npm - securenow - Versions diffs - 7.4.0 → 7.5.1 - Mend

securenow 7.4.0 → 7.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/NPM_README.md +40 -24
package/README.md +22 -6
package/SKILL-API.md +19 -16
package/SKILL-CLI.md +16 -5
package/cli/diagnostics.js +21 -2
package/cli/init.js +94 -51
package/cli/ui.js +22 -12
package/cli.js +14 -9
package/docs/ALL-FRAMEWORKS-QUICKSTART.md +21 -18
package/docs/API-KEYS-GUIDE.md +2 -2
package/docs/ENVIRONMENT-VARIABLES.md +10 -9
package/docs/FIREWALL-GUIDE.md +5 -4
package/docs/MCP-GUIDE.md +50 -0
package/mcp/catalog.js +770 -0
package/mcp/server.js +238 -0
package/nextjs-auto-capture.d.ts +1 -1
package/package.json +10 -2

package/cli/ui.js CHANGED Viewed

@@ -111,13 +111,21 @@ function keyValue(pairs) {
   }
 }
-function heading(text) {
-  console.log(`\n${c.bold(c.cyan(text))}`);
-}
-function subheading(text) {
-  console.log(`\n  ${c.bold(text)}`);
-}
+function heading(text) {
+  console.log(`\n${c.bold(c.cyan(text))}`);
+}
+function header(text) {
+  heading(text);
+}
+function bold(text) {
+  return c.bold(text);
+}
+function subheading(text) {
+  console.log(`\n  ${c.bold(text)}`);
+}
 function success(msg) {
   console.log(`${c.green('✓')} ${msg}`);
@@ -361,11 +369,13 @@ function durationColor(ms) {
 module.exports = {
   c,
   NO_COLOR,
-  stripAnsi,
-  table,
-  keyValue,
-  heading,
-  subheading,
+  stripAnsi,
+  table,
+  keyValue,
+  heading,
+  header,
+  bold,
+  subheading,
   success,
   error,
   warn,

package/cli.js CHANGED Viewed

@@ -365,14 +365,19 @@ const COMMANDS = {
     usage: 'securenow doctor [--json]',
     run: (a, f) => require('./cli/diagnostics').doctor(a, f),
   },
-  env: {
-    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
-    usage: 'securenow env [--json]',
-    run: (a, f) => require('./cli/diagnostics').env(a, f),
-  },
-  version: {
-    desc: 'Show CLI version',
-    run: () => {
+  env: {
+    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
+    usage: 'securenow env [--json]',
+    run: (a, f) => require('./cli/diagnostics').env(a, f),
+  },
+  mcp: {
+    desc: 'Start the SecureNow MCP server over stdio',
+    usage: 'securenow mcp',
+    run: () => require('./mcp/server'),
+  },
+  version: {
+    desc: 'Show CLI version',
+    run: () => {
       try {
         const pkg = require('./package.json');
         console.log(`securenow v${pkg.version}`);
@@ -437,7 +442,7 @@ function showHelp(commandName) {
     'Firewall': ['firewall'],
     'Remediation': ['blocklist', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'test-span'],
-    'Utilities': ['redact', 'cidr', 'doctor', 'env'],
+    'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],
   };

package/docs/ALL-FRAMEWORKS-QUICKSTART.md CHANGED Viewed

@@ -119,9 +119,10 @@ SECURENOW_NO_UUID=1
 |----------|---------|---------|
 | `SECURENOW_APPID` | Your app key (from `securenow apps create`) | **Required** |
 | `SECURENOW_INSTANCE` | OTLP collector endpoint | `https://freetrial.securenow.ai:4318` |
-| `SECURENOW_LOGGING_ENABLED` | Auto-forward all `console.*` calls as OTLP logs | `0` |
+| `SECURENOW_LOGGING_ENABLED` | Auto-forward all `console.*` calls as OTLP logs | `1` |
 | `SECURENOW_NO_UUID` | Keep `service.name` equal to your app key (no UUID suffix) | `0` |
-| `SECURENOW_CAPTURE_BODY` | Capture request/response bodies in traces | `0` |
+| `SECURENOW_CAPTURE_BODY` | Capture request/response bodies in traces | `1` |
+| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart field/file metadata | `1` |
 | `SECURENOW_MAX_BODY_SIZE` | Max captured body size in bytes | `10240` |
 | `SECURENOW_SENSITIVE_FIELDS` | Extra field names to auto-redact (comma-separated) | — |
 | `SECURENOW_TRUSTED_PROXIES` | Comma-separated proxy IPs for X-Forwarded-For | — |
@@ -137,7 +138,8 @@ SECURENOW_APPID=my-app-prod
 SECURENOW_INSTANCE=https://collector.yourcompany.com:4318
 SECURENOW_LOGGING_ENABLED=1
 SECURENOW_NO_UUID=1
-SECURENOW_CAPTURE_BODY=0
+SECURENOW_CAPTURE_BODY=1
+SECURENOW_CAPTURE_MULTIPART=1
 SECURENOW_TRUSTED_PROXIES=10.0.0.1,10.0.0.2
 NODE_ENV=production
 ```
@@ -203,7 +205,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -249,7 +251,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 ---
@@ -299,7 +301,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -376,7 +378,7 @@ Add both to your `package.json`:
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -426,7 +428,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (payload stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 ---
@@ -473,7 +475,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -528,7 +530,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -591,7 +593,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -632,7 +634,7 @@ node -r securenow/register app.mjs
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | **No** — set `SECURENOW_CAPTURE_BODY=0` (stream conflict) |
+| Body Capture | Yes - default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 ---
@@ -687,7 +689,7 @@ node app.js
 |---------|-----------|
 | Traces | Yes |
 | Logs | Yes |
-| Body Capture | Yes — set `SECURENOW_CAPTURE_BODY=1` |
+| Body Capture | Yes - default on |
 ---
@@ -1284,7 +1286,8 @@ pm2 start ecosystem.config.cjs
   script: 'app.mjs',
   node_args: '-r securenow/register',
   env: {
-    SECURENOW_CAPTURE_BODY: '0',  // Required for Hono
+    SECURENOW_CAPTURE_BODY: '1',
+    SECURENOW_CAPTURE_MULTIPART: '1',
     /* ... other vars ... */
   }
 }
@@ -1315,14 +1318,14 @@ CMD ["node", "-r", "securenow/register", "app.js"]
 | Framework | Traces | Logs | Body Capture | Init Method | Notes |
 |-----------|--------|------|--------------|-------------|-------|
 | Express | Yes | Yes | Yes | `require()` or `-r` | Fully compatible |
-| Fastify | Yes | Yes | **No** | `require()` or `-r` | Set `SECURENOW_CAPTURE_BODY=0` |
+| Fastify | Yes | Yes | Yes | `require()` or `-r` | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | Koa | Yes | Yes | Yes | `require()` or `-r` | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | `instrument.js` + `-r ./instrument.js` | Create `instrument.js` with `require('securenow/register')` |
-| Hapi | Yes | Yes | **No** | `require()` or `-r` | Set `SECURENOW_CAPTURE_BODY=0` |
+| Hapi | Yes | Yes | Yes | `require()` or `-r` | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | h3 | Yes | Yes | Yes | `require()` or `-r` | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | `require()` or `-r` | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | `require()` or `-r` | Raw `http.createServer` |
-| Hono | Yes | Yes | **No** | `-r` flag only (ESM) | Set `SECURENOW_CAPTURE_BODY=0` |
+| Hono | Yes | Yes | Yes | `-r` flag only (ESM) | Default on; set `SECURENOW_CAPTURE_BODY=0` only for a local stream conflict |
 | Feathers | Yes | Yes | Yes | `require()` or `-r` | Express transport |
 | Next.js | Yes | Yes | Yes | `instrumentation.ts` | Use `securenow init` |
@@ -1349,7 +1352,7 @@ Do **not** add `require('securenow/register')` inside `.mjs` files.
 ### Body capture crashes / empty payloads
-Set `SECURENOW_CAPTURE_BODY=0` for Fastify, Hapi, and Hono. These frameworks use custom stream handling that conflicts with the body capture hook.
+Body capture is on by default. If a specific framework version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override for that app.
 ### CLI says "Not logged in"

package/docs/API-KEYS-GUIDE.md CHANGED Viewed

@@ -54,8 +54,8 @@ Since v7.1.0, the firewall reads its API key from `.securenow/credentials.json`
 ### Writing the key to the credentials file
 ```bash
-# Interactive onboarding — picks/creates an app and, if you opt in,
-# mints a key scoped firewall:read + blocklist:read + allowlist:read
+# Interactive onboarding - picks/creates an app, enables that app's firewall,
+# and mints a key scoped firewall:read + blocklist:read + allowlist:read
 # (the "firewall" preset, used by default for CLI firewall onboarding)
 # and writes it to ./.securenow/credentials.json automatically.
 npx securenow login

package/docs/ENVIRONMENT-VARIABLES.md CHANGED Viewed

@@ -16,7 +16,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_INSTANCE** | Optional | `https://freetrial.securenow.ai:4318` | OTLP collector base URL |
 | **SECURENOW_API_KEY** | Optional | from credentials file | API key (same UUID as APPID). Enables firewall. |
 | **SECURENOW_LOGGING_ENABLED** | Optional | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| **SECURENOW_CAPTURE_BODY** | Optional | `1` (on) | Capture request body. Set to `0` for Fastify/Hapi/Hono. |
+| **SECURENOW_CAPTURE_BODY** | Optional | `1` (on) | Capture request body. Set to `0` only for a local stream conflict. |
 | **SECURENOW_CAPTURE_MULTIPART** | Optional | `1` (on) | Capture multipart field/file metadata. |
 | **SECURENOW_MAX_BODY_SIZE** | Optional | `10240` | Max body size in bytes |
 | **SECURENOW_SENSITIVE_FIELDS** | Optional | - | Comma-separated extra fields to redact |
@@ -288,11 +288,12 @@ export SECURENOW_LOGGING_ENABLED=0
 **Format:** `1` (enabled) or `0` (disabled)
-**Default:** `0` (disabled)
+**Default:** `1` (enabled)
 **Example:**
 ```bash
-export SECURENOW_CAPTURE_BODY=1
+# Default is enabled. Use this only to opt out:
+export SECURENOW_CAPTURE_BODY=0
 ```
 **Supported content types:**
@@ -300,8 +301,7 @@ export SECURENOW_CAPTURE_BODY=1
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-**Not captured (unless separately enabled):**
-- `multipart/form-data` — requires `SECURENOW_CAPTURE_MULTIPART=1` (see below)
+**Not captured:**
 - Bodies larger than `SECURENOW_MAX_BODY_SIZE`
 **Security:**
@@ -373,11 +373,12 @@ export SECURENOW_SENSITIVE_FIELDS="custom_secret,private_data,internal_id"
 **Format:** `1` (enabled) or `0` (disabled)
-**Default:** `0` (disabled)
+**Default:** `1` (enabled)
 **Example:**
 ```bash
-export SECURENOW_CAPTURE_MULTIPART=1
+# Default is enabled. Use this only to opt out:
+export SECURENOW_CAPTURE_MULTIPART=0
 ```
 **What gets captured:**
@@ -405,7 +406,7 @@ export SECURENOW_CAPTURE_MULTIPART=1
 **Parts limit:** 100 parts maximum per request (safety guard).
-**Requires:** `SECURENOW_CAPTURE_BODY=1` must also be set (multipart capture is gated behind general body capture).
+**Relationship to body capture:** multipart metadata capture has its own opt-out flag. Leave `SECURENOW_CAPTURE_MULTIPART` unset, `1`, or `true` to keep it enabled.
 **Since:** v5.8.0
@@ -533,7 +534,7 @@ export NODE_ENV=test
 export SECURENOW_API_KEY=snk_live_a1b2c3d4e5f6...
 ```
-**v7.1.0+:** the firewall also reads this key from `.securenow/credentials.json` (written by `securenow login` with firewall enabled, or by `securenow api-key set`). The env var only wins if it starts with `snk_live_` — otherwise the credentials file is used, so you can rely on the file for local dev without unsetting any stray env var. Setting an app UUID here (the old pre-7.1 habit) is ignored for firewall auth and would produce silent 401s; always use a `snk_live_...` key.
+**v7.4.0+:** the firewall also reads this key from `.securenow/credentials.json` (written by `securenow login`, which enables the selected app firewall by default, or by `securenow api-key set`). The env var only wins if it starts with `snk_live_` — otherwise the credentials file is used, so you can rely on the file for local dev without unsetting any stray env var. Setting an app UUID here (the old pre-7.1 habit) is ignored for firewall auth and would produce silent 401s; always use a `snk_live_...` key.
 ---

package/docs/FIREWALL-GUIDE.md CHANGED Viewed

@@ -47,10 +47,11 @@ All layers share the same in-memory blocklist, synced from the SecureNow API usi
 Two ways to get the firewall wired up — pick whichever fits:
 ```bash
-# (a) Zero-config (v7.1+): run login and choose "Enable firewall" in the browser.
-# The dashboard mints a key scoped firewall:read + blocklist:read + allowlist:read
-# and the CLI writes it to .securenow/credentials.json. No further config needed.
-npx securenow login
+# (a) Zero-config (v7.4+): run login, pick/create an app, and connect.
+# The selected app's firewall toggle is enabled automatically.
+# The dashboard mints a key scoped firewall:read + blocklist:read + allowlist:read
+# and the CLI writes it to .securenow/credentials.json. No further config needed.
+npx securenow login
 # (b) Already have a key? Drop it into the credentials file directly:
 npx securenow api-key set snk_live_abc123...

package/docs/MCP-GUIDE.md ADDED Viewed

@@ -0,0 +1,50 @@
+# SecureNow MCP Guide
+SecureNow ships an MCP server for agent clients such as Codex and Claude.
+## Local stdio MCP
+Use this when the agent is running on the same machine as your project:
+```bash
+npx securenow login
+codex mcp add securenow -- npx securenow mcp
+```
+You can also run the server directly:
+```bash
+npx -p securenow securenow-mcp
+```
+The local MCP server reads the same project-local `.securenow/credentials.json`
+as the CLI and SDK. No production deployment is required.
+## Hosted MCP
+For hosted clients, expose the secured API endpoint:
+```text
+https://api.securenow.ai/mcp
+```
+The hosted endpoint must be authenticated with `Authorization: Bearer ...`.
+It accepts SecureNow JWT sessions and `snk_live_...` API keys through the same
+API auth path used by the rest of SecureNow.
+## Security Model
+- Read tools require the matching `*:read` scope.
+- Write tools require the matching `*:write` scope or `applications:write` for
+  app firewall settings.
+- Write tools also require `confirm: true` and a non-empty `reason`.
+- Full tokens and API keys are never returned by tools or resources.
+- Hosted MCP validates browser origins and rate-limits requests.
+- Tool calls are proxied through existing API routes so tenant isolation and
+  scope enforcement stay centralized.
+## Tools
+The MCP exposes applications, traces, logs, firewall, IP intelligence,
+forensics, notifications, blocklist, allowlist, trusted IPs, analytics, bundled
+docs resources, and setup prompts.