npm - securenow - Versions diffs - 6.0.2 → 6.1.0 - Mend

securenow 6.0.2 → 6.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/CONSUMING-APPS-GUIDE.md +455 -0
package/NPM_README.md +2029 -0
package/README.md +297 -40
package/SKILL-API.md +634 -0
package/SKILL-CLI.md +454 -0
package/cidr.js +83 -0
package/cli/apps.js +585 -0
package/cli/auth.js +280 -0
package/cli/client.js +115 -0
package/cli/config.js +173 -0
package/cli/diagnostics.js +387 -0
package/cli/firewall.js +100 -0
package/cli/fp.js +638 -0
package/cli/init.js +201 -0
package/cli/monitor.js +440 -0
package/cli/run.js +148 -0
package/cli/security.js +980 -0
package/cli/ui.js +386 -0
package/cli/utils.js +127 -0
package/cli.js +466 -455
package/console-instrumentation.js +147 -136
package/docs/ALL-FRAMEWORKS-QUICKSTART.md +1377 -455
package/docs/API-KEYS-GUIDE.md +233 -0
package/docs/ARCHITECTURE.md +3 -3
package/docs/AUTO-BODY-CAPTURE.md +1 -1
package/docs/AUTO-SETUP-SUMMARY.md +331 -0
package/docs/AUTO-SETUP.md +4 -4
package/docs/AUTOMATIC-IP-CAPTURE.md +5 -5
package/docs/BODY-CAPTURE-FIX.md +261 -0
package/docs/BODY-CAPTURE-QUICKSTART.md +2 -2
package/docs/CHANGELOG-NEXTJS.md +1 -35
package/docs/COMPLETION-REPORT.md +408 -0
package/docs/CUSTOMER-GUIDE.md +16 -16
package/docs/EASIEST-SETUP.md +5 -5
package/docs/ENVIRONMENT-VARIABLES.md +880 -652
package/docs/EXPRESS-BODY-CAPTURE.md +13 -12
package/docs/EXPRESS-SETUP-GUIDE.md +719 -720
package/docs/FINAL-SOLUTION.md +335 -0
package/docs/FIREWALL-GUIDE.md +426 -0
package/docs/IMPLEMENTATION-SUMMARY.md +410 -0
package/docs/INDEX.md +22 -4
package/docs/LOGGING-GUIDE.md +701 -708
package/docs/LOGGING-QUICKSTART.md +234 -255
package/docs/NEXTJS-BODY-CAPTURE-COMPARISON.md +323 -0
package/docs/NEXTJS-BODY-CAPTURE.md +2 -2
package/docs/NEXTJS-GUIDE.md +14 -14
package/docs/NEXTJS-QUICKSTART.md +1 -1
package/docs/NEXTJS-SETUP-COMPLETE.md +795 -0
package/docs/NEXTJS-WRAPPER-APPROACH.md +1 -1
package/docs/NUXT-GUIDE.md +166 -0
package/docs/QUICKSTART-BODY-CAPTURE.md +2 -2
package/docs/REDACTION-EXAMPLES.md +1 -1
package/docs/REQUEST-BODY-CAPTURE.md +19 -10
package/docs/SOLUTION-SUMMARY.md +312 -0
package/docs/VERCEL-OTEL-MIGRATION.md +3 -3
package/examples/README.md +6 -6
package/examples/instrumentation-with-auto-capture.ts +1 -1
package/examples/nextjs-env-example.txt +2 -2
package/examples/nextjs-instrumentation.js +1 -1
package/examples/nextjs-instrumentation.ts +1 -1
package/examples/nextjs-with-logging-example.md +6 -6
package/examples/nextjs-with-options.ts +1 -1
package/examples/test-nextjs-setup.js +1 -1
package/firewall-cloud.js +212 -0
package/firewall-iptables.js +139 -0
package/firewall-only.js +38 -0
package/firewall-tcp.js +74 -0
package/firewall.js +720 -0
package/free-trial-banner.js +174 -0
package/nextjs-auto-capture.js +199 -207
package/nextjs-middleware.js +186 -181
package/nextjs-webpack-config.js +88 -53
package/nextjs-wrapper.js +158 -158
package/nextjs.d.ts +1 -1
package/nextjs.js +639 -647
package/nuxt-server-plugin.mjs +423 -0
package/nuxt.d.ts +60 -0
package/nuxt.mjs +75 -0
package/package.json +186 -164
package/postinstall.js +6 -6
package/register.d.ts +1 -1
package/register.js +39 -4
package/resolve-ip.js +77 -0
package/tracing.d.ts +2 -1
package/tracing.js +295 -34
package/web-vite.mjs +239 -156
package/LICENSE +0 -15

package/nextjs.js CHANGED Viewed

@@ -1,647 +1,639 @@
-'use strict';
-/**
- * SecureNow Next.js Integration using @vercel/otel
- *
- * Usage in Next.js app:
- *
- * 1. Create instrumentation.ts (or .js) in your project root:
- *
- *    import { registerSecureNow } from 'securenow/nextjs';
- *    export function register() {
- *      registerSecureNow();
- *    }
- *
- * 2. Set environment variables:
- *    SECURENOW_APPID=my-nextjs-app
- *    SECURENOW_INSTANCE=http://your-signoz-host:4318
- *
- * That's it! 🎉 No webpack warnings!
- */
-const { v4: uuidv4 } = require('uuid');
-const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-const parseHeaders = str => {
-  const out = {}; if (!str) return out;
-  for (const raw of String(str).split(',')) {
-    const s = raw.trim(); if (!s) continue;
-    const i = s.indexOf('='); if (i === -1) continue;
-    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
-  }
-  return out;
-};
-let isRegistered = false;
-// Default sensitive fields to redact from request bodies
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  for (const key in redacted) {
-    const lowerKey = key.toLowerCase();
-    // Check if field is sensitive
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      // Recursively redact nested objects
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  return redacted;
-}
-/**
- * Redact sensitive data from GraphQL query strings
- */
-function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!query || typeof query !== 'string') return query;
-  let redacted = query;
-  // Redact sensitive fields in GraphQL arguments and variables
-  // Matches patterns like: password: "value" or password:"value" or password:'value'
-  sensitiveFields.forEach(field => {
-    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
-    const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
-    ];
-    patterns.forEach(pattern => {
-      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
-        if (suffix) {
-          return `${prefix}[REDACTED]${suffix}`;
-        } else {
-          return `${prefix}[REDACTED]`;
-        }
-      });
-    });
-  });
-  return redacted;
-}
-/**
- * Parse and capture request body safely
- */
-async function captureRequestBody(request, maxSize = 10240) {
-  try {
-    const contentType = request.headers['content-type'] || '';
-    let body = '';
-    // Collect body chunks
-    const chunks = [];
-    let size = 0;
-    return new Promise((resolve) => {
-      request.on('data', (chunk) => {
-        size += chunk.length;
-        if (size <= maxSize) {
-          chunks.push(chunk);
-        }
-      });
-      request.on('end', () => {
-        if (size > maxSize) {
-          resolve({
-            captured: false,
-            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
-            size
-          });
-          return;
-        }
-        body = Buffer.concat(chunks).toString('utf8');
-        // Parse based on content type
-        if (contentType.includes('application/json')) {
-          try {
-            const parsed = JSON.parse(body);
-            resolve({
-              captured: true,
-              type: 'json',
-              body: parsed,
-              size
-            });
-          } catch (e) {
-            resolve({
-              captured: true,
-              type: 'json',
-              body: body.substring(0, 1000),
-              parseError: true,
-              size
-            });
-          }
-        } else if (contentType.includes('application/graphql')) {
-          // GraphQL queries need redaction too!
-          resolve({
-            captured: true,
-            type: 'graphql',
-            body: body,  // Will be redacted later
-            size
-          });
-        } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured (files can be huge)
-          resolve({
-            captured: false,
-            type: 'multipart',
-            reason: 'Multipart data not captured (file uploads)',
-            size
-          });
-        } else if (contentType.includes('application/x-www-form-urlencoded')) {
-          try {
-            const params = new URLSearchParams(body);
-            const parsed = Object.fromEntries(params);
-            resolve({
-              captured: true,
-              type: 'form',
-              body: parsed,
-              size
-            });
-          } catch (e) {
-            resolve({
-              captured: true,
-              type: 'form',
-              body: body.substring(0, 1000),
-              size
-            });
-          }
-        } else {
-          resolve({
-            captured: true,
-            type: 'text',
-            body: body.substring(0, 1000),
-            size
-          });
-        }
-      });
-      request.on('error', () => {
-        resolve({ captured: false, reason: 'Stream error' });
-      });
-      // Timeout after 100ms
-      setTimeout(() => {
-        resolve({ captured: false, reason: 'Timeout' });
-      }, 100);
-    });
-  } catch (error) {
-    return { captured: false, reason: error.message };
-  }
-}
-/**
- * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
- * @param {Object} options - Optional configuration
- * @param {string} options.serviceName - Service name (defaults to SECURENOW_APPID or OTEL_SERVICE_NAME)
- * @param {string} options.endpoint - Traces endpoint (defaults to SECURENOW_INSTANCE)
- * @param {boolean} options.noUuid - Don't append UUID to service name
- */
-function registerSecureNow(options = {}) {
-  // Only register once
-  if (isRegistered) {
-    console.log('[securenow] Already registered, skipping...');
-    return;
-  }
-  // Skip for Edge runtime
-  if (process.env.NEXT_RUNTIME === 'edge') {
-    console.log('[securenow] Skipping Edge runtime (Node.js only)');
-    return;
-  }
-  // Detect environment outside try block for error handling
-  const isVercel = !!(env('VERCEL') || env('VERCEL_ENV') || env('VERCEL_URL'));
-  try {
-    console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
-    // -------- Configuration --------
-    const rawBase = (
-      options.serviceName ||
-      env('OTEL_SERVICE_NAME') ||
-      env('SECURENOW_APPID') ||
-      ''
-    ).trim().replace(/^['"]|['"]$/g, '');
-    const baseName = rawBase || null;
-    const noUuid = options.noUuid ?? (String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
-    // service.name
-    let serviceName;
-    if (baseName) {
-      serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
-    } else {
-      serviceName = `nextjs-app-${uuidv4()}`;
-      console.warn('[securenow] ⚠️  No SECURENOW_APPID or OTEL_SERVICE_NAME provided. Using fallback: %s', serviceName);
-      console.warn('[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env.local for better tracking');
-    }
-    // -------- Endpoint Configuration --------
-    const endpointBase = (
-      options.endpoint ||
-      env('SECURENOW_INSTANCE') ||
-      env('OTEL_EXPORTER_OTLP_ENDPOINT') ||
-      'https://freetrial.securenow.ai:4318'
-    ).replace(/\/$/, '');
-    const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-    const logsUrl   = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT')   || `${endpointBase}/v1/logs`;
-    // Set environment variables for @vercel/otel to pick up
-    process.env.OTEL_SERVICE_NAME = serviceName;
-    process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
-    // -------- Logging Configuration --------
-    // Opt-in: SECURENOW_LOGGING_ENABLED=1 (or "true").
-    const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' ||
-                           String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
-    console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
-    // -------- Body Capture Configuration --------
-    const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' ||
-                       String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
-                       options.captureBody === true;
-    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    // -------- Log environment detection --------
-    if (!isVercel) {
-      console.log('[securenow] 🖥️  Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
-    }
-    // -------- Use different initialization based on environment --------
-    const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
-    // Configure HTTP instrumentation with comprehensive header capture
-    const httpInstrumentation = new HttpInstrumentation({
-      requireParentforOutgoingSpans: false,
-      requireParentforIncomingSpans: false,
-      ignoreIncomingRequestHook: (request) => {
-        // Never ignore - we want to trace all requests
-        return false;
-      },
-      requestHook: (span, request) => {
-        // SYNCHRONOUS ONLY - no async operations to avoid timing issues
-        try {
-          // Capture all headers
-          const headers = request.headers || {};
-          // ======== IP ADDRESS CAPTURE ========
-          // Try different header sources for IP (priority order)
-          const forwardedFor = headers['x-forwarded-for'];
-          const realIp = headers['x-real-ip'];
-          const cfConnectingIp = headers['cf-connecting-ip']; // Cloudflare
-          const clientIp = headers['x-client-ip'];
-          const socketIp = request.socket?.remoteAddress;
-          // Primary IP (first in chain is the real client)
-          const primaryIp =
-            (forwardedFor ? forwardedFor.split(',')[0]?.trim() : null) ||
-            realIp ||
-            cfConnectingIp ||
-            clientIp ||
-            socketIp ||
-            'unknown';
-          // ======== PROTOCOL & CONNECTION ========
-          const scheme = headers['x-forwarded-proto'] ||
-                        (request.socket?.encrypted ? 'https' : 'http');
-          const host = headers['x-forwarded-host'] || headers['host'] || '';
-          const port = headers['x-forwarded-port'] || request.socket?.localPort || '';
-          // ======== REQUEST METADATA ========
-          const userAgent = headers['user-agent'] || '';
-          const referer = headers['referer'] || headers['referrer'] || '';
-          const accept = headers['accept'] || '';
-          const acceptLanguage = headers['accept-language'] || '';
-          const acceptEncoding = headers['accept-encoding'] || '';
-          const contentType = headers['content-type'] || '';
-          const contentLength = headers['content-length'] || '';
-          const origin = headers['origin'] || '';
-          // ======== PROXY & LOAD BALANCER ========
-          const originalUri = headers['x-original-uri'] || '';
-          const originalMethod = headers['x-original-method'] || '';
-          const requestId = headers['x-request-id'] || headers['x-trace-id'] || headers['x-correlation-id'] || '';
-          // ======== SET ALL ATTRIBUTES ========
-          const attributes = {
-            // IP & Network
-            'http.client_ip': primaryIp,
-            'http.forwarded_for': forwardedFor || '',
-            'http.real_ip': realIp || '',
-            'http.socket_ip': socketIp || '',
-            // Protocol & Host
-            'http.scheme': scheme,
-            'http.host': host,
-            'http.port': port.toString(),
-            'http.forwarded_proto': headers['x-forwarded-proto'] || '',
-            'http.forwarded_host': headers['x-forwarded-host'] || '',
-            // Request Details
-            'http.user_agent': userAgent,
-            'http.referer': referer,
-            'http.origin': origin,
-            'http.accept': accept,
-            'http.accept_language': acceptLanguage,
-            'http.accept_encoding': acceptEncoding,
-            'http.content_type': contentType,
-            'http.content_length': contentLength,
-            // Proxy & Routing
-            'http.original_uri': originalUri,
-            'http.original_method': originalMethod,
-            'http.request_id': requestId,
-            // Connection Info
-            'http.connection': headers['connection'] || '',
-            'http.upgrade': headers['upgrade'] || '',
-          };
-          // Set all attributes at once
-          span.setAttributes(attributes);
-          // ======== GEOGRAPHIC DATA ========
-          // Vercel geo headers
-          if (headers['x-vercel-ip-country']) {
-            span.setAttributes({
-              'http.geo.country': headers['x-vercel-ip-country'],
-              'http.geo.region': headers['x-vercel-ip-country-region'] || '',
-              'http.geo.city': headers['x-vercel-ip-city'] || '',
-              'http.geo.latitude': headers['x-vercel-ip-latitude'] || '',
-              'http.geo.longitude': headers['x-vercel-ip-longitude'] || '',
-              'http.geo.timezone': headers['x-vercel-ip-timezone'] || '',
-            });
-          }
-          // Cloudflare geo headers
-          if (headers['cf-ipcountry']) {
-            span.setAttributes({
-              'http.geo.country': headers['cf-ipcountry'],
-              'http.geo.cf_ray': headers['cf-ray'] || '',
-              'http.geo.cf_visitor': headers['cf-visitor'] || '',
-            });
-          }
-          // Cloudflare additional headers
-          if (headers['cf-connecting-ip']) {
-            span.setAttribute('http.cf.connecting_ip', headers['cf-connecting-ip']);
-          }
-          // ======== SECURITY HEADERS ========
-          if (headers['x-csrf-token']) {
-            span.setAttribute('http.security.csrf_token_present', 'true');
-          }
-          if (headers['authorization']) {
-            span.setAttribute('http.security.auth_present', 'true');
-            // Never log the actual token!
-          }
-          if (headers['cookie']) {
-            span.setAttribute('http.security.cookies_present', 'true');
-            // Never log actual cookies!
-          }
-          // Debug log in development
-          if (env('NODE_ENV') === 'development' || env('OTEL_LOG_LEVEL') === 'debug') {
-            console.log('[securenow] 📡 Captured IP: %s (from: %s)',
-              primaryIp,
-              forwardedFor ? 'x-forwarded-for' : realIp ? 'x-real-ip' : socketIp ? 'socket' : 'unknown'
-            );
-          }
-          // -------- Request Body NOT captured at HTTP instrumentation level --------
-          // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
-          // Next.js manages request streams internally and reading them here causes conflicts
-          // Body capture must be done in Next.js middleware using request.clone()
-        } catch (error) {
-          // Silently fail to not break the request
-          if (env('OTEL_LOG_LEVEL') === 'debug') {
-            console.error('[securenow] ⚠️  Error in requestHook:', error.message);
-          }
-        }
-      },
-      responseHook: (span, response) => {
-        try {
-          // Capture response metadata
-          span.setAttributes({
-            'http.status_code': response.statusCode || 0,
-            'http.status_message': response.statusMessage || '',
-            'http.response.content_type': response.headers?.['content-type'] || '',
-            'http.response.content_length': response.headers?.['content-length'] || '',
-          });
-        } catch (error) {
-          // Silently fail
-        }
-      },
-    });
-    // -------- Guard against OTLP exporter socket errors --------
-    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
-    function _isOtlpTransientError(err) {
-      if (!err) return false;
-      if (_TRANSIENT_CODES.has(err.code)) return true;
-      if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
-      return false;
-    }
-    function _looksLikeOtlpStack(err) {
-      const s = err && err.stack;
-      if (!s) return false;
-      return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
-        || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
-    }
-    const _diagDebug = (env('OTEL_LOG_LEVEL') || '').toLowerCase() === 'debug';
-    process.on('uncaughtException', (err, origin) => {
-      if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-        }
-        return;
-      }
-      throw err;
-    });
-    process.on('unhandledRejection', (reason) => {
-      if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-        }
-        return;
-      }
-      throw reason;
-    });
-    if (isVercel) {
-      // -------- Vercel Environment: Use @vercel/otel --------
-      const { registerOTel } = require('@vercel/otel');
-      registerOTel({
-        serviceName: serviceName,
-        attributes: {
-          'deployment.environment': env('NODE_ENV') || env('VERCEL_ENV') || 'development',
-          'service.version': process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
-          'vercel.region': process.env.VERCEL_REGION || undefined,
-        },
-        instrumentations: [httpInstrumentation],
-        instrumentationConfig: {
-          fetch: {
-            // Propagate context to your backend APIs
-            propagateContextUrls: [
-              /^https?:\/\/localhost/,
-              /^https?:\/\/.*\.vercel\.app/,
-              // Add your backend domains here
-            ],
-            // Optionally ignore certain URLs
-            ignoreUrls: [
-              /_next\/static/,
-              /_next\/image/,
-              /\.map$/,
-            ],
-          },
-        },
-      });
-    } else {
-      // -------- Self-Hosted (EC2/PM2): Use Vanilla OpenTelemetry SDK --------
-      const { NodeSDK } = require('@opentelemetry/sdk-node');
-      const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
-      const { Resource } = require('@opentelemetry/resources');
-      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
-      const traceExporter = new OTLPTraceExporter({
-        url: tracesUrl,
-        headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'))
-      });
-      const sdk = new NodeSDK({
-        serviceName: serviceName,
-        traceExporter: traceExporter,
-        instrumentations: [httpInstrumentation],
-        resource: new Resource({
-          [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || env('VERCEL_ENV') || 'production',
-          [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
-        }),
-      });
-      sdk.start();
-      console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
-    }
-    // -------- Logging pipeline (both Vercel and self-hosted) --------
-    // Neither @vercel/otel nor NodeSDK 0.47.x wires OTLP logs for us, so we
-    // create the LoggerProvider ourselves, register a BatchLogRecordProcessor
-    // (addLogRecordProcessor — the `processors` constructor option was only
-    // added in sdk-logs 0.52 and is silently ignored in 0.47), publish it as
-    // the global logger provider, and auto-patch console.* to emit records.
-    if (loggingEnabled) {
-      const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
-      const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
-      const { logs } = require('@opentelemetry/api-logs');
-      const { Resource } = require('@opentelemetry/resources');
-      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
-      const logResource = new Resource({
-        [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-        [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || env('VERCEL_ENV') || 'production',
-        [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
-      });
-      const logExporter = new OTLPLogExporter({
-        url: logsUrl,
-        headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS')),
-      });
-      const loggerProvider = new LoggerProvider({ resource: logResource });
-      loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
-      logs.setGlobalLoggerProvider(loggerProvider);
-      const _logger = loggerProvider.getLogger('console', '1.0.0');
-      const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
-      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-      const _emit = (sn, st, args) => {
-        try {
-          _logger.emit({
-            severityNumber: sn,
-            severityText: st,
-            body: args.map(a => (typeof a === 'object' && a !== null)
-              ? (() => { try { return JSON.stringify(a); } catch { return String(a); } })()
-              : String(a)).join(' '),
-            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
-          });
-        } catch (_) {}
-      };
-      console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
-      console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
-      console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
-      console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
-      console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
-      const _shutdownLogs = async () => {
-        try { await Promise.resolve(loggerProvider.forceFlush?.()); } catch (_) {}
-        try { await Promise.resolve(loggerProvider.shutdown?.()); } catch (_) {}
-      };
-      process.on('SIGINT',  _shutdownLogs);
-      process.on('SIGTERM', _shutdownLogs);
-      process.on('beforeExit', _shutdownLogs);
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
-    } else {
-      console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
-    }
-    isRegistered = true;
-    console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
-    console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
-    console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');
-    console.log('[securenow]    • User-Agent, Referer, Origin, Accept headers');
-    console.log('[securenow]    • Protocol, Host, Port (proxy-aware)');
-    console.log('[securenow]    • Geographic data (Vercel/Cloudflare)');
-    console.log('[securenow]    • Request IDs, CSRF tokens, Auth presence');
-    console.log('[securenow]    • Response status, content-type, content-length');
-    console.log('[securenow] ⚠️  Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
-    if (captureBody) {
-      console.log('[securenow] 💡 For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
-    }
-    // Optional test span
-    if (String(env('SECURENOW_TEST_SPAN')) === '1') {
-      const api = require('@opentelemetry/api');
-      const tracer = api.trace.getTracer('securenow-nextjs');
-      const span = tracer.startSpan('securenow.nextjs.startup');
-      span.setAttribute('next.runtime', process.env.NEXT_RUNTIME || 'nodejs');
-      span.end();
-      console.log('[securenow] 🧪 Test span created');
-    }
-  } catch (error) {
-    console.error('[securenow] Failed to initialize OpenTelemetry:', error);
-    if (isVercel) {
-      console.error('[securenow] Make sure you have @vercel/otel installed: npm install @vercel/otel');
-    } else {
-      console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
-    }
-  }
-}
-module.exports = {
-  registerSecureNow,
-};
+'use strict';
+/**
+ * SecureNow Next.js Integration using @vercel/otel
+ *
+ * Usage in Next.js app:
+ *
+ * 1. Add serverExternalPackages to next.config.js (REQUIRED to avoid webpack bundling issues):
+ *
+ *    const nextConfig = {
+ *      serverExternalPackages: [
+ *        "securenow",
+ *        "@opentelemetry/sdk-node",
+ *        "@opentelemetry/auto-instrumentations-node",
+ *        "@opentelemetry/instrumentation-http",
+ *        "@opentelemetry/exporter-trace-otlp-http",
+ *        "@opentelemetry/exporter-logs-otlp-http",
+ *        "@opentelemetry/sdk-logs",
+ *        "@opentelemetry/instrumentation",
+ *        "@opentelemetry/resources",
+ *        "@opentelemetry/semantic-conventions",
+ *        "@opentelemetry/api",
+ *        "@opentelemetry/api-logs",
+ *        "@vercel/otel",
+ *      ],
+ *    };
+ *
+ * 2. Create instrumentation.ts (or .js) in your project root:
+ *
+ *    import { registerSecureNow } from 'securenow/nextjs';
+ *    export function register() {
+ *      registerSecureNow();
+ *    }
+ *
+ * 3. Set environment variables:
+ *    SECURENOW_APPID=my-nextjs-app
+ *    SECURENOW_INSTANCE=http://your-otlp-backend:4318
+ */
+const { randomUUID } = require('crypto');
+const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
+const parseHeaders = str => {
+  const out = {}; if (!str) return out;
+  for (const raw of String(str).split(',')) {
+    const s = raw.trim(); if (!s) continue;
+    const i = s.indexOf('='); if (i === -1) continue;
+    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
+  }
+  return out;
+};
+let isRegistered = false;
+// Default sensitive fields to redact from request bodies
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      // Recursively redact nested objects
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  return redacted;
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  let redacted = query;
+  // Redact sensitive fields in GraphQL arguments and variables
+  // Matches patterns like: password: "value" or password:"value" or password:'value'
+  sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
+    const patterns = [
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        if (suffix) {
+          return `${prefix}[REDACTED]${suffix}`;
+        } else {
+          return `${prefix}[REDACTED]`;
+        }
+      });
+    });
+  });
+  return redacted;
+}
+/**
+ * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
+ * @param {Object} options - Optional configuration
+ * @param {string} options.serviceName - Service name (defaults to SECURENOW_APPID or OTEL_SERVICE_NAME)
+ * @param {string} options.endpoint - Traces endpoint (defaults to SECURENOW_INSTANCE)
+ * @param {boolean} options.noUuid - Don't append UUID to service name
+ */
+function registerSecureNow(options = {}) {
+  // Only register once
+  if (isRegistered) {
+    console.log('[securenow] Already registered, skipping...');
+    return;
+  }
+  // Skip for Edge runtime
+  if (process.env.NEXT_RUNTIME === 'edge') {
+    console.log('[securenow] Skipping Edge runtime (Node.js only)');
+    return;
+  }
+  // Detect environment outside try block for error handling
+  const isVercel = !!(env('VERCEL') || env('VERCEL_ENV') || env('VERCEL_URL'));
+  try {
+    console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
+    // -------- Configuration --------
+    const rawBase = (
+      options.serviceName ||
+      env('OTEL_SERVICE_NAME') ||
+      env('SECURENOW_APPID') ||
+      ''
+    ).trim().replace(/^['"]|['"]$/g, '');
+    const baseName = rawBase || null;
+    const noUuid = options.noUuid ?? (String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
+    // service.name
+    let serviceName;
+    if (baseName) {
+      serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
+    } else {
+      serviceName = `nextjs-app-${randomUUID()}`;
+      console.warn('[securenow] ⚠️  No SECURENOW_APPID or OTEL_SERVICE_NAME provided. Using fallback: %s', serviceName);
+      console.warn('[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env.local for better tracking');
+    }
+    // -------- Endpoint Configuration --------
+    const endpointBase = (
+      options.endpoint ||
+      env('SECURENOW_INSTANCE') ||
+      env('OTEL_EXPORTER_OTLP_ENDPOINT') ||
+      'https://freetrial.securenow.ai:4318'
+    ).replace(/\/$/, '');
+    const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
+    const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
+    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
+    // -------- Body Capture Configuration --------
+    const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' ||
+                       String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
+                       options.captureBody === true;
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    // -------- Log environment detection --------
+    if (!isVercel) {
+      console.log('[securenow] 🖥️  Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
+    }
+    // -------- Use different initialization based on environment --------
+    const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
+    // Configure HTTP instrumentation with comprehensive header capture
+    const httpInstrumentation = new HttpInstrumentation({
+      requireParentforOutgoingSpans: false,
+      requireParentforIncomingSpans: false,
+      ignoreIncomingRequestHook: (request) => {
+        // Never ignore - we want to trace all requests
+        return false;
+      },
+      requestHook: (span, request) => {
+        // SYNCHRONOUS ONLY - no async operations to avoid timing issues
+        try {
+          // Capture all headers
+          const headers = request.headers || {};
+          // ======== IP ADDRESS CAPTURE ========
+          // Try different header sources for IP (priority order)
+          const forwardedFor = headers['x-forwarded-for'];
+          const realIp = headers['x-real-ip'];
+          const cfConnectingIp = headers['cf-connecting-ip']; // Cloudflare
+          const clientIp = headers['x-client-ip'];
+          const socketIp = request.socket?.remoteAddress;
+          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
+          let primaryIp = socketIp || 'unknown';
+          if (isProxied) {
+            if (forwardedFor) {
+              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
+              for (let i = chain.length - 1; i >= 0; i--) {
+                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
+              }
+            } else {
+              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
+            }
+          }
+          // ======== PROTOCOL & CONNECTION ========
+          const scheme = headers['x-forwarded-proto'] ||
+                        (request.socket?.encrypted ? 'https' : 'http');
+          const host = headers['x-forwarded-host'] || headers['host'] || '';
+          const port = headers['x-forwarded-port'] || request.socket?.localPort || '';
+          // ======== REQUEST METADATA ========
+          const userAgent = headers['user-agent'] || '';
+          const referer = headers['referer'] || headers['referrer'] || '';
+          const accept = headers['accept'] || '';
+          const acceptLanguage = headers['accept-language'] || '';
+          const acceptEncoding = headers['accept-encoding'] || '';
+          const contentType = headers['content-type'] || '';
+          const contentLength = headers['content-length'] || '';
+          const origin = headers['origin'] || '';
+          // ======== PROXY & LOAD BALANCER ========
+          const originalUri = headers['x-original-uri'] || '';
+          const originalMethod = headers['x-original-method'] || '';
+          const requestId = headers['x-request-id'] || headers['x-trace-id'] || headers['x-correlation-id'] || '';
+          // ======== SET ALL ATTRIBUTES ========
+          const attributes = {
+            // IP & Network
+            'http.client_ip': primaryIp,
+            'http.forwarded_for': forwardedFor || '',
+            'http.real_ip': realIp || '',
+            'http.socket_ip': socketIp || '',
+            // Protocol & Host
+            'http.scheme': scheme,
+            'http.host': host,
+            'http.port': port.toString(),
+            'http.forwarded_proto': headers['x-forwarded-proto'] || '',
+            'http.forwarded_host': headers['x-forwarded-host'] || '',
+            // Request Details
+            'http.user_agent': userAgent,
+            'http.referer': referer,
+            'http.origin': origin,
+            'http.accept': accept,
+            'http.accept_language': acceptLanguage,
+            'http.accept_encoding': acceptEncoding,
+            'http.content_type': contentType,
+            'http.content_length': contentLength,
+            // Proxy & Routing
+            'http.original_uri': originalUri,
+            'http.original_method': originalMethod,
+            'http.request_id': requestId,
+            // Connection Info
+            'http.connection': headers['connection'] || '',
+            'http.upgrade': headers['upgrade'] || '',
+          };
+          // Set all attributes at once
+          span.setAttributes(attributes);
+          // ======== GEOGRAPHIC DATA ========
+          // Vercel geo headers
+          if (headers['x-vercel-ip-country']) {
+            span.setAttributes({
+              'http.geo.country': headers['x-vercel-ip-country'],
+              'http.geo.region': headers['x-vercel-ip-country-region'] || '',
+              'http.geo.city': headers['x-vercel-ip-city'] || '',
+              'http.geo.latitude': headers['x-vercel-ip-latitude'] || '',
+              'http.geo.longitude': headers['x-vercel-ip-longitude'] || '',
+              'http.geo.timezone': headers['x-vercel-ip-timezone'] || '',
+            });
+          }
+          // Cloudflare geo headers
+          if (headers['cf-ipcountry']) {
+            span.setAttributes({
+              'http.geo.country': headers['cf-ipcountry'],
+              'http.geo.cf_ray': headers['cf-ray'] || '',
+              'http.geo.cf_visitor': headers['cf-visitor'] || '',
+            });
+          }
+          // Cloudflare additional headers
+          if (headers['cf-connecting-ip']) {
+            span.setAttribute('http.cf.connecting_ip', headers['cf-connecting-ip']);
+          }
+          // ======== SECURITY HEADERS ========
+          if (headers['x-csrf-token']) {
+            span.setAttribute('http.security.csrf_token_present', 'true');
+          }
+          if (headers['authorization']) {
+            span.setAttribute('http.security.auth_present', 'true');
+            // Never log the actual token!
+          }
+          if (headers['cookie']) {
+            span.setAttribute('http.security.cookies_present', 'true');
+            // Never log actual cookies!
+          }
+          // Debug log in development
+          if (env('NODE_ENV') === 'development' || env('OTEL_LOG_LEVEL') === 'debug') {
+            console.log('[securenow] 📡 Captured IP: %s (from: %s)',
+              primaryIp,
+              forwardedFor ? 'x-forwarded-for' : realIp ? 'x-real-ip' : socketIp ? 'socket' : 'unknown'
+            );
+          }
+          // -------- Request Body NOT captured at HTTP instrumentation level --------
+          // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
+          // Next.js manages request streams internally and reading them here causes conflicts
+          // Body capture must be done in Next.js middleware using request.clone()
+        } catch (error) {
+          // Silently fail to not break the request
+          if (env('OTEL_LOG_LEVEL') === 'debug') {
+            console.error('[securenow] ⚠️  Error in requestHook:', error.message);
+          }
+        }
+      },
+      responseHook: (span, response) => {
+        try {
+          // Capture response metadata
+          span.setAttributes({
+            'http.status_code': response.statusCode || 0,
+            'http.status_message': response.statusMessage || '',
+            'http.response.content_type': response.headers?.['content-type'] || '',
+            'http.response.content_length': response.headers?.['content-length'] || '',
+          });
+        } catch (error) {
+          // Silently fail
+        }
+      },
+    });
+    // -------- Guard against OTLP exporter socket errors --------
+    // The OTLP HTTP exporter uses keep-alive connections that can be reset by
+    // the remote end (ECONNRESET / "socket hang up"). These transient errors
+    // sometimes escape as unhandled exceptions or rejections. We catch them
+    // here and log at debug level instead of crashing the host app.
+    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+    function _isOtlpTransientError(err) {
+      if (!err) return false;
+      if (_TRANSIENT_CODES.has(err.code)) return true;
+      if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+      return false;
+    }
+    function _looksLikeOtlpStack(err) {
+      const s = err && err.stack;
+      if (!s) return false;
+      return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
+        || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
+    }
+    const _diagDebug = (env('OTEL_LOG_LEVEL') || '').toLowerCase() === 'debug';
+    process.on('uncaughtException', (err, origin) => {
+      if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
+        if (_diagDebug) {
+          console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
+        }
+        return;
+      }
+      throw err;
+    });
+    process.on('unhandledRejection', (reason) => {
+      if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
+        if (_diagDebug) {
+          console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
+        }
+        return;
+      }
+      throw reason;
+    });
+    if (isVercel) {
+      // -------- Vercel Environment: Use @vercel/otel --------
+      const { registerOTel } = require('@vercel/otel');
+      registerOTel({
+        serviceName: serviceName,
+        attributes: {
+          'deployment.environment': env('NODE_ENV') || env('VERCEL_ENV') || 'development',
+          'service.version': process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
+          'vercel.region': process.env.VERCEL_REGION || undefined,
+        },
+        instrumentations: [httpInstrumentation],
+        instrumentationConfig: {
+          fetch: {
+            // Propagate context to your backend APIs
+            propagateContextUrls: [
+              /^https?:\/\/localhost/,
+              /^https?:\/\/.*\.vercel\.app/,
+              // Add your backend domains here
+            ],
+            // Optionally ignore certain URLs
+            ignoreUrls: [
+              /_next\/static/,
+              /_next\/image/,
+              /\.map$/,
+            ],
+          },
+        },
+      });
+    } else {
+      // -------- Self-Hosted (EC2/PM2): Use Vanilla OpenTelemetry SDK --------
+      const { NodeSDK } = require('@opentelemetry/sdk-node');
+      const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
+      const { Resource } = require('@opentelemetry/resources');
+      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
+      const traceExporter = new OTLPTraceExporter({
+        url: tracesUrl,
+        headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'))
+      });
+      const sdk = new NodeSDK({
+        serviceName: serviceName,
+        traceExporter: traceExporter,
+        instrumentations: [httpInstrumentation],
+        resource: new Resource({
+          [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || env('VERCEL_ENV') || 'production',
+          [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
+        }),
+      });
+      sdk.start();
+      console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
+      // -------- Logging (self-hosted only) --------
+      const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+      if (loggingEnabled) {
+        try {
+          const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
+          const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
+          const logExporter = new OTLPLogExporter({
+            url: logsUrl,
+            headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS')),
+          });
+          const loggerProvider = new LoggerProvider({
+            resource: new Resource({
+              [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || 'production',
+            }),
+          });
+          loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
+          // Patch console to forward logs as OTLP log records
+          const logger = loggerProvider.getLogger('console', '1.0.0');
+          const SeverityNumber = { INFO: 9, WARN: 13, ERROR: 17 };
+          const origLog = console.log;
+          const origWarn = console.warn;
+          const origError = console.error;
+          const { context: otelContext, trace: otelTrace } = require('@opentelemetry/api');
+          function _emitLog(sn, st, args) {
+            try {
+              const activeCtx = otelContext.active();
+              const spanCtx = otelTrace.getSpanContext(activeCtx);
+              logger.emit({
+                severityNumber: sn,
+                severityText: st,
+                body: args.map(String).join(' '),
+                ...(spanCtx && { context: activeCtx }),
+              });
+            } catch (_) {}
+          }
+          console.log = (...args) => {
+            origLog.apply(console, args);
+            _emitLog(SeverityNumber.INFO, 'INFO', args);
+          };
+          console.warn = (...args) => {
+            origWarn.apply(console, args);
+            _emitLog(SeverityNumber.WARN, 'WARN', args);
+          };
+          console.error = (...args) => {
+            origError.apply(console, args);
+            _emitLog(SeverityNumber.ERROR, 'ERROR', args);
+          };
+          console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+          // Auto-log every incoming HTTP request/response
+          try {
+            const http = require('http');
+            const originalEmit = http.Server.prototype.emit;
+            http.Server.prototype.emit = function (event, req, res) {
+              if (event === 'request' && req && res) {
+                const start = Date.now();
+                const method = req.method;
+                const url = req.url;
+                res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
+                  const duration = Date.now() - start;
+                  const status = res.statusCode;
+                  const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';
+                  const ua = req.headers['user-agent'] || '-';
+                  const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
+                  const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
+                  const severityText = status >= 500 ? 'ERROR' : status >= 400 ? 'WARN' : 'INFO';
+                  origLog.call(console, '[securenow] %s %s %d %dms', method, url, status, duration);
+                  try {
+                    logger.emit({
+                      severityNumber: severity,
+                      severityText,
+                      body,
+                      attributes: {
+                        'http.method': method,
+                        'http.url': url,
+                        'http.status_code': status,
+                        'http.duration_ms': duration,
+                        'http.client_ip': String(ip).split(',')[0].trim(),
+                        'http.user_agent': ua,
+                      },
+                      ...(reqSpanCtx && { context: reqCtx }),
+                    });
+                  } catch (_) {}
+                });
+              }
+              return originalEmit.apply(this, arguments);
+            };
+            console.log('[securenow] 📋 HTTP request logging: ENABLED');
+          } catch (_) {}
+          // Graceful shutdown for logs
+          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
+          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
+        } catch (e) {
+          console.warn('[securenow] ⚠️  Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
+        }
+      } else {
+        console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
+      }
+    }
+    isRegistered = true;
+    // Free trial banner (optional — may not be bundled in standalone builds)
+    try {
+      const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
+      if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+        patchHttpForBanner();
+      }
+    } catch (_) {}
+    console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
+    console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
+    console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');
+    console.log('[securenow]    • User-Agent, Referer, Origin, Accept headers');
+    console.log('[securenow]    • Protocol, Host, Port (proxy-aware)');
+    console.log('[securenow]    • Geographic data (Vercel/Cloudflare)');
+    console.log('[securenow]    • Request IDs, CSRF tokens, Auth presence');
+    console.log('[securenow]    • Response status, content-type, content-length');
+    console.log('[securenow] ⚠️  Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
+    if (captureBody) {
+      console.log('[securenow] 💡 For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
+    }
+    // Optional test span
+    if (String(env('SECURENOW_TEST_SPAN')) === '1') {
+      const api = require('@opentelemetry/api');
+      const tracer = api.trace.getTracer('securenow-nextjs');
+      const span = tracer.startSpan('securenow.nextjs.startup');
+      span.setAttribute('next.runtime', process.env.NEXT_RUNTIME || 'nodejs');
+      span.end();
+      console.log('[securenow] 🧪 Test span created');
+    }
+  } catch (error) {
+    console.error('[securenow] Failed to initialize OpenTelemetry:', error);
+    if (isVercel) {
+      console.error('[securenow] Make sure you have @vercel/otel installed: npm install @vercel/otel');
+    } else {
+      console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
+    }
+  }
+  // Firewall — runs independently from OTel so it works even if tracing fails
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      require('./firewall').init({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+}
+module.exports = {
+  registerSecureNow,
+};