securenow 7.0.0-anas.3 → 7.1.0

package/app-config.js

@@ -14,6 +14,10 @@
  *   - What human label to show?     (resolveAppName) — display only, never
  *                                     sent to the collector.
  *   - Which OTLP collector to hit?  (resolveInstance)
+ *   - Which firewall API key?       (resolveApiKey) — the snk_live_... key the
+ *                                     firewall sends as Bearer to /api/firewall
+ *                                     for blocklist sync. Separate from the
+ *                                     app routing key: this one is user-scoped.
  *
  * Resolution order (first non-empty wins):
  *
@@ -25,7 +29,7 @@
  *   5. Hard default / null
  *
  * Credentials file schema:
- *   { token, email, expiresAt, app: { key: <uuid>, name: <display>, instance } }
+ *   { token, email, expiresAt, apiKey: <snk_live_...>, app: { key, name, instance } }
  */
 
 const fs = require('fs');
@@ -112,6 +116,21 @@ function resolveAppId() {
   return resolveAppKey() || resolveAppName();
 }
 
+// Firewall / user-scoped API key (snk_live_...).
+// Distinct from resolveAppKey: that one is the application UUID for OTel
+// routing. This one authenticates the firewall blocklist sync to /api/firewall,
+// so it must look like a real `snk_live_` key — the app UUID won't pass auth.
+function resolveApiKey() {
+  const fromEnv = pick(process.env.SECURENOW_API_KEY);
+  if (fromEnv && fromEnv.startsWith('snk_live_')) return fromEnv;
+
+  const creds = loadCredentials();
+  const fromCreds = creds && pick(creds.apiKey);
+  if (fromCreds && fromCreds.startsWith('snk_live_')) return fromCreds;
+
+  return null;
+}
+
 function resolveInstance() {
   const fromEnv =
     pick(process.env.SECURENOW_INSTANCE) ||
@@ -143,6 +162,7 @@ module.exports = {
   resolveAppKey,
   resolveAppName,
   resolveAppId,
+  resolveApiKey,
   resolveInstance,
   resolveAll,
   loadCredentials,

package/cli/apiKey.js

@@ -0,0 +1,55 @@
+'use strict';
+
+const config = require('./config');
+const ui = require('./ui');
+
+function maskKey(key) {
+  if (!key || key.length < 16) return key || '';
+  return `${key.slice(0, 12)}••••••${key.slice(-4)}`;
+}
+
+async function set(args, flags) {
+  const key = args[0];
+  if (!key) {
+    ui.error('API key is required. Usage: securenow api-key set <snk_live_...>');
+    process.exit(1);
+  }
+  if (!key.startsWith('snk_live_')) {
+    ui.error('API key must start with "snk_live_"');
+    ui.info('Create one in the dashboard: Settings → API Keys');
+    process.exit(1);
+  }
+
+  const local = flags.global ? false : true;
+  config.setApiKey(key, { local });
+  if (local) config.ensureLocalGitignore();
+
+  ui.success(`API key saved (${maskKey(key)})`);
+  ui.info(local
+    ? 'Stored in project .securenow/credentials.json (local)'
+    : 'Stored in ~/.securenow/credentials.json (global)');
+  ui.info('The firewall will now pick it up automatically — no SECURENOW_API_KEY env var needed.');
+}
+
+async function clear(args, flags) {
+  const local = flags.global ? false : true;
+  const existing = config.getApiKey();
+  config.clearApiKey({ local });
+  if (existing) {
+    ui.success(`Cleared API key (${maskKey(existing)})`);
+  } else {
+    ui.info('No API key was stored');
+  }
+}
+
+async function show() {
+  const key = config.getApiKey();
+  if (!key) {
+    ui.info('No API key stored in credentials. Falling back to SECURENOW_API_KEY env var.');
+    return;
+  }
+  console.log(maskKey(key));
+  ui.info(`Source: ${config.getAuthSource()}`);
+}
+
+module.exports = { set, clear, show };

package/cli/auth.js

@@ -45,6 +45,7 @@ async function loginWithBrowser() {
   return new Promise((resolve, reject) => {
     let pendingToken = null;
     let pendingApp = null;
+    let pendingApiKey = null;
 
     const server = http.createServer((req, res) => {
       const url = new URL(req.url, `http://127.0.0.1`);
@@ -56,6 +57,7 @@ async function loginWithBrowser() {
         const appKey = url.searchParams.get('app_key');
         const appName = url.searchParams.get('app_name');
         const appInstance = url.searchParams.get('app_instance');
+        const apiKey = url.searchParams.get('api_key');
 
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
 
@@ -82,6 +84,9 @@ async function loginWithBrowser() {
               instance: appInstance || null,
             };
           }
+          if (apiKey && apiKey.startsWith('snk_live_')) {
+            pendingApiKey = apiKey;
+          }
           const payload = decodeJwtPayload(token);
           const email = payload?.email || 'unknown account';
           const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
@@ -139,10 +144,12 @@ async function loginWithBrowser() {
         res.end('{"ok":true}');
         const token = pendingToken;
         const app = pendingApp;
+        const apiKeyFromLogin = pendingApiKey;
         pendingToken = null;
         pendingApp = null;
+        pendingApiKey = null;
         server.close();
-        resolve({ token, app });
+        resolve({ token, app, apiKey: apiKeyFromLogin });
         return;
       }
 
@@ -219,12 +226,13 @@ async function login(args, flags) {
   }
 
   try {
-    const { token, app } = await loginWithBrowser();
+    const { token, app, apiKey } = await loginWithBrowser();
     const payload = decodeJwtPayload(token);
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
     config.setAuth(token, email, exp, { local, app });
+    if (apiKey) config.setApiKey(apiKey, { local });
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
@@ -232,6 +240,9 @@ async function login(args, flags) {
     if (app && (app.name || app.key)) {
       ui.info(`Linked to app ${ui.c.bold(app.name || app.key)}${app.key ? ` (${ui.c.dim(app.key)})` : ''}`);
     }
+    if (apiKey) {
+      ui.info(`Firewall API key saved — the firewall will activate automatically on next start`);
+    }
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
       ui.info(`Session expires in ${days} days`);

package/cli/config.js

@@ -135,6 +135,27 @@ function getApp() {
   return creds && creds.app ? creds.app : null;
 }
 
+function setApiKey(apiKey, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const existing = loadJSON(targetFile);
+  saveJSON(targetFile, { ...existing, apiKey });
+}
+
+function clearApiKey({ local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const existing = loadJSON(targetFile);
+  if (!existing || !existing.apiKey) return;
+  delete existing.apiKey;
+  saveJSON(targetFile, existing);
+}
+
+function getApiKey() {
+  const creds = loadCredentials();
+  return creds && creds.apiKey ? creds.apiKey : null;
+}
+
 function setApp(app, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
@@ -193,6 +214,9 @@ module.exports = {
   setAuth,
   getApp,
   setApp,
+  setApiKey,
+  clearApiKey,
+  getApiKey,
   getAuthSource,
   hasLocalCredentials,
   ensureLocalGitignore,

package/cli/diagnostics.js

@@ -25,7 +25,9 @@ function resolvedConfig() {
       ? `${process.env.OTEL_EXPORTER_OTLP_ENDPOINT.replace(/\/$/, '')}/v1/logs`
       : `${instance.replace(/\/$/, '')}/v1/logs`);
   const headers = process.env.OTEL_EXPORTER_OTLP_HEADERS || '';
-  const apiKey = process.env.SECURENOW_API_KEY || '';
+  // Resolve firewall API key the same way the SDK does: env, then
+  // .securenow/credentials.json (project-local, then global).
+  const apiKey = require('../app-config').resolveApiKey() || '';
   const apiUrl = config.getApiUrl();
   const loggingEnabled = !/^(0|false)$/i.test(String(process.env.SECURENOW_LOGGING_ENABLED ?? ''));
   const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));

package/cli.js

@@ -73,6 +73,30 @@ const COMMANDS = {
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
   },
+  'api-key': {
+    desc: 'Manage the firewall API key stored in .securenow/credentials.json',
+    usage: 'securenow api-key <subcommand> [options]',
+    sub: {
+      set: {
+        desc: 'Save an API key (snk_live_...) to the credentials file',
+        usage: 'securenow api-key set <snk_live_...> [--global]',
+        flags: { global: 'Save to ~/.securenow/ instead of project-local' },
+        run: (a, f) => require('./cli/apiKey').set(a, f),
+      },
+      clear: {
+        desc: 'Remove the stored API key',
+        usage: 'securenow api-key clear [--global]',
+        flags: { global: 'Clear from ~/.securenow/ instead of project-local' },
+        run: (a, f) => require('./cli/apiKey').clear(a, f),
+      },
+      show: {
+        desc: 'Print the masked API key currently in use',
+        usage: 'securenow api-key show',
+        run: () => require('./cli/apiKey').show(),
+      },
+    },
+    defaultSub: 'show',
+  },
   apps: {
     desc: 'Manage applications',
     usage: 'securenow apps <subcommand> [options]',

package/firewall-only.js

@@ -8,7 +8,7 @@
  *   NODE_OPTIONS='-r securenow/firewall-only' next start
  *
  * Reads .env via dotenv (if installed), then initialises the HTTP-level
- * firewall when SECURENOW_API_KEY is present.
+ * firewall when an API key is resolvable (env var or .securenow/credentials.json).
  */
 
 try { require('dotenv').config(); } catch (_) {}
@@ -16,7 +16,8 @@ try { require('dotenv').config(); } catch (_) {}
 const env = (k) =>
   process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
 
-const firewallApiKey = env('SECURENOW_API_KEY');
+const { resolveApiKey } = require('./app-config');
+const firewallApiKey = resolveApiKey();
 
 if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
   require('./firewall').init({

package/nextjs.js

@@ -610,8 +610,10 @@ function registerSecureNow(options = {}) {
     }
   }
 
-  // Firewall — runs independently from OTel so it works even if tracing fails
-  const firewallApiKey = env('SECURENOW_API_KEY');
+  // Firewall — runs independently from OTel so it works even if tracing fails.
+  // Key comes from env OR .securenow/credentials.json (set via
+  // `npx securenow api-key set snk_live_...`), so you don't need a .env entry.
+  const firewallApiKey = require('./app-config').resolveApiKey();
   if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
     try {
       require('./firewall').init({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.0.0-anas.3",
+  "version": "7.1.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",