securenow 7.3.0 → 7.5.0

package/docs/ENVIRONMENT-VARIABLES.md

@@ -16,7 +16,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_INSTANCE** | Optional | `https://freetrial.securenow.ai:4318` | OTLP collector base URL |
 | **SECURENOW_API_KEY** | Optional | from credentials file | API key (same UUID as APPID). Enables firewall. |
 | **SECURENOW_LOGGING_ENABLED** | Optional | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| **SECURENOW_CAPTURE_BODY** | Optional | `1` (on) | Capture request body. Set to `0` for Fastify/Hapi/Hono. |
+| **SECURENOW_CAPTURE_BODY** | Optional | `1` (on) | Capture request body. Set to `0` only for a local stream conflict. |
 | **SECURENOW_CAPTURE_MULTIPART** | Optional | `1` (on) | Capture multipart field/file metadata. |
 | **SECURENOW_MAX_BODY_SIZE** | Optional | `10240` | Max body size in bytes |
 | **SECURENOW_SENSITIVE_FIELDS** | Optional | - | Comma-separated extra fields to redact |
@@ -288,11 +288,12 @@ export SECURENOW_LOGGING_ENABLED=0
 
 **Format:** `1` (enabled) or `0` (disabled)
 
-**Default:** `0` (disabled)
+**Default:** `1` (enabled)
 
 **Example:**
 ```bash
-export SECURENOW_CAPTURE_BODY=1
+# Default is enabled. Use this only to opt out:
+export SECURENOW_CAPTURE_BODY=0
 ```
 
 **Supported content types:**
@@ -300,8 +301,7 @@ export SECURENOW_CAPTURE_BODY=1
 - `application/x-www-form-urlencoded`
 - `application/graphql`
 
-**Not captured (unless separately enabled):**
-- `multipart/form-data` — requires `SECURENOW_CAPTURE_MULTIPART=1` (see below)
+**Not captured:**
 - Bodies larger than `SECURENOW_MAX_BODY_SIZE`
 
 **Security:**
@@ -373,11 +373,12 @@ export SECURENOW_SENSITIVE_FIELDS="custom_secret,private_data,internal_id"
 
 **Format:** `1` (enabled) or `0` (disabled)
 
-**Default:** `0` (disabled)
+**Default:** `1` (enabled)
 
 **Example:**
 ```bash
-export SECURENOW_CAPTURE_MULTIPART=1
+# Default is enabled. Use this only to opt out:
+export SECURENOW_CAPTURE_MULTIPART=0
 ```
 
 **What gets captured:**
@@ -405,7 +406,7 @@ export SECURENOW_CAPTURE_MULTIPART=1
 
 **Parts limit:** 100 parts maximum per request (safety guard).
 
-**Requires:** `SECURENOW_CAPTURE_BODY=1` must also be set (multipart capture is gated behind general body capture).
+**Relationship to body capture:** multipart metadata capture has its own opt-out flag. Leave `SECURENOW_CAPTURE_MULTIPART` unset, `1`, or `true` to keep it enabled.
 
 **Since:** v5.8.0
 
@@ -533,7 +534,7 @@ export NODE_ENV=test
 export SECURENOW_API_KEY=snk_live_a1b2c3d4e5f6...
 ```
 
-**v7.1.0+:** the firewall also reads this key from `.securenow/credentials.json` (written by `securenow login` with firewall enabled, or by `securenow api-key set`). The env var only wins if it starts with `snk_live_` — otherwise the credentials file is used, so you can rely on the file for local dev without unsetting any stray env var. Setting an app UUID here (the old pre-7.1 habit) is ignored for firewall auth and would produce silent 401s; always use a `snk_live_...` key.
+**v7.4.0+:** the firewall also reads this key from `.securenow/credentials.json` (written by `securenow login`, which enables the selected app firewall by default, or by `securenow api-key set`). The env var only wins if it starts with `snk_live_` — otherwise the credentials file is used, so you can rely on the file for local dev without unsetting any stray env var. Setting an app UUID here (the old pre-7.1 habit) is ignored for firewall auth and would produce silent 401s; always use a `snk_live_...` key.
 
 ---
 

package/docs/FIREWALL-GUIDE.md

@@ -47,10 +47,11 @@ All layers share the same in-memory blocklist, synced from the SecureNow API usi
 Two ways to get the firewall wired up — pick whichever fits:
 
 ```bash
-# (a) Zero-config (v7.1+): run login and choose "Enable firewall" in the browser.
-# The dashboard mints a key scoped firewall:read + blocklist:read + allowlist:read
-# and the CLI writes it to .securenow/credentials.json. No further config needed.
-npx securenow login
+# (a) Zero-config (v7.4+): run login, pick/create an app, and connect.
+# The selected app's firewall toggle is enabled automatically.
+# The dashboard mints a key scoped firewall:read + blocklist:read + allowlist:read
+# and the CLI writes it to .securenow/credentials.json. No further config needed.
+npx securenow login
 
 # (b) Already have a key? Drop it into the credentials file directly:
 npx securenow api-key set snk_live_abc123...

package/docs/MCP-GUIDE.md

@@ -0,0 +1,50 @@
+# SecureNow MCP Guide
+
+SecureNow ships an MCP server for agent clients such as Codex and Claude.
+
+## Local stdio MCP
+
+Use this when the agent is running on the same machine as your project:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+```
+
+You can also run the server directly:
+
+```bash
+npx -p securenow securenow-mcp
+```
+
+The local MCP server reads the same project-local `.securenow/credentials.json`
+as the CLI and SDK. No production deployment is required.
+
+## Hosted MCP
+
+For hosted clients, expose the secured API endpoint:
+
+```text
+https://api.securenow.ai/mcp
+```
+
+The hosted endpoint must be authenticated with `Authorization: Bearer ...`.
+It accepts SecureNow JWT sessions and `snk_live_...` API keys through the same
+API auth path used by the rest of SecureNow.
+
+## Security Model
+
+- Read tools require the matching `*:read` scope.
+- Write tools require the matching `*:write` scope or `applications:write` for
+  app firewall settings.
+- Write tools also require `confirm: true` and a non-empty `reason`.
+- Full tokens and API keys are never returned by tools or resources.
+- Hosted MCP validates browser origins and rate-limits requests.
+- Tool calls are proxied through existing API routes so tenant isolation and
+  scope enforcement stay centralized.
+
+## Tools
+
+The MCP exposes applications, traces, logs, firewall, IP intelligence,
+forensics, notifications, blocklist, allowlist, trusted IPs, analytics, bundled
+docs resources, and setup prompts.