securenow 6.0.2 → 7.0.0-anas

package/package.json

@@ -1,164 +1,172 @@
-{
-  "name": "securenow",
-  "version": "6.0.2",
-  "description": "OpenTelemetry instrumentation for Node.js and Next.js - Send traces and logs to SigNoz or any OTLP backend",
-  "type": "commonjs",
-  "main": "register.js",
-  "types": "register.d.ts",
-  "bin": {
-    "securenow": "cli.js"
-  },
-  "scripts": {
-    "postinstall": "node postinstall.js || exit 0"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/securenow-ai/securenow-npm.git"
-  },
-  "homepage": "https://securenow.ai",
-  "bugs": {
-    "url": "https://github.com/securenow-ai/securenow-npm/issues",
-    "email": "support@securenow.ai"
-  },
-  "author": "SecureNow <support@securenow.ai> (https://securenow.ai)",
-  "keywords": [
-    "opentelemetry",
-    "otel",
-    "tracing",
-    "logging",
-    "logs",
-    "observability",
-    "apm",
-    "monitoring",
-    "nextjs",
-    "next.js",
-    "signoz",
-    "instrumentation",
-    "telemetry",
-    "distributed-tracing",
-    "node",
-    "express",
-    "fastify",
-    "nestjs"
-  ],
-  "exports": {
-    ".": {
-      "types": "./register.d.ts",
-      "default": "./register.js"
-    },
-    "./register": {
-      "types": "./register.d.ts",
-      "default": "./register.js"
-    },
-    "./tracing": {
-      "types": "./tracing.d.ts",
-      "default": "./tracing.js"
-    },
-    "./console-instrumentation": {
-      "default": "./console-instrumentation.js"
-    },
-    "./nextjs": {
-      "types": "./nextjs.d.ts",
-      "default": "./nextjs.js"
-    },
-    "./nextjs-auto-capture": {
-      "types": "./nextjs-auto-capture.d.ts",
-      "default": "./nextjs-auto-capture.js"
-    },
-    "./nextjs-middleware": {
-      "types": "./nextjs-middleware.d.ts",
-      "default": "./nextjs-middleware.js"
-    },
-    "./nextjs-wrapper": {
-      "types": "./nextjs-wrapper.d.ts",
-      "default": "./nextjs-wrapper.js"
-    },
-    "./nextjs-webpack-config": "./nextjs-webpack-config.js",
-    "./register-vite": "./register-vite.js",
-    "./web-vite": {
-      "import": "./web-vite.mjs",
-      "default": "./web-vite.mjs"
-    }
-  },
-  "files": [
-    "register.js",
-    "register.d.ts",
-    "tracing.js",
-    "tracing.d.ts",
-    "console-instrumentation.js",
-    "nextjs.js",
-    "nextjs.d.ts",
-    "nextjs-auto-capture.js",
-    "nextjs-auto-capture.d.ts",
-    "nextjs-middleware.js",
-    "nextjs-middleware.d.ts",
-    "nextjs-wrapper.js",
-    "nextjs-wrapper.d.ts",
-    "nextjs-webpack-config.js",
-    "cli.js",
-    "postinstall.js",
-    "register-vite.js",
-    "web-vite.mjs",
-    "examples/",
-    "docs/ALL-FRAMEWORKS-QUICKSTART.md",
-    "docs/ARCHITECTURE.md",
-    "docs/AUTO-BODY-CAPTURE.md",
-    "docs/CHANGELOG-NEXTJS.md",
-    "docs/NEXTJS-WEBPACK-WARNINGS.md",
-    "docs/AUTO-SETUP.md",
-    "docs/AUTOMATIC-IP-CAPTURE.md",
-    "docs/BODY-CAPTURE-QUICKSTART.md",
-    "docs/CUSTOMER-GUIDE.md",
-    "docs/EASIEST-SETUP.md",
-    "docs/ENVIRONMENT-VARIABLES.md",
-    "docs/EXPRESS-BODY-CAPTURE.md",
-    "docs/EXPRESS-SETUP-GUIDE.md",
-    "docs/INDEX.md",
-    "docs/LOGGING-GUIDE.md",
-    "docs/LOGGING-QUICKSTART.md",
-    "docs/NEXTJS-BODY-CAPTURE.md",
-    "docs/NEXTJS-GUIDE.md",
-    "docs/NEXTJS-QUICKSTART.md",
-    "docs/NEXTJS-WRAPPER-APPROACH.md",
-    "docs/QUICKSTART-BODY-CAPTURE.md",
-    "docs/REDACTION-EXAMPLES.md",
-    "docs/REQUEST-BODY-CAPTURE.md",
-    "docs/VERCEL-OTEL-MIGRATION.md",
-    "README.md",
-    "LICENSE"
-  ],
-  "dependencies": {
-    "@opentelemetry/api": "1.7.0",
-    "@opentelemetry/api-logs": "^0.47.0",
-    "@opentelemetry/auto-instrumentations-node": "0.47.0",
-    "@opentelemetry/exporter-logs-otlp-http": "^0.47.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.47.0",
-    "@opentelemetry/instrumentation": "0.47.0",
-    "@opentelemetry/instrumentation-document-load": "0.47.0",
-    "@opentelemetry/instrumentation-fetch": "0.47.0",
-    "@opentelemetry/instrumentation-http": "^0.208.0",
-    "@opentelemetry/instrumentation-user-interaction": "0.47.0",
-    "@opentelemetry/instrumentation-xml-http-request": "0.47.0",
-    "@opentelemetry/resources": "1.20.0",
-    "@opentelemetry/sdk-logs": "^0.47.0",
-    "@opentelemetry/sdk-node": "0.47.0",
-    "@opentelemetry/sdk-trace-web": "1.20.0",
-    "@opentelemetry/semantic-conventions": "1.20.0",
-    "@vercel/otel": "^1.14.0",
-    "dotenv": "^17.2.1",
-    "uuid": "^9.0.0"
-  },
-  "peerDependencies": {
-    "next": ">=13.0.0"
-  },
-  "peerDependenciesMeta": {
-    "next": {
-      "optional": true
-    }
-  },
-  "overrides": {
-    "@opentelemetry/api": "1.7.0"
-  },
-  "sideEffects": true,
-  "license": "ISC"
-}
+{
+  "name": "securenow",
+  "version": "7.0.0-anas",
+  "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
+  "type": "commonjs",
+  "main": "register.js",
+  "types": "register.d.ts",
+  "bin": {
+    "securenow": "cli.js"
+  },
+  "scripts": {
+    "postinstall": "node postinstall.js || exit 0"
+  },
+  "keywords": [
+    "opentelemetry",
+    "otel",
+    "tracing",
+    "logging",
+    "logs",
+    "observability",
+    "apm",
+    "monitoring",
+    "cli",
+    "nextjs",
+    "next.js",
+    "instrumentation",
+    "telemetry",
+    "distributed-tracing",
+    "node",
+    "express",
+    "fastify",
+    "nestjs",
+    "nuxt",
+    "nuxt3",
+    "nitro",
+    "vue",
+    "firewall",
+    "ip-blocking",
+    "waf",
+    "security"
+  ],
+  "exports": {
+    ".": {
+      "types": "./register.d.ts",
+      "default": "./register.js"
+    },
+    "./register": {
+      "types": "./register.d.ts",
+      "default": "./register.js"
+    },
+    "./tracing": {
+      "types": "./tracing.d.ts",
+      "default": "./tracing.js"
+    },
+    "./console-instrumentation": {
+      "default": "./console-instrumentation.js"
+    },
+    "./nextjs": {
+      "types": "./nextjs.d.ts",
+      "default": "./nextjs.js"
+    },
+    "./nextjs-auto-capture": {
+      "types": "./nextjs-auto-capture.d.ts",
+      "default": "./nextjs-auto-capture.js"
+    },
+    "./nextjs-middleware": {
+      "types": "./nextjs-middleware.d.ts",
+      "default": "./nextjs-middleware.js"
+    },
+    "./nextjs-wrapper": {
+      "types": "./nextjs-wrapper.d.ts",
+      "default": "./nextjs-wrapper.js"
+    },
+    "./nextjs-webpack-config": "./nextjs-webpack-config.js",
+    "./package.json": "./package.json",
+    "./nuxt": {
+      "types": "./nuxt.d.ts",
+      "import": "./nuxt.mjs",
+      "default": "./nuxt.mjs"
+    },
+    "./firewall": {
+      "default": "./firewall.js"
+    },
+    "./firewall-only": {
+      "default": "./firewall-only.js"
+    },
+    "./cidr": {
+      "default": "./cidr.js"
+    },
+    "./resolve-ip": {
+      "default": "./resolve-ip.js"
+    },
+    "./register-vite": "./register-vite.js",
+    "./web-vite": {
+      "import": "./web-vite.mjs",
+      "default": "./web-vite.mjs"
+    },
+    "./app-config": {
+      "default": "./app-config.js"
+    }
+  },
+  "files": [
+    "register.js",
+    "register.d.ts",
+    "tracing.js",
+    "tracing.d.ts",
+    "console-instrumentation.js",
+    "nextjs.js",
+    "nextjs.d.ts",
+    "nextjs-auto-capture.js",
+    "nextjs-auto-capture.d.ts",
+    "nextjs-middleware.js",
+    "nextjs-middleware.d.ts",
+    "nextjs-wrapper.js",
+    "nextjs-wrapper.d.ts",
+    "nextjs-webpack-config.js",
+    "nuxt.mjs",
+    "nuxt.d.ts",
+    "nuxt-server-plugin.mjs",
+    "cli.js",
+    "cli/",
+    "free-trial-banner.js",
+    "resolve-ip.js",
+    "cidr.js",
+    "firewall.js",
+    "firewall-only.js",
+    "firewall-tcp.js",
+    "firewall-iptables.js",
+    "firewall-cloud.js",
+    "postinstall.js",
+    "register-vite.js",
+    "web-vite.mjs",
+    "app-config.js",
+    "examples/",
+    "docs/",
+    "README.md",
+    "NPM_README.md",
+    "CONSUMING-APPS-GUIDE.md",
+    "SKILL-CLI.md",
+    "SKILL-API.md"
+  ],
+  "dependencies": {
+    "@opentelemetry/api": "1.7.0",
+    "@opentelemetry/api-logs": "0.47.0",
+    "@opentelemetry/auto-instrumentations-node": "0.47.0",
+    "@opentelemetry/exporter-logs-otlp-http": "0.47.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.47.0",
+    "@opentelemetry/instrumentation": "0.47.0",
+    "@opentelemetry/instrumentation-document-load": "0.47.0",
+    "@opentelemetry/instrumentation-fetch": "0.47.0",
+    "@opentelemetry/instrumentation-http": "0.47.0",
+    "@opentelemetry/instrumentation-mongodb": "0.46.0",
+    "@opentelemetry/instrumentation-user-interaction": "0.47.0",
+    "@opentelemetry/instrumentation-xml-http-request": "0.47.0",
+    "@opentelemetry/resources": "1.20.0",
+    "@opentelemetry/sdk-logs": "0.47.0",
+    "@opentelemetry/sdk-node": "0.47.0",
+    "@opentelemetry/sdk-trace-web": "1.20.0",
+    "@opentelemetry/semantic-conventions": "1.20.0",
+    "dotenv": "^17.2.1",
+    "uuid": "^9.0.0"
+  },
+  "optionalDependencies": {
+    "@vercel/otel": "^1.14.0"
+  },
+  "overrides": {
+    "@opentelemetry/api": "1.7.0",
+    "@opentelemetry/api-logs": "0.47.0"
+  },
+  "sideEffects": true,
+  "license": "ISC"
+}

package/postinstall.js

@@ -11,6 +11,35 @@ const fs = require('fs');
 const path = require('path');
 const readline = require('readline');
 
+// Make sure `.securenow/` is in the project's .gitignore so credentials never get committed.
+function ensureGitignore() {
+  try {
+    // Skip if we're not in an npm install of a user project
+    // (e.g., securenow's own CI, or nested install under another node_modules).
+    const cwd = process.cwd();
+    if (!fs.existsSync(path.join(cwd, 'package.json'))) return;
+    if (cwd.includes(`${path.sep}node_modules${path.sep}`)) return;
+
+    const gitignorePath = path.join(cwd, '.gitignore');
+    const entry = '.securenow/';
+    const header = '# SecureNow local credentials';
+
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      const alreadyListed = content.split('\n').some((line) => line.trim() === entry);
+      if (!alreadyListed) {
+        const prefix = content.endsWith('\n') ? '' : '\n';
+        fs.appendFileSync(gitignorePath, `${prefix}\n${header}\n${entry}\n`);
+      }
+    } else if (fs.existsSync(path.join(cwd, '.git'))) {
+      // Only create a new .gitignore if this is actually a git repo.
+      fs.writeFileSync(gitignorePath, `${header}\n${entry}\n`);
+    }
+  } catch {
+    // Non-fatal
+  }
+}
+
 // Check if we're in a Next.js project
 function isNextJsProject() {
   try {
@@ -53,7 +82,7 @@ export function register() {
  *   SECURENOW_APPID=my-nextjs-app
  * 
  * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   SECURENOW_INSTANCE=http://your-otlp-backend:4318
  *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
  *   OTEL_LOG_LEVEL=info
  */
@@ -77,13 +106,12 @@ export function register() {
  *   SECURENOW_APPID=my-nextjs-app
  * 
  * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   SECURENOW_INSTANCE=http://your-otlp-backend:4318
  *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
  *   OTEL_LOG_LEVEL=info
  *   
- * Optional: Enable request body capture
- *   SECURENOW_CAPTURE_BODY=1
- *   (Also create middleware.ts to activate - run: npx securenow init)
+ * Optional: Disable request body capture (enabled by default)
+ *   SECURENOW_CAPTURE_BODY=0
  */
 `;
   
@@ -150,9 +178,9 @@ function createEnvTemplate(targetPath) {
 # Required: Your application identifier
 SECURENOW_APPID=my-nextjs-app
 
-# Optional: Your SigNoz/OpenTelemetry collector endpoint
+# Optional: Your OTLP-compatible backend / collector endpoint
 # Default: https://freetrial.securenow.ai:4318
-SECURENOW_INSTANCE=http://your-signoz-server:4318
+SECURENOW_INSTANCE=http://your-otlp-backend:4318
 
 # Optional: API key or authentication headers
 # OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"
@@ -160,8 +188,8 @@ SECURENOW_INSTANCE=http://your-signoz-server:4318
 # Optional: Log level (debug|info|warn|error)
 # OTEL_LOG_LEVEL=info
 
-# Optional: Enable request body capture (requires middleware.ts)
-# SECURENOW_CAPTURE_BODY=1
+# Optional: Disable request body capture (enabled by default)
+# SECURENOW_CAPTURE_BODY=0
 # SECURENOW_MAX_BODY_SIZE=10240
 # SECURENOW_SENSITIVE_FIELDS=email,phone
 `;
@@ -176,6 +204,9 @@ function isTypeScriptProject() {
 
 // Main setup function
 async function setup() {
+  // Always make sure .securenow/ is gitignored (cheap, non-destructive).
+  ensureGitignore();
+
   // Skip if not in Next.js project
   if (!isNextJsProject()) {
     console.log('[securenow] Not a Next.js project, skipping auto-setup');
@@ -270,14 +301,11 @@ async function setup() {
         console.log('│                                                 │');
         console.log('│  1. Edit .env.local and set:                   │');
         console.log('│     SECURENOW_APPID=your-app-name              │');
-        console.log('│     SECURENOW_INSTANCE=http://signoz:4318      │');
-        if (shouldCreateMiddleware) {
-          console.log('│     SECURENOW_CAPTURE_BODY=1                   │');
-        }
+        console.log('│     SECURENOW_INSTANCE=http://your-otlp-backend:4318 │');
         console.log('│                                                 │');
         console.log('│  2. Run your app: npm run dev                  │');
         console.log('│                                                 │');
-        console.log('│  3. Check SigNoz for traces!                   │');
+        console.log('│  3. Check SecureNow for traces!                │');
         console.log('│                                                 │');
         if (shouldCreateMiddleware) {
           console.log('│  📝 Body capture enabled with auto-redaction   │');

package/register.d.ts

@@ -56,7 +56,7 @@ export {};
  *     node_args: '-r securenow/register',
  *     env: {
  *       SECURENOW_APPID: 'my-app',
- *       SECURENOW_INSTANCE: 'http://signoz:4318',
+ *       SECURENOW_INSTANCE: 'http://your-otlp-backend:4318',
  *       SECURENOW_CAPTURE_BODY: '1',
  *     }
  *   }]

package/register.js

@@ -1,14 +1,49 @@
-// securenow/preload.js
+// securenow/register.js — the only preload customers need:
+//   node --require securenow/register app.js
+//
+// For ESM apps ("type": "module"), this file auto-registers the
+// OpenTelemetry ESM loader hook via module.register() (Node >=20.6).
+// On older Node versions it falls back to a warning.
 'use strict';
 
-// load .env into process.env before anything else
+// 1. load .env before anything else
 try {
   require('dotenv').config();
   console.log('[securenow] dotenv loaded from', process.env.DOTENV_CONFIG_PATH || '.env');
 } catch (e) {
-  // dotenv is optional — only warn if it’s missing
   console.warn('[securenow] dotenv not found or failed to load');
 }
 
-// then run the real tracer preload
+// 2. Auto-register the ESM loader hook so customers never need --import
+(() => {
+  try {
+    const fs = require('fs');
+    const path = require('path');
+    const pkgPath = path.resolve(process.cwd(), 'package.json');
+    if (!fs.existsSync(pkgPath)) return;
+
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    if (pkg.type !== 'module') return;
+
+    // Already registered via --import?
+    const execArgv = process.execArgv.join(' ');
+    if (execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle')) return;
+
+    // Node >=20.6 exposes module.register() for programmatic ESM hooks
+    const mod = require('node:module');
+    if (typeof mod.register !== 'function') {
+      console.warn('[securenow] ESM app detected but Node %s lacks module.register().', process.version);
+      console.warn('[securenow]    Upgrade to Node >=20.6 or add: --import @opentelemetry/instrumentation/hook.mjs');
+      return;
+    }
+
+    const { pathToFileURL } = require('node:url');
+    mod.register('@opentelemetry/instrumentation/hook.mjs', pathToFileURL(__filename));
+    console.log('[securenow] ESM loader hook auto-registered (module.register)');
+  } catch (_) {
+    // Non-fatal — tracing.js will show its own ESM warning if the hook is missing
+  }
+})();
+
+// 3. Run the OTel SDK setup
 require('./tracing');

package/resolve-ip.js

@@ -0,0 +1,77 @@
+'use strict';
+
+const os = require('os');
+
+const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
+const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+
+const trustedProxyCsv = (process.env.SECURENOW_TRUSTED_PROXIES || '').trim();
+const trustedProxySet = trustedProxyCsv
+  ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean))
+  : null;
+
+let _hostIp = null;
+function getHostIp() {
+  if (_hostIp !== null) return _hostIp;
+  try {
+    const ifaces = os.networkInterfaces();
+    for (const name of Object.keys(ifaces)) {
+      for (const iface of ifaces[name]) {
+        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
+      }
+    }
+  } catch (_) {}
+  _hostIp = '';
+  return _hostIp;
+}
+
+function isFromTrustedProxy(socketIp) {
+  if (!socketIp) return false;
+  const normalized = socketIp.replace(/^::ffff:/, '');
+  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
+  return PRIVATE_IP_RE.test(socketIp);
+}
+
+/**
+ * Resolve the real client IP from an HTTP request, respecting trusted proxies.
+ * Reads X-Forwarded-For / X-Real-IP only when the direct connection comes
+ * from a private/trusted proxy IP. Prevents client-side IP spoofing.
+ */
+function resolveClientIp(request) {
+  const socketIp = request.socket?.remoteAddress || '';
+  if (!isFromTrustedProxy(socketIp)) return socketIp;
+
+  const fwd = request.headers['x-forwarded-for'];
+  if (fwd) {
+    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
+    for (let i = chain.length - 1; i >= 0; i--) {
+      if (!isFromTrustedProxy(chain[i])) return chain[i];
+    }
+    return socketIp;
+  }
+  const headerIp = request.headers['x-real-ip'];
+  if (headerIp) return headerIp;
+
+  if (LOOPBACK_RE.test(socketIp)) {
+    const hostIp = getHostIp();
+    if (hostIp) return hostIp;
+  }
+  return socketIp;
+}
+
+/**
+ * Resolve IP from a raw TCP socket (no HTTP headers available).
+ * Normalizes IPv6-mapped IPv4 addresses.
+ */
+function resolveSocketIp(socket) {
+  const raw = socket?.remoteAddress || '';
+  return raw.replace(/^::ffff:/, '');
+}
+
+module.exports = {
+  resolveClientIp,
+  resolveSocketIp,
+  isFromTrustedProxy,
+  LOOPBACK_RE,
+  PRIVATE_IP_RE,
+};

package/tracing.d.ts

@@ -112,7 +112,7 @@ export interface LoggerProvider {
 }
 
 /**
- * Get a logger instance for sending structured logs to SigNoz
+ * Get a logger instance for sending structured logs to any OTLP-compatible backend
  * 
  * @param name - Logger name (e.g., 'my-service', 'auth-module')
  * @param version - Logger version (optional, defaults to '1.0.0')
@@ -178,5 +178,6 @@ export const loggerProvider: LoggerProvider | null;
  * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2
  * - OTEL_LOG_LEVEL=info|debug
  * - SECURENOW_TEST_SPAN=1
+ * - SECURENOW_TRUSTED_PROXIES=ip1,ip2       # Additional trusted proxy IPs for X-Forwarded-For
  * - OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=...    # Override logs endpoint
  */