securenow 5.8.0 → 5.8.1

package/CONSUMING-APPS-GUIDE.md

@@ -362,6 +362,14 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=KEY"
 SECURENOW_APPID=my-app                   # Your app name
 OTEL_SERVICE_NAME=my-app                 # Alternative
 
+# Request Body Capture
+SECURENOW_CAPTURE_BODY=1                 # Capture JSON/form/GraphQL request bodies
+SECURENOW_MAX_BODY_SIZE=10240            # Max body size in bytes (default: 10KB)
+SECURENOW_SENSITIVE_FIELDS="field1,field2" # Additional fields to redact
+
+# Multipart Body Capture (v5.8.0+)
+SECURENOW_CAPTURE_MULTIPART=1            # Capture multipart field values & file metadata (streaming)
+
 # Debugging
 OTEL_LOG_LEVEL=debug                     # Enable debug output
 ```

package/NPM_README.md

@@ -903,6 +903,7 @@ export default defineNuxtConfig({
 | `SECURENOW_CAPTURE_BODY` | Enable request body capture in traces. Set to `1` to enable. | `0` |
 | `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data capture. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `1` to enable. | `0` |
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1018,8 +1019,28 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
+- `multipart/form-data` (requires `SECURENOW_CAPTURE_MULTIPART=1`)
 
-**Note:** Multipart form data (file uploads) are NOT captured by design.
+### Multipart Body Capture (v5.8.0+)
+
+Enable with `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. Uses a streaming parser that never buffers file content — memory stays at ~few KB regardless of upload size.
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 chars), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes
+
+**Example trace attribute:**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "resume", "filename": "cv.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+File binary content is never stored in traces.
 
 ### Sensitive Data Redaction
 

package/README.md

@@ -168,6 +168,9 @@ OTEL_EXPORTER_OTLP_HEADERS="x-api-key=..."  # Authentication headers
 SECURENOW_CAPTURE_BODY=1                    # Capture request bodies in traces
 SECURENOW_MAX_BODY_SIZE=10240               # Max body size in bytes
 SECURENOW_SENSITIVE_FIELDS="field1,field2"  # Additional fields to redact
+
+# Optional: Multipart body capture (file upload metadata)
+SECURENOW_CAPTURE_MULTIPART=1               # Capture multipart field names, values & file metadata
 ```
 
 ### Legacy Environment Variables (still supported)

package/docs/ENVIRONMENT-VARIABLES.md

@@ -16,6 +16,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_CAPTURE_BODY** | Optional | `0` | Enable request body capture |
 | **SECURENOW_MAX_BODY_SIZE** | Optional | `10240` | Max body size in bytes |
 | **SECURENOW_SENSITIVE_FIELDS** | Optional | - | Comma-separated list of fields to redact |
+| **SECURENOW_CAPTURE_MULTIPART** | Optional | `0` | Enable multipart/form-data streaming capture |
 | **SECURENOW_DISABLE_INSTRUMENTATIONS** | Optional | - | Comma-separated list of packages to disable |
 | **SECURENOW_TEST_SPAN** | Optional | `0` | Emit test span on startup |
 | **OTEL_SERVICE_NAME** | Optional | - | Alternative to SECURENOW_APPID |
@@ -279,8 +280,8 @@ export SECURENOW_CAPTURE_BODY=1
 - `application/x-www-form-urlencoded`
 - `application/graphql`
 
-**Not captured:**
-- `multipart/form-data` (file uploads)
+**Not captured (unless separately enabled):**
+- `multipart/form-data` — requires `SECURENOW_CAPTURE_MULTIPART=1` (see below)
 - Bodies larger than `SECURENOW_MAX_BODY_SIZE`
 
 **Security:**
@@ -346,6 +347,50 @@ export SECURENOW_SENSITIVE_FIELDS="custom_secret,private_data,internal_id"
 
 ---
 
+### SECURENOW_CAPTURE_MULTIPART
+
+**Description:** Enable capture of `multipart/form-data` request bodies (file upload metadata and text fields). Uses a streaming parser that processes boundary markers on the fly — file binary content is never buffered or stored.
+
+**Format:** `1` (enabled) or `0` (disabled)
+
+**Default:** `0` (disabled)
+
+**Example:**
+```bash
+export SECURENOW_CAPTURE_MULTIPART=1
+```
+
+**What gets captured:**
+- **Text fields** — field name and value (up to 1000 characters), with sensitive fields auto-redacted
+- **File fields** — metadata only: field name, filename, content-type, and size in bytes (no binary content)
+
+**Example span attribute (`http.request.body`):**
+```json
+{
+  "fields": { "description": "My upload", "token": "[REDACTED]" },
+  "files": [
+    { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 },
+    { "field": "document", "filename": "report.pdf", "contentType": "application/pdf", "size": 1048576 }
+  ]
+}
+```
+
+**Additional span attributes set:**
+- `http.request.body.type` = `"multipart"`
+- `http.request.body.size` — total raw request body size in bytes
+- `http.request.body.fields_count` — number of text fields
+- `http.request.body.files_count` — number of file fields
+
+**Memory:** Bounded at ~few KB regardless of upload size (streaming parser discards file content as it passes through).
+
+**Parts limit:** 100 parts maximum per request (safety guard).
+
+**Requires:** `SECURENOW_CAPTURE_BODY=1` must also be set (multipart capture is gated behind general body capture).
+
+**Since:** v5.8.0
+
+---
+
 ## Instrumentation Control
 
 ### SECURENOW_DISABLE_INSTRUMENTATIONS

package/docs/EXPRESS-BODY-CAPTURE.md

@@ -192,6 +192,7 @@ import express from 'express';
 | `SECURENOW_CAPTURE_BODY` | Enable body capture (`1` or `true`) | `0` (disabled) |
 | `SECURENOW_MAX_BODY_SIZE` | Max body size in bytes | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated additional sensitive fields | (see below) |
+| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data streaming capture (`1` or `true`) | `0` (disabled) |
 
 ### Default Sensitive Fields
 
@@ -274,10 +275,10 @@ pm2 logs express-api --lines 100
 | `application/json` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/graphql` | ✅ Yes | ✅ Yes | ✅ Yes |
 | `application/x-www-form-urlencoded` | ✅ Yes | ✅ Yes | ✅ Yes |
-| `multipart/form-data` | ❌ No | N/A | N/A |
+| `multipart/form-data` | ✅ Metadata | ✅ Streaming | ✅ Yes |
 | `text/plain` | ❌ No | N/A | N/A |
 
-**Note**: File uploads (`multipart/form-data`) are intentionally NOT captured for performance and privacy reasons.
+**Note**: Multipart capture requires `SECURENOW_CAPTURE_MULTIPART=1` (v5.8.0+). Uses a streaming parser — text field values and file metadata (name, filename, content-type, size) are captured; file binary content is never buffered or stored.
 
 ## 🔍 Example: Complete Express + PM2 Setup
 

package/docs/REQUEST-BODY-CAPTURE.md

@@ -55,16 +55,24 @@ SECURENOW_SENSITIVE_FIELDS=credit_card,email,phone
    ```
    Parsed into object and sensitive fields redacted.
 
-4. **Multipart** (`multipart/form-data`) - ❌ NOT Captured
-   ```
-   [MULTIPART - NOT CAPTURED]
+4. **Multipart** (`multipart/form-data`) - ✅ Streaming Metadata Capture (v5.8.0+)
+
+   Requires `SECURENOW_CAPTURE_MULTIPART=1`. Uses a streaming parser — file binary content is never buffered.
+
+   ```json
+   {
+     "fields": { "description": "Profile update", "token": "[REDACTED]" },
+     "files": [
+       { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 }
+     ]
+   }
    ```
-   *File uploads are not captured at all (by design) - too large and unnecessary*
+   Text field values are captured with sensitive-field redaction. File parts record metadata only (field, filename, content-type, size). Memory stays at ~few KB regardless of upload size.
 
 ### ❌ What's NOT Captured
 
 - GET requests (no body)
-- File uploads (too large)
+- File binary content (only metadata when multipart capture is enabled)
 - Bodies larger than max size
 - Binary data
 - Non-POST/PUT/PATCH requests
@@ -218,6 +226,7 @@ mutation Login {
 | `SECURENOW_CAPTURE_BODY` | `0` (disabled) | Enable body capture |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` (10KB) | Maximum body size to capture |
 | `SECURENOW_SENSITIVE_FIELDS` | `` | Comma-separated custom sensitive fields |
+| `SECURENOW_CAPTURE_MULTIPART` | `0` (disabled) | Enable multipart/form-data streaming capture (v5.8.0+) |
 
 ### Programmatic (Next.js)
 
@@ -529,7 +538,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 
 ### Q: Does this work with file uploads?
 
-**A:** No, multipart/form-data is not captured (by design). Only metadata is logged.
+**A:** Yes! Since v5.8.0, set `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. The streaming parser extracts text field values and file metadata (name, filename, content-type, size) without ever buffering file binary content. Memory stays bounded at ~few KB regardless of upload size.
 
 ### Q: What's the performance impact?
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.8.0",
+  "version": "5.8.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",