securenow 7.4.0 → 7.5.1

package/NPM_README.md

@@ -23,6 +23,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - [Installation](#installation)
 - [Quick Start](#quick-start)
 - [CLI -- Command Line Interface](#cli--command-line-interface)
+- [MCP for Codex and Claude](#mcp-for-codex-and-claude)
 - [Framework-Specific Setup](#framework-specific-setup)
   - [Express.js](#expressjs)
   - [Next.js](#nextjs)
@@ -59,13 +60,13 @@ yarn add securenow
 
 ### 1. Automatic Setup (Recommended)
 
-Run login — it's a browser flow that picks an app and, since v7.1.0, also offers one-click firewall onboarding:
+Run login — it's a browser flow that picks or creates an app and connects the firewall automatically:
 
 ```bash
 npx securenow login
 ```
 
-During the browser step you can choose **Enable the Firewall?** — if you accept, the dashboard mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`) and the CLI writes it into `.securenow/credentials.json`. No env vars, no copy-pasting keys.
+During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
 
 For framework scaffolding (Next.js `instrumentation.ts`, etc.) use:
 
@@ -153,9 +154,8 @@ The `securenow` CLI gives you full access to the SecureNow platform from the ter
 
 ```bash
 # Log in (opens browser for OAuth + app picker)
-# Since v7.1.0 the browser flow also offers one-click firewall onboarding —
-# accept "Enable the Firewall?" to have the CLI mint and store the API key
-# in .securenow/credentials.json automatically (no env var needed).
+# The browser flow mints and stores the firewall API key automatically in
+# .securenow/credentials.json (no env var needed).
 npx securenow login
 
 # Or use a token for CI/headless environments
@@ -185,6 +185,21 @@ npx securenow init --key snk_live_abc123...
 
 For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript) and tells you how to update `next.config.js` with `withSecureNow()`. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
 
+### MCP for Codex and Claude
+
+SecureNow includes a local stdio MCP server that uses the same credentials and API client as the CLI:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or
+npx -p securenow securenow-mcp
+```
+
+The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason.
+
+For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
+
 ### Managing Applications
 
 ```bash
@@ -626,7 +641,7 @@ fastify.listen({ port: 3000 }, (err) => {
 });
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Fastify -- the body capture hook conflicts with Fastify's internal stream handling.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
 
 ---
 
@@ -749,7 +764,7 @@ const init = async () => {
 init().catch((err) => { console.error(err); process.exit(1); });
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Hapi -- the body capture hook consumes the request stream before Hapi's payload parser.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
 
 ---
 
@@ -893,7 +908,7 @@ serve({ fetch: app.fetch, port: 3000 }, () => console.log('Hono running on port
 node -r securenow/register app.mjs
 ```
 
-> **Important:** Set `SECURENOW_CAPTURE_BODY=0` with Hono. Do **not** add `require('securenow/register')` inside `.mjs` files.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. For Hono ESM apps, keep using the `node -r securenow/register app.mjs` preload instead of adding `require('securenow/register')` inside `.mjs` files.
 
 ---
 
@@ -1079,14 +1094,14 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Framework | Traces | Logs | Body Capture | Firewall | Notes |
 |-----------|--------|------|--------------|----------|-------|
 | Express | Yes | Yes | Yes | Yes | Fully compatible |
-| Fastify | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0` required |
+| Fastify | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
 | Koa | Yes | Yes | Yes | Yes | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | Yes | Use `-r ts-node/register` |
-| Hapi | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0` required |
+| Hapi | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
 | h3 | Yes | Yes | Yes | Yes | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | Yes | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
-| Hono | Yes | Yes | **No** | Yes | `SECURENOW_CAPTURE_BODY=0`; ESM `-r` flag |
+| Hono | Yes | Yes | Yes | Yes | Use ESM `-r` preload |
 | Feathers | Yes | Yes | Yes | Yes | Uses Express transport |
 | Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `withSecureNow()` |
 | Nuxt 3 | Yes | Yes | Yes | Yes | Use `securenow/nuxt` module |
@@ -1097,12 +1112,12 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 
 SecureNow can automatically block IPs from your blocklist at the application layer. No code changes -- just provide an API key (via `securenow login`, the `api-key` CLI, or env var) and the firewall activates.
 
-### Enable the Firewall
+### Firewall Is Enabled by Default
 
 Pick whichever fits your environment:
 
 ```bash
-# (a) Zero-config (v7.1+): login + opt in to the firewall in the browser.
+# (a) Zero-config (v7.4+): login picks/creates an app and connects the firewall.
 # Key is minted and written to .securenow/credentials.json automatically.
 npx securenow login
 
@@ -1237,16 +1252,16 @@ See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for the full reference.
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `1` to enable, `0` to disable. | `1` |
+| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `0` to disable. | `1` |
 
 #### Request Body Capture
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `SECURENOW_CAPTURE_BODY` | Enable request body capture in traces. Set to `1` to enable. | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture request bodies in traces. Set to `0` to disable. | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
-| `SECURENOW_CAPTURE_MULTIPART` | Enable multipart/form-data capture. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `1` to enable. | `0` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data metadata. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `0` to disable. | `1` |
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1384,13 +1399,13 @@ node app.js
 
 ## Request Body Capture
 
-SecureNow can capture HTTP request bodies in traces for debugging purposes. This is disabled by default.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `SECURENOW_CAPTURE_BODY=0` only when you need a local opt-out.
 
-### Enable Body Capture
+### Body Capture Defaults
 
 ```bash
-export SECURENOW_CAPTURE_BODY=1
 export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
+# export SECURENOW_CAPTURE_BODY=0     # optional opt-out
 ```
 
 ### Supported Content Types
@@ -1398,11 +1413,11 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-- `multipart/form-data` (requires `SECURENOW_CAPTURE_MULTIPART=1`)
+- `multipart/form-data` (metadata capture is on unless `SECURENOW_CAPTURE_MULTIPART=0`)
 
 ### Multipart Body Capture (v5.8.0+)
 
-Enable with `SECURENOW_CAPTURE_MULTIPART=1` to capture multipart/form-data requests. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
+Multipart/form-data metadata capture is enabled by default. Set `SECURENOW_CAPTURE_MULTIPART=0` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
 
 **What gets captured:**
 - **Text fields** -- field name and value (up to 1000 chars), with sensitive fields auto-redacted
@@ -1731,10 +1746,11 @@ curl http://localhost:4318/v1/logs
 
 ### Request Body Not Captured
 
-**Check 1: Is body capture enabled?**
+**Check 1: Make sure body capture was not explicitly disabled**
 
 ```bash
-export SECURENOW_CAPTURE_BODY=1
+echo $SECURENOW_CAPTURE_BODY
+# Should be empty, 1, or true. Remove SECURENOW_CAPTURE_BODY=0 to re-enable defaults.
 ```
 
 **Check 2: Verify content type**
@@ -1915,7 +1931,7 @@ const dbLogger = getLogger('database', '1.0.0');
 const apiLogger = getLogger('api', '1.0.0');
 ```
 
-### 6. Enable Body Capture Only in Development
+### 6. Disable Body Capture Outside Development
 
 ```bash
 # .env.development

package/README.md

@@ -12,9 +12,9 @@ Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt — traces, logs, body
 # 1. Install
 npm install securenow
 
-# 2. Pick (or create) your app in the browser — writes .securenow/ locally.
-#    Since v7.1.0, the browser step also offers one-click firewall onboarding:
-#    say yes and the CLI stores a scoped API key in the same file — no env vars.
+# 2. Pick (or create) your app in the browser - writes .securenow/ locally.
+#    Since v7.4.0, the browser step enables the app firewall and stores
+#    a scoped firewall API key in the same file - no env vars.
 npx securenow login
 
 # 3. Start your app — one flag is all it takes
@@ -137,7 +137,7 @@ Resolution order (first non-empty wins):
 
 ```bash
 # Setup
-npx securenow login                 # browser auth + app picker + firewall onboarding (saves to ./.securenow/)
+npx securenow login                 # browser auth + app picker + firewall enabled by default
 npx securenow login --global        # save to ~/.securenow/ instead
 npx securenow login --token <TOKEN> # headless (CI)
 npx securenow init                  # scaffold Next.js instrumentation files
@@ -168,6 +168,21 @@ Full reference: run `npx securenow help` or see [CLI Reference](#cli-reference)
 
 ---
 
+## MCP for Codex and Claude
+
+SecureNow ships a local stdio MCP server for agent clients:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or run directly:
+npx -p securenow securenow-mcp
+```
+
+The MCP server reuses the same project-local `.securenow/credentials.json` as the CLI and SDK. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, plus resources for the bundled SecureNow docs and setup prompts.
+
+---
+
 ## Environment variables (optional)
 
 Only set these if you want to override the zero-config defaults.
@@ -178,7 +193,7 @@ Only set these if you want to override the zero-config defaults.
 | `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
 | `SECURENOW_API_KEY` | from credentials file | Enables firewall + collector routing |
 | `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` for Fastify/Hapi/Hono. |
+| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
 | `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
 | `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
@@ -218,6 +233,7 @@ HTTP/HTTPS · GraphQL · gRPC · and many more via [@opentelemetry/auto-instrume
 ### Complete Guides
 - [Firewall](./docs/FIREWALL-GUIDE.md)
 - [API Keys](./docs/API-KEYS-GUIDE.md)
+- [MCP](./docs/MCP-GUIDE.md)
 - [Next.js Complete](./docs/NEXTJS-GUIDE.md)
 - [Nuxt 3 Complete](./docs/NUXT-GUIDE.md)
 - [Logging Complete](./docs/LOGGING-GUIDE.md)
@@ -244,7 +260,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 
 | Command | Description |
 |---|---|
-| `securenow login` | Browser auth + pick app + optional firewall key onboarding (writes ./.securenow/ by default) |
+| `securenow login` | Browser auth + pick app; firewall key is minted automatically (writes ./.securenow/ by default) |
 | `securenow login --global` | Save to ~/.securenow/ instead |
 | `securenow login --token <TOKEN>` | Headless (CI/servers) |
 | `securenow logout` | Clear project-local credentials |

package/SKILL-API.md

@@ -2,7 +2,9 @@
 
 Instrument any Node.js application with OpenTelemetry tracing, structured logging, request body capture, and a multi-layer IP firewall. Supports Express, Fastify, NestJS, Koa, Hapi, Next.js, Nuxt 3, Vite (browser), and raw `http.createServer` — with zero code changes for most setups.
 
-**CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
+**CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
+
+**MCP parity (v7.5+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reuses the same `.securenow/credentials.json` file as the CLI/SDK and exposes SecureNow tools, bundled docs resources, and setup prompts to agents.
 
 ## Installation
 
@@ -46,17 +48,19 @@ npx securenow init --key snk_live_...
 
 That's it. Traces and logs flow to your OTLP collector. No code changes for Express, Fastify, NestJS, Koa, Hapi, and raw Node.
 
-### 3. Enable the Firewall (Optional)
+### 3. Firewall Is Enabled by Default
 
-Since v7.1.0 the firewall key lives in your credentials file — no env var required:
+Since v7.4.0, the browser login flow connects the firewall automatically after
+the user picks or creates an app. The firewall key lives in your credentials
+file — no env var required:
 
 ```bash
-npx securenow login              # pick app + click "Enable firewall" in browser
-# or, if you already have one:
-npx securenow api-key set snk_live_abc123...
+npx securenow login              # pick/create app; firewall key is minted automatically
+# or, if you already have one:
+npx securenow api-key set snk_live_abc123...
 ```
 
-Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. Setting `SECURENOW_API_KEY=snk_live_...` in the environment still works and takes precedence.
+Both paths write the key to `.securenow/credentials.json` (auto-gitignored) and the firewall activates on next start. Setting `SECURENOW_API_KEY=snk_live_...` in the environment still works and takes precedence.
 
 The firewall syncs your blocklist and enforces it on every request — zero code changes.
 
@@ -263,7 +267,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable. Since **v7.1.0** the key is read from `.securenow/credentials.json` (written by `npx securenow login` or `securenow api-key set`), so the `SECURENOW_API_KEY` env var is optional. Resolution order: env (must start with `snk_live_`) → project `./.securenow/credentials.json` → global `~/.securenow/credentials.json`.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.4.0**, `npx securenow login` enables the selected app firewall and writes the key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. The `SECURENOW_API_KEY` env var is optional. Resolution order: env (must start with `snk_live_`) → project `./.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -275,8 +279,8 @@ Layer 1: HTTP Handler      →  403 JSON response (always active)
 ### Activate
 
 ```bash
-# Zero-config (recommended) — writes the key to .securenow/credentials.json
-npx securenow login              # pick app + click "Enable firewall"
+# Zero-config (recommended) — writes the key to .securenow/credentials.json
+npx securenow login              # pick/create app; firewall connects automatically
 # or, if you already have a key:
 npx securenow api-key set snk_live_abc123...
 
@@ -478,9 +482,9 @@ securenow redact @request.json --fields internal_id,sessionHash
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `SECURENOW_LOGGING_ENABLED` | Enable OTLP log export | `1` |
-| `SECURENOW_CAPTURE_BODY` | Capture HTTP request bodies | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture HTTP request bodies | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Max body size in bytes | `10240` |
-| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data (streaming, metadata only) | `0` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data (streaming, metadata only) | `1` |
 | `SECURENOW_SENSITIVE_FIELDS` | Comma-separated extra fields to redact | — |
 | `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated packages to skip (e.g. `fs,dns`) | — |
 | `SECURENOW_TEST_SPAN` | `1` to emit a test span on startup | `0` |
@@ -551,16 +555,15 @@ No code changes to the application needed.
 
 ```bash
 npm install securenow
-npx securenow login              # pick app + "Enable firewall" in browser
+npx securenow login              # pick/create app; firewall key is minted automatically
 ```
 
-`securenow login` writes session, app, and firewall key to `.securenow/credentials.json` (auto-gitignored). The `init` command still works for manual setup — it creates `instrumentation.ts` and suggests `next.config` changes. Most users only need this `.env.local`:
+`securenow login` enables the selected app's firewall toggle and writes session, app, and firewall key to `.securenow/credentials.json` (auto-gitignored). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. The `init` command still works for manual setup — it creates `instrumentation.ts` and suggests `next.config` changes. Most users only need this `.env.local`:
 
 ```
 SECURENOW_APPID=my-nextjs-app
 SECURENOW_INSTANCE=https://your-collector:4318
-SECURENOW_CAPTURE_BODY=1
-# SECURENOW_API_KEY=snk_live_...   (otherwise lives in .securenow/credentials.json)
+# SECURENOW_API_KEY=snk_live_...   (otherwise lives in .securenow/credentials.json)
 ```
 
 ### Enable Firewall With Zero Tracing Overhead

package/SKILL-CLI.md

@@ -13,7 +13,18 @@ npm install securenow
 npx securenow <command>
 ```
 
-**Full parity with the SDK:** every capability the `securenow` Node SDK exposes has a CLI counterpart — redaction, CIDR matching, log/span emission, firewall preload, config inspection. If you can do it in code, you can do it from the terminal.
+**Full parity with the SDK:** every capability the `securenow` Node SDK exposes has a CLI counterpart — redaction, CIDR matching, log/span emission, firewall preload, config inspection. If you can do it in code, you can do it from the terminal.
+
+**MCP parity (v7.5+):** the same package also ships a local stdio MCP server for Codex, Claude, and other MCP clients:
+
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+# or
+npx -p securenow securenow-mcp
+```
+
+The MCP server reuses `.securenow/credentials.json` and exposes apps, traces, logs, firewall, IP intelligence, forensics, notifications, remediation tools, bundled docs resources, and setup prompts. Write tools require `confirm:true` plus a reason.
 
 ### Authenticate
 
@@ -24,9 +35,9 @@ securenow login --token <JWT>   # headless / CI login (get token from dashboard
 securenow whoami            # verify session (shows email, app, auth source)
 ```
 
-**Zero-config flow (v7+):** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)**, **name**, and **instance URL** in `.securenow/credentials.json`. The SDK reads this file at boot and sends traces/logs to the right app bucket — **no env vars required for local dev**.
-
-**Firewall onboarding (v7.1+):** after picking the app, `securenow login` asks "Enable the Firewall?" in the browser. If you accept, the dashboard mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes and the CLI writes it into `.securenow/credentials.json` automatically — no `SECURENOW_API_KEY` env var needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
+**Zero-config flow (v7+):** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)**, **name**, and **instance URL** in `.securenow/credentials.json`. The SDK reads this file at boot and sends traces/logs to the right app bucket — **no env vars required for local dev**.
+
+**Default-on security (v7.4+):** after picking or creating the app, `securenow login` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 
 Credentials resolve in order: `SECURENOW_TOKEN` env var → project `.securenow/credentials.json` → global `~/.securenow/credentials.json`.
 
@@ -245,7 +256,7 @@ securenow firewall status                    # layers, sync time, blocked count,
 securenow firewall test-ip <ip>              # check if IP would be blocked
 ```
 
-**Zero-config setup (v7.1+):** running `securenow login` and opting into "Enable the Firewall?" in the browser auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`) and writes it to the credentials file. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
+**Zero-config setup (v7.4+):** running `securenow login` enables the selected app's firewall toggle, auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and writes it to the credentials file after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
 
 ### Blocklist — Block Malicious IPs
 

package/cli/diagnostics.js

@@ -39,6 +39,7 @@ function resolvedConfig() {
   const apiUrl = config.getApiUrl();
   const loggingEnabled = !/^(0|false)$/i.test(String(process.env.SECURENOW_LOGGING_ENABLED ?? ''));
   const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
+  const captureMultipart = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_MULTIPART ?? ''));
   const firewallEnabled =
     !!apiKey && process.env.SECURENOW_FIREWALL_ENABLED !== '0';
 
@@ -52,6 +53,7 @@ function resolvedConfig() {
     apiUrl,
     loggingEnabled,
     captureBody,
+    captureMultipart,
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
@@ -62,6 +64,21 @@ function resolvedConfig() {
   };
 }
 
+function maskSecret(value) {
+  if (!value) return '';
+  const text = String(value);
+  if (text.length <= 12) return '***';
+  return `${text.slice(0, 12)}...${text.slice(-4)}`;
+}
+
+function redactConfig(cfg) {
+  return {
+    ...cfg,
+    headers: cfg.headers ? '***' : '',
+    apiKey: cfg.apiKey ? maskSecret(cfg.apiKey) : '',
+  };
+}
+
 function parseHeaders(str) {
   const out = {};
   if (!str) return out;
@@ -305,6 +322,7 @@ function env(_args, flags) {
     SECURENOW_API_URL: cfg.apiUrl,
     SECURENOW_LOGGING_ENABLED: cfg.loggingEnabled ? '1' : '0',
     SECURENOW_CAPTURE_BODY: cfg.captureBody ? '1' : '0',
+    SECURENOW_CAPTURE_MULTIPART: cfg.captureMultipart ? '1' : '0',
     SECURENOW_NO_UUID: process.env.SECURENOW_NO_UUID || `(auto: ${require('../app-config').resolveNoUuid() ? '1' : '0'})`,
     SECURENOW_FIREWALL_TCP: process.env.SECURENOW_FIREWALL_TCP || '0',
     SECURENOW_FIREWALL_IPTABLES: process.env.SECURENOW_FIREWALL_IPTABLES || '0',
@@ -313,7 +331,7 @@ function env(_args, flags) {
   };
 
   if (flags.json) {
-    ui.json({ resolved: cfg, env: vars });
+    ui.json({ resolved: redactConfig(cfg), env: vars });
     return;
   }
 
@@ -324,6 +342,7 @@ function env(_args, flags) {
     ['Logs endpoint', cfg.logsEndpoint],
     ['Logging', cfg.loggingEnabled ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
+    ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Firewall', cfg.firewallEnabled ? ui.c.green('enabled') : ui.c.dim('disabled (no API key)')],
   ]);
 
@@ -377,7 +396,7 @@ async function doctor(_args, flags) {
   const ok = checks.every((c) => c.ok);
 
   if (flags.json) {
-    ui.json({ ok, resolved: cfg, checks, warnings });
+    ui.json({ ok, resolved: redactConfig(cfg), checks, warnings });
     process.exit(ok ? 0 : 1);
   }
 

package/cli/init.js

@@ -1,24 +1,52 @@
 'use strict';
 
-const fs = require('fs');
-const path = require('path');
-const ui = require('./ui');
-
-const INSTRUMENTATION_JS = `export async function register() {
-  if (process.env.NEXT_RUNTIME === 'nodejs') {
-    const { registerSecureNow } = require('securenow/nextjs');
-    registerSecureNow();
-  }
-}
-`;
-
-const INSTRUMENTATION_TS = `export async function register() {
-  if (process.env.NEXT_RUNTIME === 'nodejs') {
-    const { registerSecureNow } = require('securenow/nextjs');
-    registerSecureNow();
-  }
-}
-`;
+const fs = require('fs');
+const path = require('path');
+const ui = require('./ui');
+const config = require('./config');
+
+const DEFAULT_ENV = {
+  SECURENOW_LOGGING_ENABLED: '1',
+  SECURENOW_CAPTURE_BODY: '1',
+  SECURENOW_CAPTURE_MULTIPART: '1',
+  SECURENOW_FIREWALL_ENABLED: '1',
+};
+
+const INSTRUMENTATION_JS = `import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+
+  process.env.SECURENOW_LOGGING_ENABLED ??= '1';
+  process.env.SECURENOW_CAPTURE_BODY ??= '1';
+  process.env.SECURENOW_CAPTURE_MULTIPART ??= '1';
+  process.env.SECURENOW_FIREWALL_ENABLED ??= '1';
+
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
+}
+`;
+
+const INSTRUMENTATION_TS = `import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+
+  process.env.SECURENOW_LOGGING_ENABLED ??= '1';
+  process.env.SECURENOW_CAPTURE_BODY ??= '1';
+  process.env.SECURENOW_CAPTURE_MULTIPART ??= '1';
+  process.env.SECURENOW_FIREWALL_ENABLED ??= '1';
+
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
+}
+`;
 
 function detectProject(dir) {
   const pkgPath = path.join(dir, 'package.json');
@@ -165,37 +193,52 @@ function initNode(dir, project) {
   }
 }
 
-function initEnv(dir, flags) {
-  const envFiles = ['.env', '.env.local'];
-  let envPath = null;
-
-  for (const f of envFiles) {
-    const p = path.join(dir, f);
-    if (fs.existsSync(p)) {
-      const content = fs.readFileSync(p, 'utf8');
-      if (content.includes('SECURENOW_API_KEY')) {
-        ui.info(`SECURENOW_API_KEY already set in ${f}`);
-        return;
-      }
-      envPath = p;
-      break;
-    }
-  }
-
-  if (!envPath) envPath = path.join(dir, '.env.local');
-
-  const apiKey = flags.key || flags['api-key'] || '';
-  if (apiKey) {
-    const existing = fs.existsSync(envPath) ? fs.readFileSync(envPath, 'utf8') : '';
-    const sep = existing && !existing.endsWith('\n') ? '\n' : '';
-    fs.appendFileSync(envPath, `${sep}SECURENOW_API_KEY=${apiKey}\n`, 'utf8');
-    ui.success(`Added SECURENOW_API_KEY to ${path.basename(envPath)}`);
-  } else {
-    ui.warn(`Add your API key to ${path.basename(envPath)}:`);
-    console.log('');
-    console.log('  SECURENOW_API_KEY=snk_live_...');
-    console.log('');
-  }
-}
+function initEnv(dir, flags) {
+  const envFiles = ['.env', '.env.local'];
+  let envPath = null;
+
+  for (const f of envFiles) {
+    const p = path.join(dir, f);
+    if (fs.existsSync(p)) {
+      envPath = p;
+      break;
+    }
+  }
+
+  if (!envPath) envPath = path.join(dir, '.env.local');
+
+  const existing = fs.existsSync(envPath) ? fs.readFileSync(envPath, 'utf8') : '';
+  const additions = [];
+  for (const [key, value] of Object.entries(DEFAULT_ENV)) {
+    if (!hasEnvKey(existing, key)) additions.push(`${key}=${value}`);
+  }
+
+  const explicitApiKey = flags.key || flags['api-key'] || '';
+  const hasApiKey = hasEnvKey(existing, 'SECURENOW_API_KEY');
+  if (explicitApiKey && !hasApiKey) additions.push(`SECURENOW_API_KEY=${explicitApiKey}`);
+
+  if (additions.length > 0) {
+    const sep = existing && !existing.endsWith('\n') ? '\n' : '';
+    fs.appendFileSync(envPath, `${sep}${additions.join('\n')}\n`, 'utf8');
+    ui.success(`Updated ${path.basename(envPath)} with SecureNow defaults`);
+  } else {
+    ui.info(`${path.basename(envPath)} already contains SecureNow defaults`);
+  }
+
+  if (hasApiKey || explicitApiKey) {
+    ui.info(`SECURENOW_API_KEY is set in ${path.basename(envPath)}`);
+  } else if (config.getApiKey()) {
+    ui.info('Using firewall API key from project .securenow/credentials.json');
+  } else {
+    ui.warn(`Add your API key to ${path.basename(envPath)}:`);
+    console.log('');
+    console.log('  SECURENOW_API_KEY=snk_live_...');
+    console.log('');
+  }
+}
+
+function hasEnvKey(content, key) {
+  return new RegExp(`^\\s*${key}\\s*=`, 'm').test(content || '');
+}
 
 module.exports = { init };