securenow 7.4.0 → 7.5.0

package/NPM_README.md

@@ -23,6 +23,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - [Installation](#installation)
 - [Quick Start](#quick-start)
 - [CLI -- Command Line Interface](#cli--command-line-interface)
+- [MCP for Codex and Claude](#mcp-for-codex-and-claude)
 - [Framework-Specific Setup](#framework-specific-setup)
   - [Express.js](#expressjs)
   - [Next.js](#nextjs)
@@ -59,13 +60,13 @@ yarn add securenow
 
 ### 1. Automatic Setup (Recommended)
 
-Run login — it's a browser flow that picks an app and, since v7.1.0, also offers one-click firewall onboarding:
+Run login — it's a browser flow that picks or creates an app and connects the firewall automatically:
 
 ```bash
 npx securenow login
 ```
 
-During the browser step you can choose **Enable the Firewall?** — if you accept, the dashboard mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`) and the CLI writes it into `.securenow/credentials.json`. No env vars, no copy-pasting keys.
+During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
 
 For framework scaffolding (Next.js `instrumentation.ts`, etc.) use:
 
@@ -153,9 +154,8 @@ The `securenow` CLI gives you full access to the SecureNow platform from the ter
 
 ```bash
 # Log in (opens browser for OAuth + app picker)
-# Since v7.1.0 the browser flow also offers one-click firewall onboarding —
-# accept "Enable the Firewall?" to have the CLI mint and store the API key
-# in .securenow/credentials.json automatically (no env var needed).
+# The browser flow mints and stores the firewall API key automatically in
+# .securenow/credentials.json (no env var needed).
 npx securenow login
 
 # Or use a token for CI/headless environments
@@ -185,6 +185,21 @@ npx securenow init --key snk_live_abc123...
 
 For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript) and tells you how to update `next.config.js` with `withSecureNow()`. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
 
+### MCP for Codex and Claude
+
+SecureNow includes a local stdio MCP server that uses the same credentials and API client as the CLI:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or
+npx -p securenow securenow-mcp
+```
+
+The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason.
+
+For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
+
 ### Managing Applications
 
 ```bash
@@ -626,7 +641,7 @@ fastify.listen({ port: 3000 }, (err) => {
 });
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Fastify -- the body capture hook conflicts with Fastify's internal stream handling.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
 
 ---
 
@@ -749,7 +764,7 @@ const init = async () => {
 init().catch((err) => { console.error(err); process.exit(1); });
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Hapi -- the body capture hook consumes the request stream before Hapi's payload parser.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
 
 ---
 
@@ -893,7 +908,7 @@ serve({ fetch: app.fetch, port: 3000 }, () => console.log('Hono running on port
 node -r securenow/register app.mjs
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Hono. Do **not** add `require('securenow/register')` inside `.mjs` files.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. For Hono ESM apps, keep using the `node -r securenow/register app.mjs` preload instead of adding `require('securenow/register')` inside `.mjs` files.
 
 ---
 
@@ -1079,14 +1094,14 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Framework | Traces | Logs | Body Capture | Firewall | Notes |
 |-----------|--------|------|--------------|----------|-------|
 | Express | Yes | Yes | Yes | Yes | Fully compatible |
-| Fastify | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0` required |
+| Fastify | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
 | Koa | Yes | Yes | Yes | Yes | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | Yes | Use `-r ts-node/register` |
-| Hapi | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0` required |
+| Hapi | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
 | h3 | Yes | Yes | Yes | Yes | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | Yes | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
-| Hono | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0`; ESM `-r` flag |
+| Hono | Yes | Yes | Yes | Yes | Use ESM `-r` preload |
 | Feathers | Yes | Yes | Yes | Yes | Uses Express transport |
 | Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `withSecureNow()` |
 | Nuxt 3 | Yes | Yes | Yes | Yes | Use `securenow/nuxt` module |
@@ -1097,12 +1112,12 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 
 SecureNow can automatically block IPs from your blocklist at the application layer. No code changes -- just provide an API key (via `securenow login`, the `api-key` CLI, or env var) and the firewall activates.
 
-### Enable the Firewall
+### Firewall Is Enabled by Default
 
 Pick whichever fits your environment:
 
 ```bash
-# (a) Zero-config (v7.1+): login + opt in to the firewall in the browser.
+# (a) Zero-config (v7.4+): login picks/creates an app and connects the firewall.
 # Key is minted and written to .securenow/credentials.json automatically.
 npx securenow login
 
@@ -1237,16 +1252,16 @@ See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for the full reference.
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `1` to enable, `0` to disable. | `1` |
+| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `0` to disable. | `1` |
 
 #### Request Body Capture
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `SECURENOW_CAPTURE_BODY` | Enable request body capture in traces. Set to `1` to enable. | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture request bodies in traces. Set to `0` to disable. | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
-| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data capture. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `1` to enable. | `0` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data metadata. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `0` to disable. | `1` |
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1384,13 +1399,13 @@ node app.js
 
 ## Request Body Capture
 
-SecureNow can capture HTTP request bodies in traces for debugging purposes. This is disabled by default.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `SECURENOW_CAPTURE_BODY=0` only when you need a local opt-out.
 
-### Enable Body Capture
+### Body Capture Defaults
 
 ```bash
-export SECURENOW_CAPTURE_BODY=1
 export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
+# export SECURENOW_CAPTURE_BODY=0     # optional opt-out
 ```
 
 ### Supported Content Types
@@ -1398,11 +1413,11 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-- `multipart/form-data` (requires `SECURENOW_CAPTURE_MULTIPART=1`)
+- `multipart/form-data` (metadata capture is on unless `SECURENOW_CAPTURE_MULTIPART=0`)
 
 ### Multipart Body Capture (v5.8.0+)
 
-Enable with `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
+Multipart/form-data metadata capture is enabled by default. Set `SECURENOW_CAPTURE_MULTIPART=0` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
 
 **What gets captured:**
 - **Text fields** -- field name and value (up to 1000 chars), with sensitive fields auto-redacted
@@ -1731,10 +1746,11 @@ curl http://localhost:4318/v1/logs
 
 ### Request Body Not Captured
 
-**Check 1: Is body capture enabled?**
+**Check 1: Make sure body capture was not explicitly disabled**
 
 ```bash
-export SECURENOW_CAPTURE_BODY=1
+echo $SECURENOW_CAPTURE_BODY
+# Should be empty, 1, or true. Remove SECURENOW_CAPTURE_BODY=0 to re-enable defaults.
 ```
 
 **Check 2: Verify content type**
@@ -1915,7 +1931,7 @@ const dbLogger = getLogger('database', '1.0.0');
 const apiLogger = getLogger('api', '1.0.0');
 ```
 
-### 6. Enable Body Capture Only in Development
+### 6. Disable Body Capture Outside Development
 
 ```bash
 # .env.development

package/README.md

@@ -12,9 +12,9 @@ Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt — traces, logs, body
 # 1. Install
 npm install securenow
 
-# 2. Pick (or create) your app in the browser — writes .securenow/ locally.
-#    Since v7.1.0, the browser step also offers one-click firewall onboarding:
-#    say yes and the CLI stores a scoped API key in the same file — no env vars.
+# 2. Pick (or create) your app in the browser - writes .securenow/ locally.
+#    Since v7.4.0, the browser step enables the app firewall and stores
+#    a scoped firewall API key in the same file - no env vars.
 npx securenow login
 
 # 3. Start your app — one flag is all it takes
@@ -137,7 +137,7 @@ Resolution order (first non-empty wins):
 
 ```bash
 # Setup
-npx securenow login                 # browser auth + app picker + firewall onboarding (saves to ./.securenow/)
+npx securenow login                 # browser auth + app picker + firewall enabled by default
 npx securenow login --global        # save to ~/.securenow/ instead
 npx securenow login --token <TOKEN> # headless (CI)
 npx securenow init                  # scaffold Next.js instrumentation files
@@ -168,6 +168,21 @@ Full reference: run `npx securenow help` or see [CLI Reference](#cli-reference)
 
 ---
 
+## MCP for Codex and Claude
+
+SecureNow ships a local stdio MCP server for agent clients:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or run directly:
+npx -p securenow securenow-mcp
+```
+
+The MCP server reuses the same project-local `.securenow/credentials.json` as the CLI and SDK. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, plus resources for the bundled SecureNow docs and setup prompts.
+
+---
+
 ## Environment variables (optional)
 
 Only set these if you want to override the zero-config defaults.
@@ -178,7 +193,7 @@ Only set these if you want to override the zero-config defaults.
 | `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
 | `SECURENOW_API_KEY` | from credentials file | Enables firewall + collector routing |
 | `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` for Fastify/Hapi/Hono. |
+| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
 | `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
 | `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
@@ -218,6 +233,7 @@ HTTP/HTTPS · GraphQL · gRPC · and many more via [@opentelemetry/auto-instrume
 ### Complete Guides
 - [Firewall](./docs/FIREWALL-GUIDE.md)
 - [API Keys](./docs/API-KEYS-GUIDE.md)
+- [MCP](./docs/MCP-GUIDE.md)
 - [Next.js Complete](./docs/NEXTJS-GUIDE.md)
 - [Nuxt 3 Complete](./docs/NUXT-GUIDE.md)
 - [Logging Complete](./docs/LOGGING-GUIDE.md)
@@ -244,7 +260,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 
 | Command | Description |
 |---|---|
-| `securenow login` | Browser auth + pick app + optional firewall key onboarding (writes ./.securenow/ by default) |
+| `securenow login` | Browser auth + pick app; firewall key is minted automatically (writes ./.securenow/ by default) |
 | `securenow login --global` | Save to ~/.securenow/ instead |
 | `securenow login --token <TOKEN>` | Headless (CI/servers) |
 | `securenow logout` | Clear project-local credentials |

package/SKILL-API.md

@@ -2,7 +2,9 @@
 
 Instrument any Node.js application with OpenTelemetry tracing, structured logging, request body capture, and a multi-layer IP firewall. Supports Express, Fastify, NestJS, Koa, Hapi, Next.js, Nuxt 3, Vite (browser), and raw `http.createServer` — with zero code changes for most setups.
 
-**CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
+**CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
+
+**MCP parity (v7.5+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reuses the same `.securenow/credentials.json` file as the CLI/SDK and exposes SecureNow tools, bundled docs resources, and setup prompts to agents.
 
 ## Installation
 
@@ -46,17 +48,19 @@ npx securenow init --key snk_live_...
 
 That's it. Traces and logs flow to your OTLP collector. No code changes for Express, Fastify, NestJS, Koa, Hapi, and raw Node.
 
-### 3. Enable the Firewall (Optional)
+### 3. Firewall Is Enabled by Default
 
-Since v7.1.0 the firewall key lives in your credentials file — no env var required:
+Since v7.4.0, the browser login flow connects the firewall automatically after
+the user picks or creates an app. The firewall key lives in your credentials
+file — no env var required:
 
 ```bash
-npx securenow login              # pick app + click "Enable firewall" in browser
-# or, if you already have one:
-npx securenow api-key set snk_live_abc123...
+npx securenow login              # pick/create app; firewall key is minted automatically
+# or, if you already have one:
+npx securenow api-key set snk_live_abc123...
 ```
 
-Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. Setting `SECURENOW_API_KEY=snk_live_...` in the environment still works and takes precedence.
+Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. Setting `SECURENOW_API_KEY=snk_live_...` in the environment still works and takes precedence.
 
 The firewall syncs your blocklist and enforces it on every request — zero code changes.
 
@@ -263,7 +267,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable. Since **v7.1.0** the key is read from `.securenow/credentials.json` (written by `npx securenow login` or `securenow api-key set`), so the `SECURENOW_API_KEY` env var is optional. Resolution order: env (must start with `snk_live_`) → project `./.securenow/credentials.json` → global `~/.securenow/credentials.json`.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.4.0**, `npx securenow login` enables the selected app firewall and writes the key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. The `SECURENOW_API_KEY` env var is optional. Resolution order: env (must start with `snk_live_`) → project `./.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -275,8 +279,8 @@ Layer 1: HTTP Handler      →  403 JSON response (always active)
 ### Activate
 
 ```bash
-# Zero-config (recommended) — writes the key to .securenow/credentials.json
-npx securenow login              # pick app + click "Enable firewall"
+# Zero-config (recommended) — writes the key to .securenow/credentials.json
+npx securenow login              # pick/create app; firewall connects automatically
 # or, if you already have a key:
 npx securenow api-key set snk_live_abc123...
 
@@ -478,9 +482,9 @@ securenow redact @request.json --fields internal_id,sessionHash
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `SECURENOW_LOGGING_ENABLED` | Enable OTLP log export | `1` |
-| `SECURENOW_CAPTURE_BODY` | Capture HTTP request bodies | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture HTTP request bodies | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Max body size in bytes | `10240` |
-| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data (streaming, metadata only) | `0` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data (streaming, metadata only) | `1` |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated extra fields to redact | — |
 | `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated packages to skip (e.g. `fs,dns`) | — |
 | `SECURENOW_TEST_SPAN` | `1` to emit a test span on startup | `0` |
@@ -551,16 +555,15 @@ No code changes to the application needed.
 
 ```bash
 npm install securenow
-npx securenow login              # pick app + "Enable firewall" in browser
+npx securenow login              # pick/create app; firewall key is minted automatically
 ```
 
-`securenow login` writes session, app, and firewall key to `.securenow/credentials.json` (auto-gitignored). The `init` command still works for manual setup — it creates `instrumentation.ts` and suggests `next.config` changes. Most users only need this `.env.local`:
+`securenow login` enables the selected app's firewall toggle and writes session, app, and firewall key to `.securenow/credentials.json` (auto-gitignored). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. The `init` command still works for manual setup — it creates `instrumentation.ts` and suggests `next.config` changes. Most users only need this `.env.local`:
 
 ```
 SECURENOW_APPID=my-nextjs-app
 SECURENOW_INSTANCE=https://your-collector:4318
-SECURENOW_CAPTURE_BODY=1
-# SECURENOW_API_KEY=snk_live_...   (otherwise lives in .securenow/credentials.json)
+# SECURENOW_API_KEY=snk_live_...   (otherwise lives in .securenow/credentials.json)
 ```
 
 ### Enable Firewall With Zero Tracing Overhead

package/SKILL-CLI.md

@@ -13,7 +13,18 @@ npm install securenow
 npx securenow <command>
 ```
 
-**Full parity with the SDK:** every capability the `securenow` Node SDK exposes has a CLI counterpart — redaction, CIDR matching, log/span emission, firewall preload, config inspection. If you can do it in code, you can do it from the terminal.
+**Full parity with the SDK:** every capability the `securenow` Node SDK exposes has a CLI counterpart — redaction, CIDR matching, log/span emission, firewall preload, config inspection. If you can do it in code, you can do it from the terminal.
+
+**MCP parity (v7.5+):** the same package also ships a local stdio MCP server for Codex, Claude, and other MCP clients:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or
+npx -p securenow securenow-mcp
+```
+
+The MCP server reuses `.securenow/credentials.json` and exposes apps, traces, logs, firewall, IP intelligence, forensics, notifications, remediation tools, bundled docs resources, and setup prompts. Write tools require `confirm:true` plus a reason.
 
 ### Authenticate
 
@@ -24,9 +35,9 @@ securenow login --token <JWT>   # headless / CI login (get token from dashboard
 securenow whoami            # verify session (shows email, app, auth source)
 ```
 
-**Zero-config flow (v7+):** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)**, **name**, and **instance URL** in `.securenow/credentials.json`. The SDK reads this file at boot and sends traces/logs to the right app bucket — **no env vars required for local dev**.
-
-**Firewall onboarding (v7.1+):** after picking the app, `securenow login` asks "Enable the Firewall?" in the browser. If you accept, the dashboard mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes and the CLI writes it into `.securenow/credentials.json` automatically — no `SECURENOW_API_KEY` env var needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
+**Zero-config flow (v7+):** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)**, **name**, and **instance URL** in `.securenow/credentials.json`. The SDK reads this file at boot and sends traces/logs to the right app bucket — **no env vars required for local dev**.
+
+**Default-on security (v7.4+):** after picking or creating the app, `securenow login` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 
 Credentials resolve in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
@@ -245,7 +256,7 @@ securenow firewall status                    # layers, sync time, blocked count,
 securenow firewall test-ip <ip>              # check if IP would be blocked
 ```
 
-**Zero-config setup (v7.1+):** running `securenow login` and opting into "Enable the Firewall?" in the browser auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`) and writes it to the credentials file. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
+**Zero-config setup (v7.4+):** running `securenow login` enables the selected app's firewall toggle, auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and writes it to the credentials file after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
 
 ### Blocklist — Block Malicious IPs
 

package/cli.js

@@ -365,14 +365,19 @@ const COMMANDS = {
     usage: 'securenow doctor [--json]',
     run: (a, f) => require('./cli/diagnostics').doctor(a, f),
   },
-  env: {
-    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
-    usage: 'securenow env [--json]',
-    run: (a, f) => require('./cli/diagnostics').env(a, f),
-  },
-  version: {
-    desc: 'Show CLI version',
-    run: () => {
+  env: {
+    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
+    usage: 'securenow env [--json]',
+    run: (a, f) => require('./cli/diagnostics').env(a, f),
+  },
+  mcp: {
+    desc: 'Start the SecureNow MCP server over stdio',
+    usage: 'securenow mcp',
+    run: () => require('./mcp/server'),
+  },
+  version: {
+    desc: 'Show CLI version',
+    run: () => {
       try {
         const pkg = require('./package.json');
         console.log(`securenow v${pkg.version}`);
@@ -437,7 +442,7 @@ function showHelp(commandName) {
     'Firewall': ['firewall'],
     'Remediation': ['blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
-    'Utilities': ['redact', 'cidr', 'doctor', 'env'],
+    'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],
   };
 

package/docs/ALL-FRAMEWORKS-QUICKSTART.md

@@ -119,9 +119,10 @@ SECURENOW_NO_UUID=1
 |----------|---------|---------|
 | `SECURENOW_APPID` | Your app key (from `securenow apps create`) | **Required** |
 | `SECURENOW_INSTANCE` | OTLP collector endpoint | `https://freetrial.securenow.ai:4318` |
-| `SECURENOW_LOGGING_ENABLED` | Auto-forward all `console.*` calls as OTLP logs | `0` |
+| `SECURENOW_LOGGING_ENABLED` | Auto-forward all `console.*` calls as OTLP logs | `1` |
 | `SECURENOW_NO_UUID` | Keep `service.name` equal to your app key (no UUID suffix) | `0` |
-| `SECURENOW_CAPTURE_BODY` | Capture request/response bodies in traces | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture request/response bodies in traces | `1` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart field/file metadata | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Max captured body size in bytes | `10240` |
 | `SECURENOW_SENSITIVE_FIELDS` | Extra field names to auto-redact (comma-separated) | — |
 | `SECURENOW_TRUSTED_PROXIES` | Comma-separated proxy IPs for X-Forwarded-For | — |
@@ -137,7 +138,8 @@ SECURENOW_APPID=my-app-prod
 SECURENOW_INSTANCE=https://collector.yourcompany.com:4318
 SECURENOW_LOGGING_ENABLED=1
 SECURENOW_NO_UUID=1
-SECURENOW_CAPTURE_BODY=0
+SECURENOW_CAPTURE_BODY=1
+SECURENOW_CAPTURE_MULTIPART=1
 SECURENOW_TRUSTED_PROXIES=10.0.0.1,10.0.0.2
 NODE_ENV=production
 ```
@@ -203,7 +205,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -249,7 +251,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 
 ---
 
@@ -299,7 +301,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -376,7 +378,7 @@ Add both to your `package.json`:
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -426,7 +428,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (payload stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 
 ---
 
@@ -473,7 +475,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -528,7 +530,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -591,7 +593,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -632,7 +634,7 @@ node -r securenow/register app.mjs
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 
 ---
 
@@ -687,7 +689,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 
 ---
 
@@ -1284,7 +1286,8 @@ pm2 start ecosystem.config.cjs
   script: 'app.mjs',
   node_args: '-r securenow/register',
   env: {
-    SECURENOW_CAPTURE_BODY: '0',  // Required for Hono
+    SECURENOW_CAPTURE_BODY: '1',
+    SECURENOW_CAPTURE_MULTIPART: '1',
     /* ... other vars ... */
   }
 }
@@ -1315,14 +1318,14 @@ CMD ["node", "-r", "securenow/register", "app.js"]
 | Framework | Traces | Logs | Body Capture | Init Method | Notes |
 |-----------|--------|------|--------------|-------------|-------|
 | Express | Yes | Yes | Yes | `require()` or `-r` | Fully compatible |
-| Fastify | Yes | Yes | **No** | `require()` or `-r` | Set `SECURENOW_CAPTURE_BODY=0` |
+| Fastify | Yes | Yes | Yes | `require()` or `-r` | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | Koa | Yes | Yes | Yes | `require()` or `-r` | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | `instrument.js` + `-r ./instrument.js` | Create `instrument.js` with `require('securenow/register')` |
-| Hapi | Yes | Yes | **No** | `require()` or `-r` | Set `SECURENOW_CAPTURE_BODY=0` |
+| Hapi | Yes | Yes | Yes | `require()` or `-r` | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | h3 | Yes | Yes | Yes | `require()` or `-r` | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | `require()` or `-r` | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | `require()` or `-r` | Raw `http.createServer` |
-| Hono | Yes | Yes | **No** | `-r` flag only (ESM) | Set `SECURENOW_CAPTURE_BODY=0` |
+| Hono | Yes | Yes | Yes | `-r` flag only (ESM) | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | Feathers | Yes | Yes | Yes | `require()` or `-r` | Express transport |
 | Next.js | Yes | Yes | Yes | `instrumentation.ts` | Use `securenow init` |
 
@@ -1349,7 +1352,7 @@ Do **not** add `require('securenow/register')` inside `.mjs` files.
 
 ### Body capture crashes / empty payloads
 
-Set `SECURENOW_CAPTURE_BODY=0` for Fastify, Hapi, and Hono. These frameworks use custom stream handling that conflicts with the body capture hook.
+Body capture is on by default. If a specific framework version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override for that app.
 
 ### CLI says "Not logged in"
 

package/docs/API-KEYS-GUIDE.md

@@ -54,8 +54,8 @@ Since v7.1.0, the firewall reads its API key from `.securenow/credentials.json`
 ### Writing the key to the credentials file
 
 ```bash
-# Interactive onboarding — picks/creates an app and, if you opt in,
-# mints a key scoped firewall:read + blocklist:read + allowlist:read
+# Interactive onboarding - picks/creates an app, enables that app's firewall,
+# and mints a key scoped firewall:read + blocklist:read + allowlist:read
 # (the "firewall" preset, used by default for CLI firewall onboarding)
 # and writes it to ./.securenow/credentials.json automatically.
 npx securenow login