn.onmouseout = function () { upgradeBtn.style.background = '#D97706'; };
+    d.appendChild(upgradeBtn);
+
     var close = document.createElement('button');
     close.textContent = '\u00d7';
     close.style.cssText =

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.7.1",
+  "version": "5.8.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -16,6 +16,7 @@
  *   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=...    # full traces URL
  *   OTEL_EXPORTER_OTLP_HEADERS="k=v,k2=v2"
  *   SECURENOW_DISABLE_INSTRUMENTATIONS="pkg1,pkg2"
+ *   SECURENOW_CAPTURE_MULTIPART=1                # capture multipart/form-data fields & file metadata (streaming, no file content buffered)
  *   OTEL_LOG_LEVEL=info|debug
  *   SECURENOW_TEST_SPAN=1
  *
@@ -103,6 +104,131 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
+// -------- Multipart streaming parser --------
+// Streams through the request without buffering file content.
+// Only part headers and text-field values are kept in memory,
+// so memory stays bounded (~few KB) regardless of upload size.
+
+function extractBoundary(contentType) {
+  const match = contentType.match(/boundary=(?:"([^"]+)"|([^\s;]+))/i);
+  return match ? (match[1] || match[2]) : null;
+}
+
+function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFieldSize, onComplete) {
+  const boundary = extractBoundary(contentType);
+  if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return; }
+
+  const result = { fields: {}, files: [] };
+  let totalSize = 0;
+  let buf = Buffer.alloc(0);
+
+  const MAX_PARTS = 100;
+  let partCount = 0;
+
+  const FIRST_DELIM = Buffer.from('--' + boundary);
+  const DELIM       = Buffer.from('\r\n--' + boundary);
+  const HDR_END     = Buffer.from('\r\n\r\n');
+
+  let initialized = false;
+  let inHeaders = true;
+  let isFile = false;
+  let fldName = '';
+  let fName = '';
+  let pCT = '';
+  let bodyBytes = 0;
+  let textVal = '';
+
+  function flushPart() {
+    if (!fldName) return;
+    if (isFile) {
+      result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
+    } else {
+      const lower = fldName.toLowerCase();
+      const redact = sensitiveFields.some(f => lower.includes(f.toLowerCase()));
+      result.fields[fldName] = redact ? '[REDACTED]' : textVal.substring(0, maxTextFieldSize);
+    }
+    fldName = ''; bodyBytes = 0; textVal = ''; partCount++;
+  }
+
+  function drain() {
+    if (!initialized) {
+      const i = buf.indexOf(FIRST_DELIM);
+      if (i === -1) {
+        if (buf.length > FIRST_DELIM.length + 4) buf = buf.slice(buf.length - FIRST_DELIM.length - 4);
+        return;
+      }
+      buf = buf.slice(i + FIRST_DELIM.length);
+      initialized = true;
+      inHeaders = true;
+    }
+
+    let guard = 200;
+    while (buf.length > 0 && guard-- > 0 && partCount < MAX_PARTS) {
+      if (inHeaders) {
+        if (buf.length >= 2 && buf[0] === 0x2D && buf[1] === 0x2D) { buf = Buffer.alloc(0); return; }
+        if (buf.length >= 2 && buf[0] === 0x0D && buf[1] === 0x0A) { buf = buf.slice(2); continue; }
+
+        const hi = buf.indexOf(HDR_END);
+        if (hi === -1) return;
+
+        const hdr = buf.slice(0, hi).toString('latin1');
+        buf = buf.slice(hi + 4);
+
+        const nm = hdr.match(/name="([^"]+)"/);
+        const fn = hdr.match(/filename="([^"]*)"/);
+        const ct = hdr.match(/Content-Type:\s*(.+)/i);
+        fldName = nm ? nm[1] : '';
+        fName   = fn ? fn[1] : '';
+        pCT     = ct ? ct[1].trim() : '';
+        isFile  = !!fn;
+        bodyBytes = 0;
+        textVal = '';
+        inHeaders = false;
+      }
+
+      const di = buf.indexOf(DELIM);
+      if (di === -1) {
+        const safe = Math.max(0, buf.length - DELIM.length - 2);
+        if (safe > 0) {
+          bodyBytes += safe;
+          if (!isFile && textVal.length < maxTextFieldSize) {
+            textVal += buf.slice(0, safe).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+          }
+          buf = buf.slice(safe);
+        }
+        return;
+      }
+
+      bodyBytes += di;
+      if (!isFile && textVal.length < maxTextFieldSize) {
+        textVal += buf.slice(0, di).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+      }
+      flushPart();
+      buf = buf.slice(di + DELIM.length);
+      inHeaders = true;
+    }
+  }
+
+  request.on('data', (chunk) => {
+    totalSize += chunk.length;
+    buf = Buffer.concat([buf, chunk]);
+    drain();
+  });
+
+  request.on('end', () => {
+    try {
+      if (!inHeaders && fldName) {
+        bodyBytes += buf.length;
+        if (!isFile) textVal += buf.toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+        flushPart();
+      }
+      onComplete({ parsed: result, totalSize });
+    } catch (e) {
+      onComplete({ error: 'PARSE_ERROR' });
+    }
+  });
+}
+
 // -------- ESM detection --------
 // register.js auto-registers the hook via module.register() on Node >=20.6.
 // This warning only fires if BOTH --import AND module.register() were skipped
@@ -194,6 +320,8 @@ const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
+const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || String(env('SECURENOW_CAPTURE_MULTIPART')).toLowerCase() === 'true';
+
 // -------- Trusted proxy IP resolution --------
 // Only trust X-Forwarded-For / X-Real-IP when the direct connection comes from
 // a known proxy (loopback, private RFC-1918/RFC-4193, or an explicit allowlist).
@@ -325,10 +453,38 @@ const httpInstrumentation = new HttpInstrumentation({
             }
           });
         } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured
-          span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-          span.setAttribute('http.request.body.type', 'multipart');
-          span.setAttribute('http.request.body.note', 'File uploads not captured by design');
+          if (captureMultipart) {
+            collectMultipartMeta(request, contentType, allSensitiveFields, 1000, ({ error, parsed, totalSize }) => {
+              try {
+                if (error === 'BOUNDARY_NOT_FOUND') {
+                  span.setAttribute('http.request.body', '[MULTIPART - BOUNDARY NOT FOUND]');
+                  span.setAttribute('http.request.body.type', 'multipart');
+                  return;
+                }
+                if (error) {
+                  span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+                  span.setAttribute('http.request.body.type', 'multipart');
+                  span.setAttribute('http.request.body.parse_error', true);
+                  return;
+                }
+                span.setAttributes({
+                  'http.request.body': JSON.stringify(parsed).substring(0, maxBodySize),
+                  'http.request.body.type': 'multipart',
+                  'http.request.body.size': totalSize,
+                  'http.request.body.fields_count': Object.keys(parsed.fields).length,
+                  'http.request.body.files_count': parsed.files.length,
+                });
+              } catch (e) {
+                span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+                span.setAttribute('http.request.body.type', 'multipart');
+                span.setAttribute('http.request.body.parse_error', true);
+              }
+            });
+          } else {
+            span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+            span.setAttribute('http.request.body.type', 'multipart');
+            span.setAttribute('http.request.body.note', 'Set SECURENOW_CAPTURE_MULTIPART=1 to enable');
+          }
         }
       }
     } catch (error) {
@@ -416,6 +572,9 @@ const sdk = new NodeSDK({
     if (captureBody) {
       console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
     }
+    if (captureMultipart) {
+      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
+    }
     if (String(env('SECURENOW_TEST_SPAN')) === '1') {
       const api = require('@opentelemetry/api');
       const tracer = api.trace.getTracer('securenow-smoke');

package/web-vite.mjs

@@ -173,19 +173,33 @@ function injectFreeTrialBanner(): void {
     strong.textContent = 'Testing Environment:';
     msg.appendChild(strong);
     msg.appendChild(document.createTextNode(
-      ' Only add test applications. For production usage, please '
+      ' Only add test applications. For production usage, '
     ));
 
     const link = document.createElement('a');
-    link.href = 'https://securenow.ai/contact';
+    link.href = 'https://app.securenow.ai/dashboard/settings/instances';
     link.target = '_blank';
     link.rel = 'noopener';
     link.style.cssText = 'color:#664D03;font-weight:600;text-decoration:underline';
-    link.textContent = 'contact our team for a demo';
+    link.textContent = 'create a new production instance';
     msg.appendChild(link);
     msg.appendChild(document.createTextNode('.'));
     d.appendChild(msg);
 
+    const upgradeBtn = document.createElement('a');
+    upgradeBtn.href = 'https://app.securenow.ai/dashboard/settings/instances';
+    upgradeBtn.target = '_blank';
+    upgradeBtn.rel = 'noopener';
+    upgradeBtn.textContent = '\u26a1 Upgrade';
+    upgradeBtn.style.cssText =
+      'display:inline-flex;align-items:center;gap:4px;' +
+      'background:#D97706;color:#fff;padding:4px 12px;border-radius:4px;' +
+      'font-size:12px;font-weight:600;text-decoration:none;margin-left:10px;' +
+      'white-space:nowrap;transition:background 0.15s';
+    upgradeBtn.onmouseover = () => { upgradeBtn.style.background = '#B45309'; };
+    upgradeBtn.onmouseout = () => { upgradeBtn.style.background = '#D97706'; };
+    d.appendChild(upgradeBtn);
+
     const close = document.createElement('button');
     close.textContent = '\u00d7';
     close.style.cssText =