npm - securenow - Versions diffs - 6.0.2 → 7.0.0-anas - Mend

securenow 6.0.2 → 7.0.0-anas

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/CONSUMING-APPS-GUIDE.md +455 -0
package/NPM_README.md +2029 -0
package/README.md +297 -40
package/SKILL-API.md +634 -0
package/SKILL-CLI.md +454 -0
package/app-config.js +130 -0
package/cidr.js +83 -0
package/cli/apps.js +608 -0
package/cli/auth.js +298 -0
package/cli/client.js +115 -0
package/cli/config.js +202 -0
package/cli/diagnostics.js +387 -0
package/cli/firewall.js +100 -0
package/cli/fp.js +638 -0
package/cli/init.js +201 -0
package/cli/monitor.js +440 -0
package/cli/run.js +148 -0
package/cli/security.js +980 -0
package/cli/ui.js +386 -0
package/cli/utils.js +127 -0
package/cli.js +469 -455
package/console-instrumentation.js +147 -136
package/docs/ALL-FRAMEWORKS-QUICKSTART.md +1377 -455
package/docs/API-KEYS-GUIDE.md +233 -0
package/docs/ARCHITECTURE.md +3 -3
package/docs/AUTO-BODY-CAPTURE.md +1 -1
package/docs/AUTO-SETUP-SUMMARY.md +331 -0
package/docs/AUTO-SETUP.md +4 -4
package/docs/AUTOMATIC-IP-CAPTURE.md +5 -5
package/docs/BODY-CAPTURE-FIX.md +261 -0
package/docs/BODY-CAPTURE-QUICKSTART.md +2 -2
package/docs/CHANGELOG-NEXTJS.md +1 -35
package/docs/COMPLETION-REPORT.md +408 -0
package/docs/CUSTOMER-GUIDE.md +16 -16
package/docs/EASIEST-SETUP.md +5 -5
package/docs/ENVIRONMENT-VARIABLES.md +880 -652
package/docs/EXPRESS-BODY-CAPTURE.md +13 -12
package/docs/EXPRESS-SETUP-GUIDE.md +719 -720
package/docs/FINAL-SOLUTION.md +335 -0
package/docs/FIREWALL-GUIDE.md +426 -0
package/docs/IMPLEMENTATION-SUMMARY.md +410 -0
package/docs/INDEX.md +22 -4
package/docs/LOGGING-GUIDE.md +701 -708
package/docs/LOGGING-QUICKSTART.md +234 -255
package/docs/NEXTJS-BODY-CAPTURE-COMPARISON.md +323 -0
package/docs/NEXTJS-BODY-CAPTURE.md +2 -2
package/docs/NEXTJS-GUIDE.md +14 -14
package/docs/NEXTJS-QUICKSTART.md +1 -1
package/docs/NEXTJS-SETUP-COMPLETE.md +795 -0
package/docs/NEXTJS-WRAPPER-APPROACH.md +1 -1
package/docs/NUXT-GUIDE.md +166 -0
package/docs/QUICKSTART-BODY-CAPTURE.md +2 -2
package/docs/REDACTION-EXAMPLES.md +1 -1
package/docs/REQUEST-BODY-CAPTURE.md +19 -10
package/docs/SOLUTION-SUMMARY.md +312 -0
package/docs/VERCEL-OTEL-MIGRATION.md +3 -3
package/examples/README.md +6 -6
package/examples/instrumentation-with-auto-capture.ts +1 -1
package/examples/nextjs-env-example.txt +2 -2
package/examples/nextjs-instrumentation.js +1 -1
package/examples/nextjs-instrumentation.ts +1 -1
package/examples/nextjs-with-logging-example.md +6 -6
package/examples/nextjs-with-options.ts +1 -1
package/examples/test-nextjs-setup.js +1 -1
package/firewall-cloud.js +212 -0
package/firewall-iptables.js +139 -0
package/firewall-only.js +38 -0
package/firewall-tcp.js +74 -0
package/firewall.js +720 -0
package/free-trial-banner.js +174 -0
package/nextjs-auto-capture.js +198 -207
package/nextjs-middleware.js +186 -181
package/nextjs-webpack-config.js +88 -53
package/nextjs-wrapper.js +158 -158
package/nextjs.d.ts +1 -1
package/nextjs.js +638 -647
package/nuxt-server-plugin.mjs +425 -0
package/nuxt.d.ts +60 -0
package/nuxt.mjs +75 -0
package/package.json +172 -164
package/postinstall.js +42 -14
package/register.d.ts +1 -1
package/register.js +39 -4
package/resolve-ip.js +77 -0
package/tracing.d.ts +2 -1
package/tracing.js +318 -45
package/web-vite.mjs +239 -156
package/LICENSE +0 -15

package/nuxt-server-plugin.mjs ADDED Viewed

@@ -0,0 +1,425 @@
+/**
+ * SecureNow Nitro Server Plugin
+ *
+ * Initialises the OpenTelemetry SDK and hooks into Nitro's request lifecycle
+ * to create spans, capture metadata, and forward logs.
+ *
+ * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
+ */
+import { NodeSDK } from '@opentelemetry/sdk-node';
+import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
+import { Resource } from '@opentelemetry/resources';
+import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
+import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
+import {
+  context as otelContext,
+  trace as otelTrace,
+  SpanStatusCode,
+} from '@opentelemetry/api';
+import { v4 as uuidv4 } from 'uuid';
+import { createRequire } from 'node:module';
+const nodeRequire = createRequire(import.meta.url);
+const appConfig = nodeRequire('./app-config');
+// ── Helpers ──
+const env = (k) =>
+  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
+const parseHeaders = (str) => {
+  const out = {};
+  if (!str) return out;
+  for (const raw of String(str).split(',')) {
+    const s = raw.trim();
+    if (!s) continue;
+    const i = s.indexOf('=');
+    if (i === -1) continue;
+    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
+  }
+  return out;
+};
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+function redactSensitiveData(obj, fields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  for (const key of Object.keys(redacted)) {
+    const lower = key.toLowerCase();
+    if (fields.some((f) => lower.includes(f.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], fields);
+    }
+  }
+  return redacted;
+}
+// ── Runtime config helpers ──
+function getRuntimeOptions() {
+  try {
+    const cfg = useRuntimeConfig();
+    return cfg.securenow || {};
+  } catch {
+    return {};
+  }
+}
+// ── Plugin ──
+export default defineNitroPlugin((nitroApp) => {
+  const opts = getRuntimeOptions();
+  // Resolution order: opts → env → .securenow/credentials.json → package.json#name
+  const resolvedApp = appConfig.resolveAll();
+  // ── Naming ──
+  const rawBase = (opts.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
+  const baseName = rawBase || null;
+  const noUuid =
+    opts.noUuid ??
+    (String(env('SECURENOW_NO_UUID')) === '1' ||
+      String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
+  let serviceName;
+  if (baseName) {
+    serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
+  } else {
+    serviceName = `nuxt-app-${uuidv4()}`;
+    console.warn(
+      '[securenow] ⚠️  No app identity resolved. Using fallback: %s',
+      serviceName,
+    );
+    console.warn(
+      '[securenow] 💡 Run `npx securenow login` or set SECURENOW_APPID in .env',
+    );
+  }
+  const serviceInstanceId = `${baseName || 'securenow'}-${uuidv4()}`;
+  // ── Endpoints ──
+  const endpointBase = (opts.endpoint || resolvedApp.instance).replace(/\/$/, '');
+  // Surface credentials-file app key as x-api-key for collector routing.
+  if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
+    process.env.SECURENOW_API_KEY = resolvedApp.appKey;
+    process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
+  }
+  const tracesUrl =
+    env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
+  const logsUrl =
+    env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
+  const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+  // ── Resource ──
+  const resource = new Resource({
+    [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+    [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
+    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]:
+      env('NODE_ENV') || 'production',
+    [SemanticResourceAttributes.SERVICE_VERSION]:
+      process.env.npm_package_version || undefined,
+    'framework': 'nuxt',
+  });
+  // ── Body capture config ──
+  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 (or opts.captureBody=false) to disable.
+  const captureBody =
+    opts.captureBody ??
+    !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
+  const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+  const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '')
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+  // ── HTTP instrumentation ──
+  const httpInstrumentation = new HttpInstrumentation({
+    requestHook: (span, request) => {
+      try {
+        const hdrs = request.headers || {};
+        const fwd = hdrs['x-forwarded-for'];
+        const clientIp =
+          (fwd ? String(fwd).split(',')[0].trim() : null) ||
+          hdrs['x-real-ip'] ||
+          hdrs['cf-connecting-ip'] ||
+          hdrs['x-client-ip'] ||
+          request.socket?.remoteAddress ||
+          'unknown';
+        span.setAttributes({
+          'http.client_ip': clientIp,
+          'http.user_agent': hdrs['user-agent'] || '',
+          'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
+          'http.scheme':
+            hdrs['x-forwarded-proto'] ||
+            (request.socket?.encrypted ? 'https' : 'http'),
+          'http.referer': hdrs['referer'] || '',
+          'http.origin': hdrs['origin'] || '',
+          'http.request_id':
+            hdrs['x-request-id'] || hdrs['x-trace-id'] || '',
+        });
+        if (hdrs['authorization']) {
+          span.setAttribute('http.security.auth_present', 'true');
+        }
+        if (hdrs['cookie']) {
+          span.setAttribute('http.security.cookies_present', 'true');
+        }
+        // Body capture via stream listener (same approach as tracing.js)
+        if (
+          captureBody &&
+          request.method &&
+          ['POST', 'PUT', 'PATCH'].includes(request.method)
+        ) {
+          const ct = hdrs['content-type'] || '';
+          if (
+            ct.includes('application/json') ||
+            ct.includes('application/graphql') ||
+            ct.includes('application/x-www-form-urlencoded')
+          ) {
+            const chunks = [];
+            let size = 0;
+            request.on('data', (chunk) => {
+              size += chunk.length;
+              if (size <= maxBodySize) chunks.push(chunk);
+            });
+            request.on('end', () => {
+              if (size > maxBodySize) {
+                span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
+                return;
+              }
+              if (chunks.length === 0) return;
+              const raw = Buffer.concat(chunks).toString('utf8');
+              try {
+                const parsed = JSON.parse(raw);
+                const redacted = redactSensitiveData(parsed, allSensitiveFields);
+                span.setAttributes({
+                  'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+                  'http.request.body.type': ct.includes('graphql') ? 'graphql' : 'json',
+                  'http.request.body.size': size,
+                });
+              } catch {
+                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
+                span.setAttribute('http.request.body.parse_error', true);
+              }
+            });
+          }
+        }
+      } catch {
+        // never break the request
+      }
+    },
+  });
+  // ── Trace exporter + SDK ──
+  const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
+  const sdk = new NodeSDK({
+    traceExporter,
+    resource,
+    instrumentations: [httpInstrumentation],
+  });
+  sdk.start();
+  console.log('[securenow] 🚀 Nuxt OTel SDK started → %s', tracesUrl);
+  console.log(
+    '[securenow] service.name=%s instance.id=%s',
+    serviceName,
+    serviceInstanceId,
+  );
+  // ── Logging ──
+  // Opt-out default: set SECURENOW_LOGGING_ENABLED=0 (or opts.logging=false) to disable.
+  const loggingEnabled =
+    opts.logging ??
+    !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
+  let loggerProvider = null;
+  if (loggingEnabled) {
+    try {
+      const { OTLPLogExporter } = await import(
+        '@opentelemetry/exporter-logs-otlp-http'
+      );
+      const { LoggerProvider, BatchLogRecordProcessor } = await import(
+        '@opentelemetry/sdk-logs'
+      );
+      const logExporter = new OTLPLogExporter({ url: logsUrl, headers });
+      loggerProvider = new LoggerProvider({ resource });
+      loggerProvider.addLogRecordProcessor(
+        new BatchLogRecordProcessor(logExporter),
+      );
+      const logger = loggerProvider.getLogger('console', '1.0.0');
+      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+      const orig = {
+        log: console.log,
+        info: console.info,
+        warn: console.warn,
+        error: console.error,
+        debug: console.debug,
+      };
+      function emitLog(sn, st, args) {
+        try {
+          const ctx = otelContext.active();
+          const spanCtx = otelTrace.getSpanContext(ctx);
+          logger.emit({
+            severityNumber: sn,
+            severityText: st,
+            body: args
+              .map((a) =>
+                typeof a === 'object' && a !== null ? JSON.stringify(a) : String(a),
+              )
+              .join(' '),
+            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+            ...(spanCtx && { context: ctx }),
+          });
+        } catch {
+          // swallow
+        }
+      }
+      console.log = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.log.apply(console, a); };
+      console.info = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.info.apply(console, a); };
+      console.warn = (...a) => { emitLog(SEV.WARN, 'WARN', a); orig.warn.apply(console, a); };
+      console.error = (...a) => { emitLog(SEV.ERROR, 'ERROR', a); orig.error.apply(console, a); };
+      console.debug = (...a) => { emitLog(SEV.DEBUG, 'DEBUG', a); orig.debug.apply(console, a); };
+      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+    } catch (e) {
+      console.warn('[securenow] ⚠️  Logging setup failed:', e.message);
+    }
+  } else {
+    console.log(
+      '[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)',
+    );
+  }
+  if (captureBody) {
+    console.log(
+      '[securenow] 📝 Body capture: ENABLED (max %d bytes, redacting %d fields)',
+      maxBodySize,
+      allSensitiveFields.length,
+    );
+  }
+  // ── Free trial banner ──
+  try {
+    const { isFreeTrial, patchHttpForBanner } = await import('./free-trial-banner.js');
+    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+      patchHttpForBanner();
+    }
+  } catch {
+    // not critical
+  }
+  // ── Firewall — runs independently from OTel ──
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      const { init: fwInit } = await import('./firewall.js');
+      fwInit({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+  // ── Graceful shutdown ──
+  const shutdown = async (sig) => {
+    try {
+      await sdk.shutdown?.();
+      if (loggerProvider) await loggerProvider.shutdown?.();
+      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
+      console.log(`[securenow] Shut down on ${sig}`);
+    } catch {
+      // swallow
+    }
+  };
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
+  // ── Nitro request hooks for span enrichment ──
+  const tracer = otelTrace.getTracer('securenow-nuxt', '1.0.0');
+  const spanMap = new WeakMap();
+  nitroApp.hooks.hook('request', (event) => {
+    try {
+      const req = event.node.req;
+      const method = event.method || req.method || 'GET';
+      const path = event.path || req.url || '/';
+      const span = tracer.startSpan(`${method} ${path}`, {
+        attributes: {
+          'http.method': method,
+          'http.target': path,
+          'http.url': `${req.headers?.['x-forwarded-proto'] || 'http'}://${req.headers?.host || 'localhost'}${path}`,
+          'component': 'nuxt-nitro',
+        },
+      });
+      spanMap.set(event, span);
+    } catch {
+      // never break the request
+    }
+  });
+  nitroApp.hooks.hook('afterResponse', (event) => {
+    try {
+      const span = spanMap.get(event);
+      if (!span) return;
+      const status = event.node.res.statusCode || 200;
+      span.setAttribute('http.status_code', status);
+      if (status >= 500) {
+        span.setStatus({ code: SpanStatusCode.ERROR, message: `HTTP ${status}` });
+      }
+      span.end();
+      spanMap.delete(event);
+    } catch {
+      // swallow
+    }
+  });
+  nitroApp.hooks.hook('error', (error, { event }) => {
+    try {
+      const span = event ? spanMap.get(event) : null;
+      if (span) {
+        span.recordException(error);
+        span.setStatus({
+          code: SpanStatusCode.ERROR,
+          message: error.message || 'Internal Server Error',
+        });
+        span.end();
+        spanMap.delete(event);
+      }
+    } catch {
+      // swallow
+    }
+  });
+});

package/nuxt.d.ts ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * SecureNow Nuxt 3 Module TypeScript Declarations
+ */
+export interface SecureNowNuxtOptions {
+  /**
+   * Service name for OpenTelemetry traces.
+   * @default process.env.SECURENOW_APPID || process.env.OTEL_SERVICE_NAME
+   */
+  serviceName?: string;
+  /**
+   * OTLP endpoint base URL.
+   * @default process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318'
+   */
+  endpoint?: string;
+  /**
+   * Don't append UUID to service name (useful when running a single instance).
+   * @default false
+   */
+  noUuid?: boolean;
+  /**
+   * Capture request bodies (POST/PUT/PATCH) on traced spans.
+   * Sensitive fields are automatically redacted.
+   * @default false
+   */
+  captureBody?: boolean;
+  /**
+   * Enable console log forwarding as OTLP log records.
+   * @default false
+   */
+  logging?: boolean;
+}
+declare module 'nuxt/schema' {
+  interface NuxtConfig {
+    securenow?: SecureNowNuxtOptions;
+  }
+  interface NuxtOptions {
+    securenow?: SecureNowNuxtOptions;
+  }
+  interface RuntimeConfig {
+    securenow?: SecureNowNuxtOptions;
+  }
+}
+declare module '@nuxt/schema' {
+  interface NuxtConfig {
+    securenow?: SecureNowNuxtOptions;
+  }
+  interface NuxtOptions {
+    securenow?: SecureNowNuxtOptions;
+  }
+  interface RuntimeConfig {
+    securenow?: SecureNowNuxtOptions;
+  }
+}

package/nuxt.mjs ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * SecureNow Nuxt 3 Module
+ *
+ * Usage in nuxt.config.ts:
+ *
+ *   export default defineNuxtConfig({
+ *     modules: ['securenow/nuxt'],
+ *     securenow: {            // optional overrides
+ *       serviceName: 'my-nuxt-app',
+ *     },
+ *   });
+ *
+ * Environment variables (same as all SecureNow integrations):
+ *   SECURENOW_APPID, SECURENOW_INSTANCE, SECURENOW_LOGGING_ENABLED, etc.
+ */
+import { defineNuxtModule, createResolver, addServerPlugin } from '@nuxt/kit';
+const OTEL_EXTERNALS = [
+  'securenow',
+  '@opentelemetry/api',
+  '@opentelemetry/api-logs',
+  '@opentelemetry/sdk-node',
+  '@opentelemetry/sdk-logs',
+  '@opentelemetry/auto-instrumentations-node',
+  '@opentelemetry/instrumentation',
+  '@opentelemetry/instrumentation-http',
+  '@opentelemetry/exporter-trace-otlp-http',
+  '@opentelemetry/exporter-logs-otlp-http',
+  '@opentelemetry/resources',
+  '@opentelemetry/semantic-conventions',
+];
+export default defineNuxtModule({
+  meta: {
+    name: 'securenow',
+    configKey: 'securenow',
+    compatibility: { nuxt: '>=3.0.0' },
+  },
+  defaults: {
+    serviceName: undefined,
+    endpoint: undefined,
+    noUuid: undefined,
+    captureBody: undefined,
+    logging: undefined,
+  },
+  setup(options, nuxt) {
+    const { resolve } = createResolver(import.meta.url);
+    // ── Externalize OTel packages so Nitro doesn't bundle them ──
+    nuxt.hook('nitro:config', (nitroConfig) => {
+      nitroConfig.externals = nitroConfig.externals || {};
+      nitroConfig.externals.external = [
+        ...(nitroConfig.externals.external || []),
+        ...OTEL_EXTERNALS,
+      ];
+    });
+    // ── Pass module options to the server plugin via runtimeConfig ──
+    nuxt.options.runtimeConfig.securenow = {
+      serviceName: options.serviceName,
+      endpoint: options.endpoint,
+      noUuid: options.noUuid,
+      captureBody: options.captureBody,
+      logging: options.logging,
+    };
+    // ── Register Nitro server plugin ──
+    addServerPlugin(resolve('./nuxt-server-plugin'));
+    console.log('[securenow] Nuxt module loaded — server plugin registered');
+  },
+});