securenow 6.0.2 → 6.1.0

package/docs/NEXTJS-WRAPPER-APPROACH.md

@@ -241,7 +241,7 @@ export function register() {
 ```bash
 # Required
 SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://signoz:4318
+SECURENOW_INSTANCE=http://otel-collector:4318
 
 # Optional: Enable body capture
 SECURENOW_CAPTURE_BODY=1

package/docs/NUXT-GUIDE.md

@@ -0,0 +1,166 @@
+# SecureNow — Nuxt 3 Setup Guide
+
+## Quick Start (1 minute)
+
+### 1. Install
+
+```bash
+npm install securenow
+```
+
+### 2. Add the module to `nuxt.config.ts`
+
+```ts
+export default defineNuxtConfig({
+  modules: ['securenow/nuxt'],
+});
+```
+
+### 3. Set environment variables
+
+Create a `.env` file in your project root:
+
+```env
+SECURENOW_APPID=my-nuxt-app
+SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
+```
+
+### 4. Start your app
+
+```bash
+nuxt dev
+```
+
+You should see in the console:
+
+```
+[securenow] Nuxt module loaded — server plugin registered
+[securenow] 🚀 Nuxt OTel SDK started → https://freetrial.securenow.ai:4318/v1/traces
+[securenow] service.name=my-nuxt-app instance.id=my-nuxt-app-...
+```
+
+That's it — all server-side requests are now traced.
+
+---
+
+## Configuration
+
+### Module options in `nuxt.config.ts`
+
+```ts
+export default defineNuxtConfig({
+  modules: ['securenow/nuxt'],
+  securenow: {
+    serviceName: 'my-nuxt-app',     // overrides SECURENOW_APPID
+    endpoint: 'http://host:4318',   // overrides SECURENOW_INSTANCE
+    noUuid: true,                   // single service.name (no UUID suffix)
+    captureBody: true,              // capture POST/PUT/PATCH bodies
+    logging: true,                  // forward console.* as OTLP logs
+  },
+});
+```
+
+### Environment variables
+
+All standard SecureNow env vars are supported:
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `SECURENOW_APPID` | Service name | `nuxt-app-<uuid>` |
+| `SECURENOW_INSTANCE` | OTLP base URL | `https://freetrial.securenow.ai:4318` |
+| `SECURENOW_NO_UUID` | Don't append UUID to service name | `false` |
+| `SECURENOW_LOGGING_ENABLED` | Forward console logs as OTLP | `false` |
+| `SECURENOW_CAPTURE_BODY` | Capture request bodies | `false` |
+| `SECURENOW_MAX_BODY_SIZE` | Max body size to capture (bytes) | `10240` |
+| `SECURENOW_SENSITIVE_FIELDS` | Extra fields to redact (CSV) | _(built-in list)_ |
+| `OTEL_EXPORTER_OTLP_ENDPOINT` | Alternative OTLP base URL | — |
+| `OTEL_EXPORTER_OTLP_HEADERS` | OTLP headers (k=v,k2=v2) | — |
+
+---
+
+## What gets traced
+
+### Automatic (out of the box)
+
+- All Nitro server handler requests (API routes, SSR pages, middleware)
+- HTTP method, path, status code, duration
+- Client IP address (with proxy-aware resolution)
+- User-Agent, Referer, Origin, Host
+- Security header presence (auth, cookies, CSRF)
+- Request IDs and correlation headers
+
+### With `captureBody: true`
+
+- POST/PUT/PATCH request bodies (JSON, form-urlencoded, GraphQL)
+- Sensitive fields auto-redacted (passwords, tokens, etc.)
+- Bodies larger than `SECURENOW_MAX_BODY_SIZE` are skipped
+
+### With `logging: true`
+
+- All `console.log/info/warn/error/debug` calls forwarded as OTLP log records
+- Logs correlated with active trace spans
+
+---
+
+## Comparison with Next.js integration
+
+| Feature | Nuxt (`securenow/nuxt`) | Next.js (`securenow/nextjs`) |
+|---------|-------------------------|------------------------------|
+| Setup | Add to `modules` array | Create `instrumentation.ts` |
+| Config | `nuxt.config.ts` | `.env.local` + `next.config.js` |
+| Server tracing | Nitro hooks | HTTP instrumentation |
+| Edge runtime | Not supported | Skipped gracefully |
+| Vercel support | Via env vars | `@vercel/otel` integration |
+| Body capture | HTTP instrumentation | Middleware + `Request.clone()` |
+| Logging | Console patching | Console patching |
+
+---
+
+## Deployment
+
+### Node.js server (PM2, Docker, etc.)
+
+Works out of the box with `nuxt build && node .output/server/index.mjs`.
+
+### Vercel / Netlify / Cloudflare
+
+Set env vars in the platform dashboard:
+
+```
+SECURENOW_APPID=my-nuxt-app
+SECURENOW_INSTANCE=https://your-otlp-backend:4318
+```
+
+> Note: On edge runtimes (Cloudflare Workers, Vercel Edge), some Node.js-specific
+> instrumentations may not be available. Server-handler tracing via Nitro hooks
+> still works.
+
+---
+
+## Troubleshooting
+
+### No traces appearing
+
+1. Check that `SECURENOW_APPID` and `SECURENOW_INSTANCE` are set
+2. Look for `[securenow] 🚀 Nuxt OTel SDK started` in the console
+3. Verify the OTLP endpoint is reachable from your server
+
+### Module not loading
+
+Make sure you're using Nuxt 3 (`nuxt: ">=3.0.0"`) and the module is listed
+in the `modules` array (not `buildModules`).
+
+### OpenTelemetry packages bundled by Nitro
+
+The module automatically externalizes OTel packages. If you see bundling errors,
+manually add to `nuxt.config.ts`:
+
+```ts
+export default defineNuxtConfig({
+  nitro: {
+    externals: {
+      external: ['securenow', '@opentelemetry/api', '@opentelemetry/sdk-node'],
+    },
+  },
+});
+```

package/docs/QUICKSTART-BODY-CAPTURE.md

@@ -8,7 +8,7 @@ This approach **never interferes** with your middleware or routing.
 
 ```bash
 SECURENOW_APPID=my-app
-SECURENOW_INSTANCE=http://signoz:4318
+SECURENOW_INSTANCE=http://otel-collector:4318
 SECURENOW_CAPTURE_BODY=1
 ```
 
@@ -155,7 +155,7 @@ export async function GET() {
 ```bash
 # Required
 SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://your-signoz:4318
+SECURENOW_INSTANCE=http://your-otlp-backend:4318
 
 # Body capture
 SECURENOW_CAPTURE_BODY=1                    # Enable body capture

package/docs/REDACTION-EXAMPLES.md

@@ -439,7 +439,7 @@ If "token" is sensitive, these get redacted:
      -d '{"username":"test","password":"secret123"}'
    ```
 
-3. **Check SigNoz:**
+3. **Check SecureNow:**
    - Find the trace
    - Look for `http.request.body`
    - Verify password shows `[REDACTED]`

package/docs/REQUEST-BODY-CAPTURE.md

@@ -55,16 +55,24 @@ SECURENOW_SENSITIVE_FIELDS=credit_card,email,phone
    ```
    Parsed into object and sensitive fields redacted.
 
-4. **Multipart** (`multipart/form-data`) - ❌ NOT Captured
-   ```
-   [MULTIPART - NOT CAPTURED]
+4. **Multipart** (`multipart/form-data`) - ✅ Streaming Metadata Capture (v5.8.0+)
+
+   Requires `SECURENOW_CAPTURE_MULTIPART=1`. Uses a streaming parser — file binary content is never buffered.
+
+   ```json
+   {
+     "fields": { "description": "Profile update", "token": "[REDACTED]" },
+     "files": [
+       { "field": "avatar", "filename": "photo.jpg", "contentType": "image/jpeg", "size": 524288 }
+     ]
+   }
    ```
-   *File uploads are not captured at all (by design) - too large and unnecessary*
+   Text field values are captured with sensitive-field redaction. File parts record metadata only (field, filename, content-type, size). Memory stays at ~few KB regardless of upload size.
 
 ### ❌ What's NOT Captured
 
 - GET requests (no body)
-- File uploads (too large)
+- File binary content (only metadata when multipart capture is enabled)
 - Bodies larger than max size
 - Binary data
 - Non-POST/PUT/PATCH requests
@@ -218,6 +226,7 @@ mutation Login {
 | `SECURENOW_CAPTURE_BODY` | `0` (disabled) | Enable body capture |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` (10KB) | Maximum body size to capture |
 | `SECURENOW_SENSITIVE_FIELDS` | `` | Comma-separated custom sensitive fields |
+| `SECURENOW_CAPTURE_MULTIPART` | `0` (disabled) | Enable multipart/form-data streaming capture (v5.8.0+) |
 
 ### Programmatic (Next.js)
 
@@ -235,7 +244,7 @@ export function register() {
 
 ---
 
-## 🔍 Viewing in SigNoz
+## 🔍 Viewing in SecureNow
 
 ### Query Examples
 
@@ -277,7 +286,7 @@ Request bodies may contain personal data. Consider:
 
 1. **Legal Basis** - Ensure you have legitimate interest or consent
 2. **Data Minimization** - Only capture what you need
-3. **Retention** - Configure SigNoz retention policies
+3. **Retention** - Configure SecureNow retention policies
 4. **Anonymization** - Add more fields to redact list
 
 ### PCI-DSS Compliance
@@ -397,7 +406,7 @@ Field matching is case-insensitive and uses `includes()`:
    }
    ```
 
-3. **Filter in SigNoz**
+3. **Filter in SecureNow**
    - Use sampling to reduce volume
    - Set up trace tail sampling
 
@@ -529,7 +538,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 
 ### Q: Does this work with file uploads?
 
-**A:** No, multipart/form-data is not captured (by design). Only metadata is logged.
+**A:** Yes! Since v5.8.0, set `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. The streaming parser extracts text field values and file metadata (name, filename, content-type, size) without ever buffering file binary content. Memory stays bounded at ~few KB regardless of upload size.
 
 ### Q: What's the performance impact?
 
@@ -564,7 +573,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 
 3. **Deploy!** Bodies are captured with sensitive data automatically redacted.
 
-**View in SigNoz:**
+**View in SecureNow:**
 - `http.request.body` - The captured body (redacted)
 - `http.request.body.size` - Body size in bytes
 - `http.request.body.type` - Content type (json, graphql, form)

package/docs/SOLUTION-SUMMARY.md

@@ -0,0 +1,312 @@
+# ✅ Self-Sufficient Body Capture Solution - Complete!
+
+## 🎯 The Challenge
+
+**Problem:** Next.js request streams can only be read once. Reading them at the HTTP instrumentation level locks the stream and causes:
+```
+TypeError: Response body object should not be disturbed or locked
+```
+
+**Solution:** Use Next.js middleware that:
+- Clones the request before reading (doesn't lock original)
+- Reads body safely
+- All logic is in the package (self-sufficient!)
+
+---
+
+## 🚀 How It Works (Self-Sufficient!)
+
+### For Your Customers - Only 2 Steps!
+
+**Step 1: During Installation**
+
+When they run `npm install securenow`, the installer asks:
+
+```
+Would you like to automatically create instrumentation file? (Y/n) Y
+✅ Created instrumentation.ts
+
+Would you like to enable request body capture? (y/N) y
+✅ Created middleware.ts
+   → Captures JSON, GraphQL, Form bodies with auto-redaction
+```
+
+**Step 2: Configure**
+
+Edit `.env.local` (already created by installer):
+```bash
+SECURENOW_APPID=my-app
+SECURENOW_INSTANCE=http://otel-collector:4318
+SECURENOW_CAPTURE_BODY=1  # Enable body capture
+```
+
+**That's IT!** 🎉 No code to write!
+
+---
+
+## 📦 What's in the Package (Self-Sufficient!)
+
+### 1. nextjs-middleware.js
+
+**Exports ready-to-use middleware:**
+```javascript
+export { middleware } from 'securenow/nextjs-middleware';
+```
+
+**Customers just re-export it!** No code to write:
+```typescript
+// middleware.ts (created by installer)
+export { middleware } from 'securenow/nextjs-middleware';
+
+export const config = {
+  matcher: '/api/:path*',
+};
+```
+
+### 2. All Logic is in the Package
+
+**The middleware handles:**
+- ✅ Request cloning (doesn't lock stream)
+- ✅ Body parsing (JSON, GraphQL, Form)
+- ✅ Sensitive field redaction (20+ fields)
+- ✅ Size limits
+- ✅ Error handling
+- ✅ Span attribution
+
+**Customer writes: 0 lines of logic!**
+
+---
+
+## 🔧 Technical Solution
+
+### The Key: request.clone()
+
+```javascript
+// In nextjs-middleware.js (part of package)
+async function middleware(request) {
+  // Clone request so original is not consumed
+  const clonedRequest = request.clone();
+  const bodyText = await clonedRequest.text();
+  
+  // Original request is untouched!
+  // Next.js can still read it normally
+  
+  // Parse and redact body
+  const redacted = redactSensitiveData(JSON.parse(bodyText));
+  
+  // Add to span
+  span.setAttribute('http.request.body', JSON.stringify(redacted));
+  
+  // Continue to Next.js
+  return NextResponse.next();
+}
+```
+
+**Why this works:**
+- `request.clone()` creates a copy
+- Clone can be read without affecting original
+- Next.js reads the original stream normally
+- No locking errors!
+
+---
+
+## 📊 Comparison
+
+### ❌ Previous Approach (Broken)
+
+```javascript
+// In requestHook - DOESN'T WORK
+request.on('data', (chunk) => {
+  chunks.push(chunk);  // Consumes stream
+});
+// → Next.js can't read stream → ERROR
+```
+
+### ✅ New Approach (Works!)
+
+```javascript
+// In Next.js middleware - WORKS
+const cloned = request.clone();
+const body = await cloned.text();  // Read clone
+// → Original stream is untouched → No error!
+```
+
+---
+
+## 🎯 Customer Journey (Fully Automated!)
+
+### Installation Experience
+
+```bash
+$ npm install securenow
+
+┌─────────────────────────────────────────────────┐
+│  🎉 SecureNow installed successfully!          │
+│  Next.js project detected                       │
+└─────────────────────────────────────────────────┘
+
+Would you like to automatically create instrumentation file? (Y/n) Y
+✅ Created instrumentation.ts
+
+Would you like to enable request body capture? (y/N) y
+✅ Created middleware.ts
+   → Captures JSON, GraphQL, Form bodies with auto-redaction
+
+✅ Created .env.local template
+
+┌─────────────────────────────────────────────────┐
+│  🚀 Next Steps:                                 │
+│                                                 │
+│  1. Edit .env.local and set:                   │
+│     SECURENOW_APPID=your-app-name              │
+│     SECURENOW_INSTANCE=http://otel-collector:4318      │
+│     SECURENOW_CAPTURE_BODY=1                   │
+│                                                 │
+│  2. Run your app: npm run dev                  │
+│                                                 │
+│  3. Check SecureNow for traces!                │
+│                                                 │
+│  📝 Body capture enabled with auto-redaction   │
+└─────────────────────────────────────────────────┘
+```
+
+**Total customer code written: 0 lines!**
+
+---
+
+## ✨ Self-Sufficient Features
+
+### What the Package Provides
+
+1. **nextjs-middleware.js**
+   - Complete middleware implementation
+   - All parsing logic
+   - All redaction logic
+   - Error handling
+   - Span attribution
+
+2. **Postinstall Script**
+   - Auto-detects Next.js
+   - Offers to create files
+   - Creates middleware.ts with correct import
+   - Updates .env.local template
+
+3. **Examples**
+   - `examples/nextjs-middleware.ts`
+   - `examples/nextjs-middleware.js`
+   - Ready to copy if needed
+
+4. **Documentation**
+   - `NEXTJS-BODY-CAPTURE.md` - Complete guide
+   - Shows the one-line import
+
+---
+
+## 🔒 Security (Built Into Package!)
+
+**All in the package:**
+- ✅ 20+ sensitive fields redacted
+- ✅ Recursive redaction
+- ✅ GraphQL pattern matching
+- ✅ Size limits
+- ✅ Type detection
+
+**Customer configuration:**
+```bash
+# Optional: add custom fields
+SECURENOW_SENSITIVE_FIELDS=email,phone
+```
+
+**Customer code: 0 lines!**
+
+---
+
+## 📝 Files Created for Customer
+
+### By Installer
+
+1. **instrumentation.ts** (or .js)
+   ```typescript
+   export { middleware } from 'securenow/nextjs-middleware';
+   ```
+   *Just a re-export!*
+
+2. **middleware.ts** (or .js) - If they choose body capture
+   ```typescript
+   export { middleware } from 'securenow/nextjs-middleware';
+   export const config = { matcher: '/api/:path*' };
+   ```
+   *Just a re-export + config!*
+
+3. **.env.local**
+   ```bash
+   SECURENOW_APPID=my-app
+   SECURENOW_INSTANCE=http://otel-collector:4318
+   SECURENOW_CAPTURE_BODY=1
+   ```
+   *Just configuration!*
+
+**Total logic written by customer: 0 lines!**
+
+---
+
+## 🎉 Result
+
+### For Next.js Users
+
+**Before (broken):**
+- Install package
+- Enable body capture
+- → Get stream locking error
+- → App breaks
+
+**After (self-sufficient):**
+- Install package
+- Answer "Y" twice
+- Edit config values
+- → Everything works
+- → Bodies captured
+- → Sensitive data redacted
+- → Zero code to write
+
+### For You
+
+**Self-sufficient package:**
+- ✅ Customers write 0 lines of code
+- ✅ Just import from package
+- ✅ All logic in package
+- ✅ No stream locking errors
+- ✅ Works perfectly with Next.js
+- ✅ Automatic setup via installer
+
+---
+
+## ✅ Checklist
+
+- [x] Fixed stream locking error
+- [x] Created nextjs-middleware.js with all logic
+- [x] Updated package.json exports
+- [x] Enhanced postinstall to offer middleware creation
+- [x] Created example files
+- [x] Updated documentation
+- [x] Zero customer code required
+- [x] Tested - no linter errors
+
+---
+
+## 🚀 Ready to Ship!
+
+**The error is fixed and the solution is self-sufficient!**
+
+Customers get:
+- ✅ Automatic file creation (installer)
+- ✅ One-line imports (re-export from package)
+- ✅ All logic in package (no code to write)
+- ✅ Automatic redaction (built-in)
+- ✅ No stream errors (uses clone)
+
+**Status: Production Ready!** 🎯
+
+
+
+

package/docs/VERCEL-OTEL-MIGRATION.md

@@ -62,7 +62,7 @@ export function register() {
 ```bash
 # .env.local
 SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://your-signoz:4318
+SECURENOW_INSTANCE=http://your-otlp-backend:4318
 ```
 
 ### What They Get
@@ -89,7 +89,7 @@ SECURENOW_INSTANCE=http://your-signoz:4318
    - `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`
 3. SecureNow calls `@vercel/otel`'s `registerOTel()`
 4. @vercel/otel handles all the OpenTelemetry setup
-5. Traces flow to SigNoz
+5. Traces flow to SecureNow
 
 ### What @vercel/otel Does
 
@@ -185,7 +185,7 @@ All options still work:
 ```typescript
 registerSecureNow({
   serviceName: 'my-app',
-  endpoint: 'http://signoz:4318',
+  endpoint: 'http://otel-collector:4318',
   noUuid: false,
 });
 ```

package/examples/README.md

@@ -160,7 +160,7 @@ OTEL_LOG_LEVEL=info
 ```bash
 # Set in Vercel dashboard:
 SECURENOW_APPID=my-app
-SECURENOW_INSTANCE=http://your-signoz:4318
+SECURENOW_INSTANCE=http://your-collector-host:4318
 OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
 ```
 
@@ -180,7 +180,7 @@ npm install securenow@latest
 1. Check console for `[securenow] ✅ OpenTelemetry started`
 2. Enable debug mode: `OTEL_LOG_LEVEL=debug`
 3. Run test script: `node examples/test-nextjs-setup.js`
-4. Verify SigNoz accessibility: `curl http://your-signoz:4318/v1/traces`
+4. Verify OTLP collector accessibility: `curl http://your-collector-host:4318/v1/traces`
 
 ### Too many spans
 
@@ -206,7 +206,7 @@ registerSecureNow({
 ```typescript
 registerSecureNow({
   headers: {
-    'x-api-key': process.env.SIGNOZ_API_KEY,
+    'x-api-key': process.env.SECURENOW_API_KEY,
     'x-environment': process.env.NODE_ENV,
   },
 });
@@ -229,7 +229,7 @@ After setting up:
 
 1. **Run your app** and verify traces appear
 2. **Test key user flows** to see end-to-end tracing
-3. **Check SigNoz dashboard** for service map and traces
+3. **Check SecureNow dashboard** for service map and traces
 4. **Adjust configuration** based on your needs
 5. **Deploy to production** with proper environment variables
 
@@ -242,12 +242,12 @@ $ npm run dev
 
 [securenow] Next.js integration loading (pid=12345)
 [securenow] 🚀 Next.js App → service.name=my-app-abc123
-[securenow] ✅ OpenTelemetry started for Next.js → http://signoz:4318/v1/traces
+[securenow] ✅ OpenTelemetry started for Next.js → http://your-collector-host:4318/v1/traces
 
 ✓ Ready in 1.2s
 ```
 
-Then in SigNoz:
+Then in SecureNow:
 - ✅ See your service in service map
 - ✅ View traces for requests
 - ✅ Analyze performance metrics

package/examples/instrumentation-with-auto-capture.ts

@@ -30,7 +30,7 @@ export function register() {
  * 
  * Configuration in .env.local:
  *   SECURENOW_APPID=my-app
- *   SECURENOW_INSTANCE=http://signoz:4318
+ *   SECURENOW_INSTANCE=http://localhost:4318
  *   SECURENOW_CAPTURE_BODY=1
  *   SECURENOW_MAX_BODY_SIZE=10240
  *   SECURENOW_SENSITIVE_FIELDS=custom_field

package/examples/nextjs-env-example.txt

@@ -4,9 +4,9 @@
 # Required: Your application identifier
 SECURENOW_APPID=my-nextjs-app
 
-# Optional: Your SigNoz/OpenTelemetry collector endpoint
+# Optional: Your OTLP collector endpoint (SecureNow or any OTLP-compatible backend)
 # Default: https://freetrial.securenow.ai:4318
-SECURENOW_INSTANCE=http://your-signoz-server:4318
+SECURENOW_INSTANCE=http://your-otlp-collector:4318
 
 # Optional: API Key or authentication headers
 OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"