securenow 7.5.0 → 7.6.0

package/docs/ENVIRONMENTS.md

@@ -0,0 +1,60 @@
+# SecureNow Environments
+
+SecureNow uses one app id for one application, then separates data by deployment environment.
+
+## Recommended Model
+
+- Use the same `app.key` for local, preview, staging, and production.
+- Set `config.runtime.deploymentEnvironment` in `.securenow/credentials.json`.
+- Default local setup writes `local`.
+- Production runtime credentials should write `production`.
+- The SDK sends this value as the OpenTelemetry `deployment.environment` resource attribute.
+- The firewall sync sends the same environment to SecureNow so app firewall settings can differ per environment.
+
+Example local file:
+
+```json
+{
+  "app": {
+    "key": "00000000-0000-0000-0000-000000000000",
+    "name": "my-app",
+    "instance": "https://freetrial.securenow.ai:4318"
+  },
+  "config": {
+    "runtime": {
+      "deploymentEnvironment": "local"
+    }
+  }
+}
+```
+
+Example production flow:
+
+```bash
+npx securenow credentials runtime --env production
+```
+
+This writes `.securenow/credentials.production.json`. Deploy the generated JSON as a secret file and mount or copy it to:
+
+```text
+<app-root>/.securenow/credentials.json
+```
+
+## Investigation Defaults
+
+Forensics, firewall status, and security investigation tools default to `production`. Use `--env local`, `--env staging`, or `--env all` when you explicitly want another scope.
+
+```bash
+npx securenow traces --app <app-key> --env production
+npx securenow logs --app <app-key> --env local
+npx securenow forensics "show suspicious IPs in the last hour" --app <app-key> --env production
+npx securenow firewall disable --app <app-key> --env local
+```
+
+## Firewall Defaults
+
+- Production defaults to firewall on.
+- Local, preview, staging, and test default to firewall off until explicitly enabled.
+- Blocklists and allowlists are still app-scoped, but the app firewall toggle and threshold are environment-scoped.
+
+This keeps local development friction low while preserving production as the primary security boundary.

package/docs/EXPRESS-SETUP-GUIDE.md

@@ -717,3 +717,6 @@ NODE_ENV=production
 ---
 
 **Your Express app is now fully observable!** 🎉
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Run `npx securenow login`, `npx securenow init`, and for production generate `npx securenow credentials runtime --env production`; mount/copy that file as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.

package/docs/FIREWALL-GUIDE.md

@@ -434,3 +434,6 @@ npx securenow firewall test-ip 1.2.3.4
 - [Environment Variables Reference](./ENVIRONMENT-VARIABLES.md) — All configuration options
 - [All Frameworks Quick Start](./ALL-FRAMEWORKS-QUICKSTART.md) — Framework setup guides
 - [Automatic IP Capture](./AUTOMATIC-IP-CAPTURE.md) — How client IPs are resolved
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. `npx securenow login` writes the firewall key locally; `npx securenow credentials runtime --env production` creates the tokenless production file to mount/copy as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.

package/docs/INDEX.md

@@ -1,6 +1,8 @@
 # SecureNow Documentation
 
-Complete documentation for SecureNow - OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt with tracing and logging.
+Complete documentation for SecureNow - OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt with tracing, logging, body capture, and firewall protection.
+
+**Current setup model:** local and production configuration live in `.securenow/credentials.json`. Run `npx securenow login`, then `npx securenow init`. For production, generate a tokenless runtime file with `npx securenow credentials runtime --env production` and mount/copy it to `.securenow/credentials.json`. Older guides may mention env vars as legacy fallbacks; new integrations should use the credentials file.
 
 ## 📚 Table of Contents
 
@@ -65,12 +67,8 @@ Complete documentation for SecureNow - OpenTelemetry instrumentation for Node.js
 
 ### ⚙️ Configuration
 
-- **[Environment Variables Complete Reference](ENVIRONMENT-VARIABLES.md)** - All variables explained
-  - Required variables
-  - Optional variables
-  - Configuration examples
-  - Best practices
-  - Priority and overrides
+- **[Credentials Reference](ENVIRONMENT-VARIABLES.md)** - `.securenow/credentials.json` fields, secure defaults, and legacy fallbacks
+- **[Environment Separation](ENVIRONMENTS.md)** - One app id across local, preview, staging, and production
 
 ### 🔐 Next.js Body Capture
 
@@ -141,7 +139,7 @@ Complete documentation for SecureNow - OpenTelemetry instrumentation for Node.js
 ### "I want to block malicious IPs automatically"
 1. Start with [Firewall Guide](FIREWALL-GUIDE.md)
 2. Create an API key: [API Keys Guide](API-KEYS-GUIDE.md)
-3. Configure environment variables: [Environment Variables Reference](ENVIRONMENT-VARIABLES.md)
+3. Review credentials fields: [Credentials Reference](ENVIRONMENT-VARIABLES.md)
 
 ### "I need to capture IP addresses and headers"
 1. Read [Automatic IP Capture](AUTOMATIC-IP-CAPTURE.md)

package/docs/LOGGING-GUIDE.md

@@ -699,3 +699,6 @@ logger.emit({
 - **Issues**: [GitHub Issues](https://github.com/your-repo/securenow-npm)
 - **Documentation**: [Full Docs](./INDEX.md)
 - **Website**: [securenow.ai](http://securenow.ai/)
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Run `npx securenow login`, `npx securenow init`, and for production generate `npx securenow credentials runtime --env production`; mount/copy that file as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.

package/docs/MCP-GUIDE.md

@@ -20,6 +20,14 @@ npx -p securenow securenow-mcp
 The local MCP server reads the same project-local `.securenow/credentials.json`
 as the CLI and SDK. No production deployment is required.
 
+## Environment Scope
+
+MCP tools use the same environment model as the CLI and UI: one app key across
+local, preview, staging, and production, separated by
+`config.runtime.deploymentEnvironment`. Investigation tools default to
+`production`. Pass `environment: "local"`, `"staging"`, `"preview"`, or
+`"all"` only when that scope is intentional.
+
 ## Hosted MCP
 
 For hosted clients, expose the secured API endpoint:

package/docs/NEXTJS-GUIDE.md

@@ -386,4 +386,7 @@ ISC
 ---
 
 **Made with ❤️ for the Next.js and SecureNow community**
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Run `npx securenow login`, `npx securenow init`, and for production generate `npx securenow credentials runtime --env production`; mount/copy that file as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.
 

package/docs/NEXTJS-QUICKSTART.md

@@ -9,7 +9,7 @@ npm install securenow
 # 2. Pick (or create) your app in the browser — writes .securenow/ locally
 npx securenow login
 
-# 3. Scaffold instrumentation.ts and wrap next.config.js
+# 3. Scaffold instrumentation.ts and update next.config.js
 npx securenow init
 
 # 4. Run
@@ -25,23 +25,29 @@ No `.env.local` edits. No API key copy-paste. The app you picked in step 2 is wh
 **`instrumentation.ts`** (or `.js`, auto-detected):
 
 ```typescript
-import { registerSecureNow } from 'securenow/nextjs';
-export function register() {
-  registerSecureNow();
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
 }
 ```
 
-It also tells you to wrap `next.config.js`:
+For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` when it can safely patch the file:
 
 ```javascript
-const { withSecureNow } = require('securenow/nextjs-webpack-config');
+const nextConfig = {
+  serverExternalPackages: ['securenow'],
+};
 
-module.exports = withSecureNow({
-  // your existing config
-});
+export default nextConfig;
 ```
 
-`withSecureNow()` auto-detects Next.js 14 vs 15 vs 16 and sets the right externalization config.
+For older Next.js, use `experimental.serverComponentsExternalPackages`. If you already have custom `instrumentation.*` or a complex `next.config.*`, `init` prints a Codex/Claude-ready prompt with the exact edits to merge instead of guessing.
 
 ---
 
@@ -57,21 +63,23 @@ Start your app. In the console you should see:
 Then:
 
 ```bash
-npx securenow test-span      # emit a test span
-npx securenow traces         # see it appear
+npx securenow test-span      # emits with config.runtime.deploymentEnvironment
+npx securenow traces --env local
+npx securenow status --env local
 ```
 
 If `traces` shows your span under the app name you picked, you're done.
 
 ---
 
-## Overriding for CI / Docker / Vercel
+## Production / Docker / Vercel
 
-`.securenow/credentials.json` is for local dev. For anywhere you can't run `npx securenow login`, set env vars — they always win:
+Production uses the same credentials shape. Generate a tokenless runtime file:
 
 ```bash
-SECURENOW_APPID=<app-key-uuid>              # from: npx securenow apps
-SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
+npx securenow credentials runtime --env production
 ```
 
+Deploy `.securenow/credentials.production.json` as a secret file and mount or copy it to `<app-root>/.securenow/credentials.json`. It contains `app`, `apiKey`, `config`, and explanations, but no CLI OAuth token.
+
 See [NEXTJS-GUIDE.md](./NEXTJS-GUIDE.md) for Vercel, standalone builds, and edge runtime details.

package/docs/NUXT-GUIDE.md

@@ -168,3 +168,6 @@ export default defineNuxtConfig({
   },
 });
 ```
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Run `npx securenow login`, `npx securenow init`, and for production generate `npx securenow credentials runtime --env production`; mount/copy that file as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.

package/docs/QUICKSTART-BODY-CAPTURE.md

@@ -288,3 +288,6 @@ export const POST = withSecureNow(handler);
 
 
 
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Body capture defaults live under `config.capture.*`; run `npx securenow init` to create secure defaults. Env-var examples in this older guide are legacy fallback snippets.

package/docs/REQUEST-BODY-CAPTURE.md

@@ -581,4 +581,7 @@ SECURENOW_SENSITIVE_FIELDS=""  # Don't do this!
 ---
 
 **Made with security in mind** 🔒
+# Current setup note
+
+Use `.securenow/credentials.json` for local and production. Body capture defaults live under `config.capture.*`; run `npx securenow init` to create secure defaults. Env-var examples in this older guide are legacy fallback snippets.
 

package/firewall-cloud.js

@@ -21,10 +21,10 @@ const MIN_PUSH_INTERVAL_MS = 30000;
 
 // ────── Cloudflare ──────
 
-async function cloudflareSync(ips) {
-  const token = process.env.CLOUDFLARE_API_TOKEN;
-  const accountId = process.env.CLOUDFLARE_ACCOUNT_ID;
-  if (!token || !accountId) throw new Error('Missing CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID');
+async function cloudflareSync(ips) {
+  const token = _options?.cloudflare?.apiToken;
+  const accountId = _options?.cloudflare?.accountId;
+  if (!token || !accountId) throw new Error('Missing CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID');
 
   const listName = 'securenow-blocklist';
 
@@ -82,9 +82,9 @@ async function awsSync(ips) {
     throw new Error('AWS WAF requires @aws-sdk/client-wafv2 — install it: npm i @aws-sdk/client-wafv2');
   }
 
-  const ipSetId = process.env.AWS_WAF_IP_SET_ID;
-  const ipSetName = process.env.AWS_WAF_IP_SET_NAME || 'securenow-blocklist';
-  const scope = process.env.AWS_WAF_SCOPE || 'REGIONAL';
+  const ipSetId = _options?.aws?.wafIpSetId;
+  const ipSetName = _options?.aws?.wafIpSetName || 'securenow-blocklist';
+  const scope = _options?.aws?.wafScope || 'REGIONAL';
   if (!ipSetId) throw new Error('Missing AWS_WAF_IP_SET_ID');
 
   const client = new WAFV2.WAFV2Client({});
@@ -117,8 +117,8 @@ async function gcpSync(ips) {
     throw new Error('GCP Cloud Armor requires @google-cloud/compute — install it: npm i @google-cloud/compute');
   }
 
-  const project = process.env.GCP_PROJECT_ID;
-  const policyName = process.env.GCP_SECURITY_POLICY;
+  const project = _options?.gcp?.projectId;
+  const policyName = _options?.gcp?.securityPolicy;
   if (!project || !policyName) throw new Error('Missing GCP_PROJECT_ID or GCP_SECURITY_POLICY');
 
   const client = new compute.SecurityPoliciesClient();
@@ -191,7 +191,7 @@ async function sync(ips) {
   if (now - _lastPushTime < MIN_PUSH_INTERVAL_MS) return;
   _lastPushTime = now;
 
-  const dryRun = process.env.SECURENOW_FIREWALL_CLOUD_DRY_RUN === '1';
+  const dryRun = _options?.cloudDryRun === true;
   if (dryRun) {
     if (_options.log) console.log('[securenow] Firewall cloud: dry-run — would push %d IPs to %s', ips.length, _provider);
     return;

package/firewall-only.js

@@ -7,36 +7,38 @@
  *   node -r securenow/firewall-only app.js
  *   NODE_OPTIONS='-r securenow/firewall-only' next start
  *
- * Reads .env via dotenv (if installed), then initialises the HTTP-level
- * firewall when an API key is resolvable (env var or .securenow/credentials.json).
+ * Reads .securenow/credentials.json first, with legacy env vars supported only
+ * as fallbacks. Initialises the HTTP-level firewall when a snk_live_ API key
+ * is resolvable.
  */
 
 try { require('dotenv').config(); } catch (_) {}
 
-const env = (k) =>
-  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
+const appConfig = require('./app-config');
+const firewallOptions = appConfig.resolveFirewallOptions();
 
-const { resolveApiKey, resolveAppKey } = require('./app-config');
-const firewallApiKey = resolveApiKey();
-const appKey = resolveAppKey();
-
-// SECURENOW_FIREWALL_ENABLED=0 is a hard local override (ops escape hatch).
+// config.firewall.enabled=false disables the local SDK firewall.
 // In all other cases the toggle lives in the dashboard; default ON when an
 // API key is present.
-if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
-  require('./firewall').init({
-    apiKey: firewallApiKey,
-    appKey: appKey || null,
-    apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-    versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-    syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-    failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-    statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-    log: env('SECURENOW_FIREWALL_LOG') !== '0',
-    tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-    iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-    cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
-  });
+if (firewallOptions.apiKey && firewallOptions.enabled) {
+  require('./firewall').init({
+    apiKey: firewallOptions.apiKey,
+    appKey: firewallOptions.appKey,
+    environment: firewallOptions.environment,
+    apiUrl: firewallOptions.apiUrl,
+    versionCheckInterval: firewallOptions.versionCheckInterval,
+    syncInterval: firewallOptions.syncInterval,
+    failMode: firewallOptions.failMode,
+    statusCode: firewallOptions.statusCode,
+    log: firewallOptions.log,
+    tcp: firewallOptions.tcp,
+    iptables: firewallOptions.iptables,
+    cloud: firewallOptions.cloud,
+    cloudDryRun: firewallOptions.cloudDryRun,
+    cloudflare: firewallOptions.cloudflare,
+    aws: firewallOptions.aws,
+    gcp: firewallOptions.gcp,
+  });
 
   const shutdown = () => { try { require('./firewall').shutdown(); } catch (_) {} };
   process.on('SIGINT', shutdown);

package/firewall.js

@@ -98,9 +98,17 @@ function handleRetryAfter(res) {
 
 // ────── HTTP helpers ──────
 
-function buildUrl(apiUrl, path) {
-  return apiUrl.replace(/\/+$/, '') + '/api/v1' + path;
-}
+function buildUrl(apiUrl, path) {
+  return apiUrl.replace(/\/+$/, '') + '/api/v1' + path;
+}
+
+function buildFirewallUrl(path) {
+  const query = new URLSearchParams();
+  if (_options && _options.appKey) query.set('app', _options.appKey);
+  if (_options && _options.environment) query.set('env', _options.environment);
+  const suffix = query.toString() ? `?${query.toString()}` : '';
+  return buildUrl(_options.apiUrl, path) + suffix;
+}
 
 function jitter(baseMs) {
   return baseMs * (0.8 + Math.random() * 0.4);
@@ -139,10 +147,14 @@ function httpGet(url, extraHeaders, timeout, callback) {
 
 // ────── Unified Sync (v2 — single request for everything) ──────
 
-function doUnifiedSync(callback) {
-  const appQuery = _options.appKey ? `?app=${encodeURIComponent(_options.appKey)}` : '';
-  const url = buildUrl(_options.apiUrl, '/firewall/sync') + appQuery;
-  const headers = {};
+function doUnifiedSync(callback) {
+  const query = new URLSearchParams();
+  if (_options.appKey) query.set('app', _options.appKey);
+  if (_options.environment) query.set('env', _options.environment);
+  const suffix = query.toString() ? `?${query.toString()}` : '';
+  const url = buildUrl(_options.apiUrl, '/firewall/sync') + suffix;
+  const headers = {};
+  if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
   if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
 
@@ -229,9 +241,10 @@ function doUnifiedSync(callback) {
 
 // ────── Legacy Sync (v1 — separate endpoints, kept for backward compat) ──────
 
-function legacyBlocklistSync(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
-  const headers = {};
+function legacyBlocklistSync(callback) {
+  const url = buildFirewallUrl('/firewall/blocklist');
+  const headers = {};
+  if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastSyncEtag) headers['If-None-Match'] = _lastSyncEtag;
   else if (_lastModified) headers['If-Modified-Since'] = _lastModified;
 
@@ -257,9 +270,10 @@ function legacyBlocklistSync(callback) {
   });
 }
 
-function legacyAllowlistSync(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
-  const headers = {};
+function legacyAllowlistSync(callback) {
+  const url = buildFirewallUrl('/firewall/allowlist');
+  const headers = {};
+  if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastAllowlistSyncEtag) headers['If-None-Match'] = _lastAllowlistSyncEtag;
   else if (_lastAllowlistModified) headers['If-Modified-Since'] = _lastAllowlistModified;
 
@@ -283,9 +297,10 @@ function legacyAllowlistSync(callback) {
   });
 }
 
-function legacyVersionCheck(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
-  const headers = {};
+function legacyVersionCheck(callback) {
+  const url = buildFirewallUrl('/firewall/blocklist/version');
+  const headers = {};
+  if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastVersion) headers['If-None-Match'] = _lastVersion;
 
   httpGet(url, headers, 5000, (err, res, data) => {
@@ -305,9 +320,10 @@ function legacyVersionCheck(callback) {
   });
 }
 
-function legacyAllowlistVersionCheck(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
-  const headers = {};
+function legacyAllowlistVersionCheck(callback) {
+  const url = buildFirewallUrl('/firewall/allowlist/version');
+  const headers = {};
+  if (_options.environment) headers['X-SecureNow-Environment'] = _options.environment;
   if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
 
   httpGet(url, headers, 5000, (err, res, data) => {
@@ -655,9 +671,10 @@ function patchHttpLayer() {
 // ────── Init ──────
 
 function init(options) {
-  _options = options;
-
-  if (_options.log) console.log('[securenow] Firewall: ENABLED');
+  _options = options;
+
+  if (_options.log) console.log('[securenow] Firewall: ENABLED');
+  if (_options.log && _options.environment) console.log('[securenow] Firewall: environment=%s', _options.environment);
 
   patchHttpLayer();
   if (_options.log) console.log('[securenow] Firewall: Layer 1 (HTTP 403)      active');
@@ -672,7 +689,7 @@ function init(options) {
       if (_options.log) console.warn('[securenow] Firewall: Layer 2 (TCP drop)       failed:', e.message);
     }
   } else {
-    if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       disabled (set SECURENOW_FIREWALL_TCP=1)');
+    if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       disabled (set config.firewall.tcp=true)');
   }
 
   if (_options.iptables) {
@@ -685,7 +702,7 @@ function init(options) {
       if (_options.log) console.warn('[securenow] Firewall: Layer 3 (iptables)       failed:', e.message);
     }
   } else {
-    if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       disabled (set SECURENOW_FIREWALL_IPTABLES=1)');
+    if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       disabled (set config.firewall.iptables=true)');
   }
 
   if (_options.cloud) {
@@ -698,7 +715,7 @@ function init(options) {
       if (_options.log) console.warn('[securenow] Firewall: Layer 4 (Cloud WAF)      failed:', e.message);
     }
   } else {
-    if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      disabled (set SECURENOW_FIREWALL_CLOUD=cloudflare|aws|gcp)');
+    if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      disabled (set config.firewall.cloud=cloudflare|aws|gcp)');
   }
 
   startSyncLoop();
@@ -742,10 +759,11 @@ function getStats() {
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,
     unifiedSync: _useUnifiedSync,
-    remoteEnabled: _remoteEnabled,
-    appKey: _options ? _options.appKey || null : null,
-  };
-}
+    remoteEnabled: _remoteEnabled,
+    appKey: _options ? _options.appKey || null : null,
+    environment: _options ? _options.environment || null : null,
+  };
+}
 
 // Layers (TCP / iptables / cloud) read the matcher to populate kernel-level
 // rules. When the remote toggle is off, return null so they treat the policy

package/free-trial-banner.js

@@ -4,7 +4,7 @@
  * Free Trial Banner — auto-injects a visible "Testing Environment" banner
  * into HTML pages served by apps using the SecureNow free trial instance.
  *
- * Opt-out: set SECURENOW_HIDE_BANNER=1
+ * Opt-out: set config.runtime.hideBanner=true in .securenow/credentials.json
  */
 
 const FREETRIAL_HOST = 'freetrial.securenow.ai';