securenow 6.1.0 → 7.0.0-anas

package/app-config.js

@@ -0,0 +1,130 @@
+'use strict';
+
+/**
+ * Shared app-configuration resolver.
+ *
+ * Used by both the SDK (tracing.js, nextjs.js, nuxt-server-plugin.mjs) and
+ * the CLI to answer three questions with a single source of truth:
+ *
+ *   - Which app key routes this telemetry?  (resolveAppKey)
+ *   - What service.name label to show?      (resolveAppId)
+ *   - Which OTLP collector to hit?          (resolveInstance)
+ *
+ * Resolution order (first non-empty wins):
+ *
+ *   1. Explicit environment variable
+ *      (SECURENOW_API_KEY / SECURENOW_APPID / SECURENOW_INSTANCE)
+ *   2. Project-local credentials  (./.securenow/credentials.json)
+ *   3. Global credentials         (~/.securenow/credentials.json)
+ *   4. package.json#name (for appId only)
+ *   5. Hard default / null
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const FREE_TRIAL_INSTANCE = 'https://freetrial.securenow.ai:4318';
+
+function readJsonSafe(filepath) {
+  try {
+    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function loadLocalCredentials() {
+  try {
+    const cwd = typeof process !== 'undefined' && process.cwd ? process.cwd() : '.';
+    return readJsonSafe(path.join(cwd, '.securenow', 'credentials.json'));
+  } catch {
+    return null;
+  }
+}
+
+function loadGlobalCredentials() {
+  try {
+    return readJsonSafe(path.join(os.homedir(), '.securenow', 'credentials.json'));
+  } catch {
+    return null;
+  }
+}
+
+function loadCredentials() {
+  return loadLocalCredentials() || loadGlobalCredentials() || null;
+}
+
+function loadPackageJsonName() {
+  try {
+    const cwd = typeof process !== 'undefined' && process.cwd ? process.cwd() : '.';
+    const pkg = readJsonSafe(path.join(cwd, 'package.json'));
+    if (pkg && typeof pkg.name === 'string' && pkg.name.trim()) {
+      return pkg.name.trim().replace(/^@[^/]+\//, '');
+    }
+  } catch {}
+  return null;
+}
+
+function pick(value) {
+  if (value === undefined || value === null) return null;
+  const str = String(value).trim();
+  return str.length > 0 ? str : null;
+}
+
+function resolveAppKey() {
+  const fromEnv =
+    pick(process.env.SECURENOW_API_KEY) ||
+    pick(process.env.securenow);
+  if (fromEnv) return fromEnv;
+
+  const creds = loadCredentials();
+  if (creds && creds.app && pick(creds.app.key)) return pick(creds.app.key);
+  return null;
+}
+
+function resolveAppId() {
+  const fromEnv =
+    pick(process.env.OTEL_SERVICE_NAME) ||
+    pick(process.env.SECURENOW_APPID);
+  if (fromEnv) return fromEnv;
+
+  const creds = loadCredentials();
+  if (creds && creds.app && pick(creds.app.id)) return pick(creds.app.id);
+
+  return loadPackageJsonName();
+}
+
+function resolveInstance() {
+  const fromEnv =
+    pick(process.env.SECURENOW_INSTANCE) ||
+    pick(process.env.securenow_instance) ||
+    pick(process.env.OTEL_EXPORTER_OTLP_ENDPOINT);
+  if (fromEnv) return fromEnv.replace(/\/$/, '');
+
+  const creds = loadCredentials();
+  if (creds && creds.app && pick(creds.app.instance)) {
+    return pick(creds.app.instance).replace(/\/$/, '');
+  }
+  return FREE_TRIAL_INSTANCE;
+}
+
+function resolveAll() {
+  return {
+    appKey: resolveAppKey(),
+    appId: resolveAppId(),
+    instance: resolveInstance(),
+  };
+}
+
+module.exports = {
+  FREE_TRIAL_INSTANCE,
+  resolveAppKey,
+  resolveAppId,
+  resolveInstance,
+  resolveAll,
+  loadCredentials,
+  loadLocalCredentials,
+  loadGlobalCredentials,
+  loadPackageJsonName,
+};

package/cli/apps.js

@@ -295,7 +295,30 @@ async function setDefault(args) {
     process.exit(1);
   }
   config.setConfigValue('defaultApp', key);
-  ui.success(`Default application set to ${ui.c.bold(key)}`);
+
+  // Mirror into credentials.json so the SDK picks this app up with zero env vars.
+  try {
+    requireAuth();
+    const appData = await api.get(`/applications/${key}`);
+    const app = appData.application || appData;
+    let inst = null;
+    if (app.instanceId) {
+      try {
+        const instData = await api.get(`/instances/${app.instanceId}`);
+        inst = instData.instance || null;
+      } catch {}
+    }
+    config.setApp({
+      key: app.key,
+      id: app.name || app.key,
+      instance: instanceUrl(inst),
+    });
+    ui.success(`Default application set to ${ui.c.bold(app.name || key)}`);
+    ui.info(`SDK will use ${ui.c.dim(instanceUrl(inst))} for telemetry`);
+  } catch {
+    // If we can't reach the API (offline / invalid key), still set the CLI default.
+    ui.success(`Default application set to ${ui.c.bold(key)}`);
+  }
 }
 
 function extractRootDomains(hosts) {

package/cli/auth.js

@@ -44,6 +44,7 @@ async function loginWithBrowser() {
 
   return new Promise((resolve, reject) => {
     let pendingToken = null;
+    let pendingApp = null;
 
     const server = http.createServer((req, res) => {
       const url = new URL(req.url, `http://127.0.0.1`);
@@ -52,6 +53,9 @@ async function loginWithBrowser() {
         const token = url.searchParams.get('token');
         const error = url.searchParams.get('error');
         const returnedState = url.searchParams.get('state');
+        const appKey = url.searchParams.get('app_key');
+        const appId = url.searchParams.get('app_id');
+        const appInstance = url.searchParams.get('app_instance');
 
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
 
@@ -71,6 +75,13 @@ async function loginWithBrowser() {
 
         if (token) {
           pendingToken = token;
+          if (appKey || appId || appInstance) {
+            pendingApp = {
+              key: appKey || null,
+              id: appId || null,
+              instance: appInstance || null,
+            };
+          }
           const payload = decodeJwtPayload(token);
           const email = payload?.email || 'unknown account';
           const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
@@ -127,9 +138,11 @@ async function loginWithBrowser() {
         res.writeHead(200, { 'Content-Type': 'application/json' });
         res.end('{"ok":true}');
         const token = pendingToken;
+        const app = pendingApp;
         pendingToken = null;
+        pendingApp = null;
         server.close();
-        resolve(token);
+        resolve({ token, app });
         return;
       }
 
@@ -183,7 +196,8 @@ async function loginWithToken(token) {
 }
 
 async function login(args, flags) {
-  const local = !!flags.local;
+  // Default is project-local. Pass --global to save to ~/.securenow/ instead.
+  const local = flags.global ? false : true;
 
   if (flags.token) {
     const token = flags.token;
@@ -196,7 +210,7 @@ async function login(args, flags) {
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
-    if (local) ui.info('Credentials saved to project .securenow/ (local)');
+    ui.info(local ? 'Credentials saved to project .securenow/ (local)' : 'Credentials saved to ~/.securenow/ (global)');
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -205,16 +219,19 @@ async function login(args, flags) {
   }
 
   try {
-    const token = await loginWithBrowser();
+    const { token, app } = await loginWithBrowser();
     const payload = decodeJwtPayload(token);
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp, { local });
+    config.setAuth(token, email, exp, { local, app });
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
-    if (local) ui.info('Credentials saved to project .securenow/ (local)');
+    ui.info(local ? 'Credentials saved to project .securenow/ (local)' : 'Credentials saved to ~/.securenow/ (global)');
+    if (app && app.id) {
+      ui.info(`Linked to app ${ui.c.bold(app.id)}${app.key ? ` (${ui.c.dim(app.key)})` : ''}`);
+    }
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);
@@ -235,7 +252,8 @@ async function login(args, flags) {
 }
 
 async function logout(args, flags) {
-  const local = flags ? flags.local : undefined;
+  // Default: clear project-local. --global clears ~/.securenow/.
+  const local = !(flags && flags.global);
   const creds = config.loadCredentials();
   config.clearCredentials({ local });
   if (creds.email) {
@@ -243,7 +261,7 @@ async function logout(args, flags) {
   } else {
     ui.success('Logged out');
   }
-  if (local) ui.info('Cleared project-local credentials');
+  ui.info(local ? 'Cleared project-local credentials (.securenow/)' : 'Cleared global credentials (~/.securenow/)');
 }
 
 async function whoami() {

package/cli/config.js

@@ -118,8 +118,35 @@ function getToken() {
   return creds.token;
 }
 
-function setAuth(token, email, expiresAt, { local = false } = {}) {
-  saveCredentials({ token, email, expiresAt }, { local });
+function setAuth(token, email, expiresAt, { local = false, app = null } = {}) {
+  const payload = { token, email, expiresAt };
+  if (app && (app.key || app.id || app.instance)) {
+    payload.app = {
+      key: app.key || null,
+      id: app.id || null,
+      instance: app.instance || null,
+    };
+  }
+  saveCredentials(payload, { local });
+}
+
+function getApp() {
+  const creds = loadCredentials();
+  return creds && creds.app ? creds.app : null;
+}
+
+function setApp(app, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const existing = loadJSON(targetFile);
+  saveJSON(targetFile, {
+    ...existing,
+    app: {
+      key: app.key || null,
+      id: app.id || null,
+      instance: app.instance || null,
+    },
+  });
 }
 
 function ensureLocalGitignore() {
@@ -164,6 +191,8 @@ module.exports = {
   clearCredentials,
   getToken,
   setAuth,
+  getApp,
+  setApp,
   getAuthSource,
   hasLocalCredentials,
   ensureLocalGitignore,

package/cli/diagnostics.js

@@ -27,8 +27,8 @@ function resolvedConfig() {
   const headers = process.env.OTEL_EXPORTER_OTLP_HEADERS || '';
   const apiKey = process.env.SECURENOW_API_KEY || '';
   const apiUrl = config.getApiUrl();
-  const loggingEnabled = process.env.SECURENOW_LOGGING_ENABLED !== '0';
-  const captureBody = process.env.SECURENOW_CAPTURE_BODY === '1';
+  const loggingEnabled = !/^(0|false)$/i.test(String(process.env.SECURENOW_LOGGING_ENABLED ?? ''));
+  const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
   const firewallEnabled =
     !!apiKey && process.env.SECURENOW_FIREWALL_ENABLED !== '0';
 

package/cli.js

@@ -54,15 +54,18 @@ const COMMANDS = {
     run: (a, f) => require('./cli/init').init(a, f),
   },
   login: {
-    desc: 'Authenticate with SecureNow',
-    usage: 'securenow login [--token <TOKEN>] [--local]',
-    flags: { token: 'Authenticate with a token directly', local: 'Save credentials to this project only (.securenow/)' },
+    desc: 'Authenticate with SecureNow (saves to project .securenow/ by default)',
+    usage: 'securenow login [--token <TOKEN>] [--global]',
+    flags: {
+      token: 'Authenticate with a token directly',
+      global: 'Save credentials to ~/.securenow/ (shared across all projects)',
+    },
     run: (a, f) => require('./cli/auth').login(a, f),
   },
   logout: {
     desc: 'Clear stored credentials',
-    usage: 'securenow logout [--local]',
-    flags: { local: 'Clear project-local credentials only' },
+    usage: 'securenow logout [--global]',
+    flags: { global: 'Clear global credentials (~/.securenow/) instead of project-local' },
     run: (a, f) => require('./cli/auth').logout(a, f),
   },
   whoami: {

package/console-instrumentation.js

@@ -24,7 +24,7 @@
 const tracing = require('./tracing');
 
 if (!tracing.isLoggingEnabled()) {
-  console.warn('[securenow] Console instrumentation loaded but logging is not enabled. Set SECURENOW_LOGGING_ENABLED=1 to enable.');
+  console.warn('[securenow] Console instrumentation loaded but logging is disabled (SECURENOW_LOGGING_ENABLED=0).');
 }
 
 // Get a logger instance

package/nextjs-auto-capture.js

@@ -125,9 +125,8 @@ async function safeBodyCapture(request, span) {
  * Check if body capture is enabled
  */
 function isBodyCaptureEnabled() {
-  const enabled = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
-                  String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
-  return enabled;
+  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 to disable.
+  return !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
 }
 
 /**
@@ -184,7 +183,7 @@ if (isBodyCaptureEnabled()) {
     console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
   }
 } else {
-  console.log('[securenow] 📝 Automatic body capture: DISABLED (set SECURENOW_CAPTURE_BODY=1 to enable)');
+  console.log('[securenow] 📝 Automatic body capture: DISABLED (SECURENOW_CAPTURE_BODY=0)');
 }
 
 module.exports = {

package/nextjs-wrapper.js

@@ -49,8 +49,8 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
  * Capture body from Request object (clone to avoid consuming)
  */
 async function captureRequestBody(request) {
-  const captureBody = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
-                      String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
+  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 to disable.
+  const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
   
   if (!captureBody) return;
   if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;

package/nextjs.js

@@ -144,13 +144,11 @@ function registerSecureNow(options = {}) {
     console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
 
     // -------- Configuration --------
-    const rawBase = (
-      options.serviceName || 
-      env('OTEL_SERVICE_NAME') || 
-      env('SECURENOW_APPID') || 
-      ''
-    ).trim().replace(/^['"]|['"]$/g, '');
-    
+    // Resolution order: explicit options → env → .securenow/credentials.json → package.json#name
+    const appConfig = require('./app-config');
+    const resolvedApp = appConfig.resolveAll();
+
+    const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
     const baseName = rawBase || null;
     const noUuid = options.noUuid ?? (String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
 
@@ -160,17 +158,18 @@ function registerSecureNow(options = {}) {
       serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
     } else {
       serviceName = `nextjs-app-${randomUUID()}`;
-      console.warn('[securenow] ⚠️  No SECURENOW_APPID or OTEL_SERVICE_NAME provided. Using fallback: %s', serviceName);
-      console.warn('[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env.local for better tracking');
+      console.warn('[securenow] ⚠️  No app identity resolved. Using fallback: %s', serviceName);
+      console.warn('[securenow] 💡 Run `npx securenow login` or set SECURENOW_APPID in .env.local');
     }
 
     // -------- Endpoint Configuration --------
-    const endpointBase = (
-      options.endpoint || 
-      env('SECURENOW_INSTANCE') || 
-      env('OTEL_EXPORTER_OTLP_ENDPOINT') || 
-      'https://freetrial.securenow.ai:4318'
-    ).replace(/\/$/, '');
+    const endpointBase = (options.endpoint || resolvedApp.instance).replace(/\/$/, '');
+
+    // If credentials file provided an app key, surface it via x-api-key for collector routing.
+    if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
+      process.env.SECURENOW_API_KEY = resolvedApp.appKey;
+      process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
+    }
     
     const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
     const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
@@ -182,9 +181,8 @@ function registerSecureNow(options = {}) {
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
 
     // -------- Body Capture Configuration --------
-    const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || 
-                       String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
-                       options.captureBody === true;
+    // Opt-out default: set SECURENOW_CAPTURE_BODY=0 (or options.captureBody=false) to disable.
+    const captureBody = options.captureBody ?? !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
     const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
@@ -461,7 +459,8 @@ function registerSecureNow(options = {}) {
       console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
 
       // -------- Logging (self-hosted only) --------
-      const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+      // Opt-out default: set SECURENOW_LOGGING_ENABLED=0 to disable.
+      const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
       if (loggingEnabled) {
         try {
           const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
@@ -565,7 +564,7 @@ function registerSecureNow(options = {}) {
           console.warn('[securenow] ⚠️  Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
         }
       } else {
-        console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
+        console.log('[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)');
       }
     }
 

package/nuxt-server-plugin.mjs

@@ -18,6 +18,10 @@ import {
   SpanStatusCode,
 } from '@opentelemetry/api';
 import { v4 as uuidv4 } from 'uuid';
+import { createRequire } from 'node:module';
+
+const nodeRequire = createRequire(import.meta.url);
+const appConfig = nodeRequire('./app-config');
 
 // ── Helpers ──
 
@@ -73,14 +77,11 @@ function getRuntimeOptions() {
 export default defineNitroPlugin((nitroApp) => {
   const opts = getRuntimeOptions();
 
-  // ── Naming ──
-  const rawBase = (
-    opts.serviceName ||
-    env('OTEL_SERVICE_NAME') ||
-    env('SECURENOW_APPID') ||
-    ''
-  ).trim().replace(/^['"]|['"]$/g, '');
+  // Resolution order: opts → env → .securenow/credentials.json → package.json#name
+  const resolvedApp = appConfig.resolveAll();
 
+  // ── Naming ──
+  const rawBase = (opts.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
   const baseName = rawBase || null;
   const noUuid =
     opts.noUuid ??
@@ -93,23 +94,24 @@ export default defineNitroPlugin((nitroApp) => {
   } else {
     serviceName = `nuxt-app-${uuidv4()}`;
     console.warn(
-      '[securenow] ⚠️  No SECURENOW_APPID set. Using fallback: %s',
+      '[securenow] ⚠️  No app identity resolved. Using fallback: %s',
       serviceName,
     );
     console.warn(
-      '[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env for better tracking',
+      '[securenow] 💡 Run `npx securenow login` or set SECURENOW_APPID in .env',
     );
   }
 
   const serviceInstanceId = `${baseName || 'securenow'}-${uuidv4()}`;
 
   // ── Endpoints ──
-  const endpointBase = (
-    opts.endpoint ||
-    env('SECURENOW_INSTANCE') ||
-    env('OTEL_EXPORTER_OTLP_ENDPOINT') ||
-    'https://freetrial.securenow.ai:4318'
-  ).replace(/\/$/, '');
+  const endpointBase = (opts.endpoint || resolvedApp.instance).replace(/\/$/, '');
+
+  // Surface credentials-file app key as x-api-key for collector routing.
+  if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
+    process.env.SECURENOW_API_KEY = resolvedApp.appKey;
+    process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
+  }
 
   const tracesUrl =
     env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
@@ -129,10 +131,10 @@ export default defineNitroPlugin((nitroApp) => {
   });
 
   // ── Body capture config ──
+  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 (or opts.captureBody=false) to disable.
   const captureBody =
     opts.captureBody ??
-    (String(env('SECURENOW_CAPTURE_BODY')) === '1' ||
-      String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true');
+    !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
   const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
   const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '')
     .split(',')
@@ -238,10 +240,10 @@ export default defineNitroPlugin((nitroApp) => {
   );
 
   // ── Logging ──
+  // Opt-out default: set SECURENOW_LOGGING_ENABLED=0 (or opts.logging=false) to disable.
   const loggingEnabled =
     opts.logging ??
-    (String(env('SECURENOW_LOGGING_ENABLED')) === '1' ||
-      String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true');
+    !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
 
   let loggerProvider = null;
 
@@ -302,7 +304,7 @@ export default defineNitroPlugin((nitroApp) => {
     }
   } else {
     console.log(
-      '[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)',
+      '[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)',
     );
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "6.1.0",
+  "version": "7.0.0-anas",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -94,6 +94,9 @@
     "./web-vite": {
       "import": "./web-vite.mjs",
       "default": "./web-vite.mjs"
+    },
+    "./app-config": {
+      "default": "./app-config.js"
     }
   },
   "files": [
@@ -127,6 +130,7 @@
     "postinstall.js",
     "register-vite.js",
     "web-vite.mjs",
+    "app-config.js",
     "examples/",
     "docs/",
     "README.md",
@@ -153,29 +157,11 @@
     "@opentelemetry/sdk-node": "0.47.0",
     "@opentelemetry/sdk-trace-web": "1.20.0",
     "@opentelemetry/semantic-conventions": "1.20.0",
-    "@vercel/otel": "^1.14.0",
     "dotenv": "^17.2.1",
     "uuid": "^9.0.0"
   },
-  "peerDependencies": {
-    "next": ">=13.0.0",
-    "nuxt": ">=3.0.0",
-    "@aws-sdk/client-wafv2": ">=3.0.0",
-    "@google-cloud/compute": ">=4.0.0"
-  },
-  "peerDependenciesMeta": {
-    "next": {
-      "optional": true
-    },
-    "nuxt": {
-      "optional": true
-    },
-    "@aws-sdk/client-wafv2": {
-      "optional": true
-    },
-    "@google-cloud/compute": {
-      "optional": true
-    }
+  "optionalDependencies": {
+    "@vercel/otel": "^1.14.0"
   },
   "overrides": {
     "@opentelemetry/api": "1.7.0",

package/postinstall.js

@@ -11,6 +11,35 @@ const fs = require('fs');
 const path = require('path');
 const readline = require('readline');
 
+// Make sure `.securenow/` is in the project's .gitignore so credentials never get committed.
+function ensureGitignore() {
+  try {
+    // Skip if we're not in an npm install of a user project
+    // (e.g., securenow's own CI, or nested install under another node_modules).
+    const cwd = process.cwd();
+    if (!fs.existsSync(path.join(cwd, 'package.json'))) return;
+    if (cwd.includes(`${path.sep}node_modules${path.sep}`)) return;
+
+    const gitignorePath = path.join(cwd, '.gitignore');
+    const entry = '.securenow/';
+    const header = '# SecureNow local credentials';
+
+    if (fs.existsSync(gitignorePath)) {
+      const content = fs.readFileSync(gitignorePath, 'utf8');
+      const alreadyListed = content.split('\n').some((line) => line.trim() === entry);
+      if (!alreadyListed) {
+        const prefix = content.endsWith('\n') ? '' : '\n';
+        fs.appendFileSync(gitignorePath, `${prefix}\n${header}\n${entry}\n`);
+      }
+    } else if (fs.existsSync(path.join(cwd, '.git'))) {
+      // Only create a new .gitignore if this is actually a git repo.
+      fs.writeFileSync(gitignorePath, `${header}\n${entry}\n`);
+    }
+  } catch {
+    // Non-fatal
+  }
+}
+
 // Check if we're in a Next.js project
 function isNextJsProject() {
   try {
@@ -81,9 +110,8 @@ export function register() {
  *   OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-key"
  *   OTEL_LOG_LEVEL=info
  *   
- * Optional: Enable request body capture
- *   SECURENOW_CAPTURE_BODY=1
- *   (Also create middleware.ts to activate - run: npx securenow init)
+ * Optional: Disable request body capture (enabled by default)
+ *   SECURENOW_CAPTURE_BODY=0
  */
 `;
   
@@ -160,8 +188,8 @@ SECURENOW_INSTANCE=http://your-otlp-backend:4318
 # Optional: Log level (debug|info|warn|error)
 # OTEL_LOG_LEVEL=info
 
-# Optional: Enable request body capture (requires middleware.ts)
-# SECURENOW_CAPTURE_BODY=1
+# Optional: Disable request body capture (enabled by default)
+# SECURENOW_CAPTURE_BODY=0
 # SECURENOW_MAX_BODY_SIZE=10240
 # SECURENOW_SENSITIVE_FIELDS=email,phone
 `;
@@ -176,6 +204,9 @@ function isTypeScriptProject() {
 
 // Main setup function
 async function setup() {
+  // Always make sure .securenow/ is gitignored (cheap, non-destructive).
+  ensureGitignore();
+
   // Skip if not in Next.js project
   if (!isNextJsProject()) {
     console.log('[securenow] Not a Next.js project, skipping auto-setup');
@@ -271,9 +302,6 @@ async function setup() {
         console.log('│  1. Edit .env.local and set:                   │');
         console.log('│     SECURENOW_APPID=your-app-name              │');
         console.log('│     SECURENOW_INSTANCE=http://your-otlp-backend:4318 │');
-        if (shouldCreateMiddleware) {
-          console.log('│     SECURENOW_CAPTURE_BODY=1                   │');
-        }
         console.log('│                                                 │');
         console.log('│  2. Run your app: npm run dev                  │');
         console.log('│                                                 │');

package/tracing.js

@@ -268,14 +268,25 @@ const diagLevel = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
   console.log('[securenow] preload loaded pid=%d', process.pid);
 })();
 
-// -------- endpoints --------
-const endpointBase = (env('SECURENOW_INSTANCE') || env('OTEL_EXPORTER_OTLP_ENDPOINT') || 'https://freetrial.securenow.ai:4318').replace(/\/$/, '');
+// -------- endpoints & app resolution --------
+// Resolution order for endpoint/appId/apiKey: env → .securenow/credentials.json → package.json#name → defaults.
+const appConfig = require('./app-config');
+const resolvedApp = appConfig.resolveAll();
+
+const endpointBase = resolvedApp.instance.replace(/\/$/, '');
 const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
 const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
+
+// If the credentials file provided an app key and no OTLP headers are set,
+// surface it as x-api-key so the collector can route telemetry to the right app bucket.
+if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
+  process.env.SECURENOW_API_KEY = resolvedApp.appKey;
+  process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
+}
 const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
 
 // -------- naming rules --------
-const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');
+const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 const noUuid   = String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true';
 const strict   = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
@@ -302,12 +313,11 @@ const instancePrefix   = baseName || 'securenow';
 const serviceInstanceId = `${instancePrefix}-${uuidv4()}`;
 
 // Loud line per worker to prove what was used
-console.log('[securenow] pid=%d SECURENOW_APPID=%s OTEL_SERVICE_NAME=%s SECURENOW_NO_UUID=%s SECURENOW_STRICT=%s → service.name=%s instance.id=%s',
+console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=%s instance.id=%s',
   process.pid,
-  JSON.stringify(env('SECURENOW_APPID')),
-  JSON.stringify(env('OTEL_SERVICE_NAME')),
-  JSON.stringify(env('SECURENOW_NO_UUID')),
-  JSON.stringify(env('SECURENOW_STRICT')),
+  JSON.stringify(baseName),
+  JSON.stringify(endpointBase),
+  resolvedApp.appKey ? 'set' : 'none',
   serviceName,
   serviceInstanceId
 );
@@ -319,12 +329,13 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 }
 
 // -------- Body Capture Configuration --------
-const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true';
+// Opt-out defaults: set =0 or =false to disable.
+const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
 const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
-const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || String(env('SECURENOW_CAPTURE_MULTIPART')).toLowerCase() === 'true';
+const captureMultipart = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_MULTIPART') ?? ''));
 
 // -------- Trusted proxy IP resolution --------
 const { resolveClientIp, isFromTrustedProxy, LOOPBACK_RE } = require('./resolve-ip');
@@ -445,7 +456,7 @@ const httpInstrumentation = new HttpInstrumentation({
           } else {
             span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
             span.setAttribute('http.request.body.type', 'multipart');
-            span.setAttribute('http.request.body.note', 'Set SECURENOW_CAPTURE_MULTIPART=1 to enable');
+            span.setAttribute('http.request.body.note', 'Multipart capture disabled (SECURENOW_CAPTURE_MULTIPART=0)');
           }
         }
       }
@@ -456,7 +467,8 @@ const httpInstrumentation = new HttpInstrumentation({
 });
 
 // -------- Logging Configuration --------
-const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+// Opt-out default: set =0 or =false to disable.
+const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
 
 // Create shared resource for both traces and logs
 const sharedResource = new Resource({
@@ -572,7 +584,7 @@ const sdk = new NodeSDK({
     if (loggingEnabled) {
       console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
     } else {
-      console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
+      console.log('[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)');
     }
     if (captureBody) {
       console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
@@ -636,7 +648,7 @@ module.exports = {
   loggerProvider,
   getLogger: (name = 'default', version = '1.0.0') => {
     if (!loggerProvider) {
-      console.warn('[securenow] Logging is not enabled. Set SECURENOW_LOGGING_ENABLED=1 to enable logging.');
+      console.warn('[securenow] Logging is disabled (SECURENOW_LOGGING_ENABLED=0). Remove the override to enable.');
       return null;
     }
     return loggerProvider.getLogger(name, version);