securenow 7.5.0 → 7.6.0

package/mcp/catalog.js

@@ -5,7 +5,77 @@ const path = require('path');
 
 const TEXT = 'text/plain';
 const JSON_MIME = 'application/json';
-const MARKDOWN = 'text/markdown';
+const MARKDOWN = 'text/markdown';
+
+const UNIVERSAL_SECURENOW_SETUP_PROMPT = `You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
+
+Primary goals:
+- Use the latest published SecureNow npm package. Require securenow@7.5.1 or newer.
+- By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
+- If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
+- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
+
+Safety rules:
+- Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
+- Do not commit secrets. Ensure .securenow/ is in .gitignore.
+- Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
+- If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
+- Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
+- Preserve existing middleware, proxy, instrumentation, Docker, PM2, and start scripts.
+
+Runbook:
+1. Identify the project root, package manager, framework, start/build/test scripts, process manager files, Docker files, and existing middleware/proxy/instrumentation.
+2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
+   node -p "require('./node_modules/securenow/package.json').version"
+   npx securenow version
+   Stop and fix the install if either is below 7.5.1 or npx still resolves an older local package.
+3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, docs/MCP-GUIDE.md if present, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
+4. Mandatory auth gate:
+   - Run npx securenow whoami from the project root.
+   - If not logged in, run npx securenow login from the project root and wait for the browser flow.
+   - After the CLI exits, rerun npx securenow whoami.
+   - Do not proceed to app edits or verification until whoami succeeds.
+5. Validate project-local credentials without exposing secrets:
+   - Confirm .securenow/credentials.json exists.
+   - Confirm it has SecureNow's default config/explanations block.
+   - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
+   - Confirm .securenow/ is ignored by git.
+6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
+7. Configure the least invasive framework-specific integration:
+   - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.
+   - Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
+   - Express/Fastify/NestJS/Koa/Hapi/Hono/raw Node: preload securenow/register through existing scripts, NODE_OPTIONS, PM2 node_args, Docker CMD, or the process manager already used.
+   - Firewall-only: preload securenow/firewall-only or use the documented securenow run --firewall-only command. Do not add OTel/tracing/logging in this mode.
+   - Vite/browser-only: use only documented browser integration and state that server firewall protection requires a server runtime.
+8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/credentials.json:
+   - config.logging.enabled: true
+   - config.capture.body: true
+   - config.capture.multipart: true
+   - config.firewall.enabled: true
+   - config.firewall.failMode: "open"
+   - config.capture.maxBodySize: 10240
+   For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
+   Local credentials should use config.runtime.deploymentEnvironment="local". Production runtime credentials should use "production". The app key stays the same; traces, logs, firewall status, forensics, and CLI/MCP queries are scoped by environment.
+9. Verify firewall and threshold:
+   - Run npx securenow firewall apps and npx securenow firewall status.
+   - Confirm the selected app is present, firewallEnabled is true, and the SecureNow IPDB confidence threshold is visible.
+   - If firewallEnabled is false, run the documented per-app enable command, for example npx securenow firewall enable --app <appKey>, then verify again.
+10. End-to-end proof:
+   - Run npx securenow doctor.
+   - Run npx securenow env and confirm loggingEnabled, captureBody, captureMultipart, and firewallEnabled resolve to true or 1 from credentials/defaults, unless I explicitly requested firewall-only.
+   - If available and not in firewall-only mode, send telemetry:
+     npx securenow test-span securenow.onboarding
+     npx securenow log send "SecureNow onboarding test" --level info
+   - Run the repo build/test command if available.
+   - For MCP-capable clients, optionally smoke-test npx securenow mcp with the securenow_auth_status tool.
+
+Final response:
+- List every changed file.
+- Summarize installed SecureNow version and linked app name/key, masking secrets.
+- Show verification commands and pass/fail result.
+- Mention skipped checks and why.
+- Provide exact command(s) to start the protected app.`;
+
 
 function string(description) {
   return { type: 'string', description };
@@ -83,6 +153,10 @@ const timeRangeInput = {
   to: string('End time as ISO 8601, optional.'),
 };
 
+const environmentInput = {
+  environment: string('Deployment environment scope: production, staging, preview, local, test, or all. Default for investigations is production.'),
+};
+
 const TOOLS = [
   {
     name: 'securenow_auth_status',
@@ -151,7 +225,8 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/firewall/status',
-    inputSchema: objectSchema({}),
+    queryFields: ['environment'],
+    inputSchema: objectSchema({ ...environmentInput }),
   },
   {
     name: 'securenow_firewall_enable',
@@ -163,9 +238,11 @@ const TOOLS = [
     method: 'PATCH',
     endpoint: '/firewall/app/:appKey',
     pathParams: ['appKey'],
+    bodyFields: ['environment'],
     fixedBody: { enabled: true },
     inputSchema: objectSchema({
       appKey: string('Application key UUID.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['appKey', 'confirm', 'reason']),
   },
@@ -180,9 +257,11 @@ const TOOLS = [
     method: 'PATCH',
     endpoint: '/firewall/app/:appKey',
     pathParams: ['appKey'],
+    bodyFields: ['environment'],
     fixedBody: { enabled: false },
     inputSchema: objectSchema({
       appKey: string('Application key UUID.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['appKey', 'confirm', 'reason']),
   },
@@ -196,10 +275,11 @@ const TOOLS = [
     method: 'PATCH',
     endpoint: '/firewall/app/:appKey',
     pathParams: ['appKey'],
-    bodyFields: ['confidenceMinimum'],
+    bodyFields: ['confidenceMinimum', 'environment'],
     inputSchema: objectSchema({
       appKey: string('Application key UUID.'),
       confidenceMinimum: number('Minimum SecureNow IPDB abuse confidence score.', { minimum: 0, maximum: 100 }),
+      ...environmentInput,
       ...confirmSchema,
     }, ['appKey', 'confidenceMinimum', 'confirm', 'reason']),
   },
@@ -212,8 +292,10 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/firewall/check/:ip',
     pathParams: ['ip'],
+    queryFields: ['environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address to test.'),
+      ...environmentInput,
     }, ['ip']),
   },
   {
@@ -224,10 +306,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/traces',
-    queryFields: ['appKeys', 'from', 'to', 'limit'],
+    queryFields: ['appKeys', 'environment', 'from', 'to', 'limit'],
     normalize: { appKeys: normalizeAppKeys },
     inputSchema: objectSchema({
       ...appKeysInput,
+      ...environmentInput,
       ...timeRangeInput,
       limit: number('Maximum traces to return.', { minimum: 1, maximum: 200 }),
     }, ['appKeys']),
@@ -241,11 +324,12 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/traces/:traceId',
     pathParams: ['traceId'],
-    queryFields: ['appKeys'],
+    queryFields: ['appKeys', 'environment'],
     normalize: { appKeys: normalizeAppKeys },
     inputSchema: objectSchema({
       traceId: string('Trace id.'),
       ...appKeysInput,
+      ...environmentInput,
     }, ['traceId', 'appKeys']),
   },
   {
@@ -256,10 +340,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/logs',
-    queryFields: ['appKeys', 'from', 'to', 'severity', 'limit'],
+    queryFields: ['appKeys', 'environment', 'from', 'to', 'severity', 'limit'],
     normalize: { appKeys: normalizeAppKeys },
     inputSchema: objectSchema({
       ...appKeysInput,
+      ...environmentInput,
       ...timeRangeInput,
       severity: string('Optional severity filter.'),
       limit: number('Maximum logs to return.', { minimum: 1, maximum: 500 }),
@@ -274,11 +359,12 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/logs/trace/:traceId',
     pathParams: ['traceId'],
-    queryFields: ['appKeys'],
+    queryFields: ['appKeys', 'environment'],
     normalize: { appKeys: normalizeAppKeys },
     inputSchema: objectSchema({
       traceId: string('Trace id.'),
       ...appKeysInput,
+      ...environmentInput,
     }, ['traceId', 'appKeys']),
   },
   {
@@ -339,8 +425,12 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/ip/:ip/traces',
     pathParams: ['ip'],
+    queryFields: ['appKeys', 'environment'],
+    normalize: { appKeys: normalizeAppKeys },
     inputSchema: objectSchema({
       ip: string('IPv4 address.'),
+      ...appKeysInput,
+      ...environmentInput,
     }, ['ip']),
   },
   {
@@ -352,11 +442,12 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/forensics/query',
-    bodyFields: ['query', 'applicationId', 'instanceId'],
+    bodyFields: ['query', 'applicationId', 'instanceId', 'environment'],
     inputSchema: objectSchema({
       query: string('Natural-language forensic query.'),
       applicationId: string('Optional application database id.'),
       instanceId: string('Optional ClickHouse instance id.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['query', 'confirm', 'reason']),
   },
@@ -596,6 +687,7 @@ const PROMPTS = [
     arguments: [
       { name: 'ip', description: 'IP address to investigate.', required: true },
       { name: 'appKeys', description: 'Optional comma-separated app keys.', required: false },
+      { name: 'environment', description: 'Environment to investigate. Defaults to production; use all only when explicitly needed.', required: false },
     ],
   },
 ];
@@ -608,15 +700,9 @@ function promptMessages(name, args = {}) {
         content: {
           type: 'text',
           text: [
-            'Set up SecureNow end-to-end for this JavaScript/TypeScript project.',
             args.projectRoot ? `Project root: ${args.projectRoot}` : null,
-            'Install or upgrade to securenow@7.5.0 or newer first.',
-            'Run npx securenow whoami. If not logged in, run npx securenow login and stop until the browser flow completes.',
-            'After login, verify whoami succeeds and that .securenow/credentials.json contains the selected app and firewall API key.',
-            'Use the least invasive integration for the detected framework.',
-            'Keep tracing, logs, POST body capture, multipart metadata capture, and the per-app firewall enabled by default.',
-            'Verify with build/test plus npx securenow firewall apps/status and npx securenow env/doctor when available.',
-          ].filter(Boolean).join('\n'),
+            UNIVERSAL_SECURENOW_SETUP_PROMPT,
+          ].filter(Boolean).join('\n\n'),
         },
       },
     ];
@@ -632,7 +718,7 @@ function promptMessages(name, args = {}) {
             'Verify SecureNow default-on protection for this project.',
             args.appKey ? `App key: ${args.appKey}` : null,
             'Check npx securenow whoami, npx securenow api-key show, npx securenow firewall apps, and npx securenow firewall status.',
-            'Confirm traces, logs, SECURENOW_CAPTURE_BODY, SECURENOW_CAPTURE_MULTIPART, and firewall are enabled by default unless explicitly set to 0.',
+            'Confirm traces, logs, capture.body, capture.multipart, and firewall.enabled are enabled by .securenow/credentials.json defaults unless explicitly set false.',
             'Do not print full tokens or API keys.',
           ].filter(Boolean).join('\n'),
         },
@@ -649,6 +735,7 @@ function promptMessages(name, args = {}) {
           text: [
             `Investigate IP ${args.ip || '<ip>'} with SecureNow.`,
             args.appKeys ? `Scope to app keys: ${args.appKeys}` : null,
+            `Environment scope: ${args.environment || 'production'}.`,
             'Use IP intelligence first, then related traces/logs, then recommend remediation.',
             'Only block, allow, or trust the IP after explicit user confirmation.',
           ].filter(Boolean).join('\n'),

package/nextjs-auto-capture.d.ts

@@ -15,10 +15,13 @@
  * }
  * ```
  * 
- * Environment Variables:
- * - SECURENOW_CAPTURE_BODY=0 - Disable body capture (default: enabled)
- * - SECURENOW_MAX_BODY_SIZE=10240 - Max body size in bytes (default: 10KB)
- * - SECURENOW_SENSITIVE_FIELDS=field1,field2 - Additional sensitive fields to redact
+ * Configuration:
+ * - config.capture.body=false - Disable body capture (default: enabled)
+ * - config.capture.maxBodySize=10240 - Max body size in bytes (default: 10KB)
+ * - config.capture.sensitiveFields=["field"] - Additional sensitive fields to redact
+ *
+ * The SDK reads these from .securenow/credentials.json in local development
+ * and production. Legacy env vars are fallback-only for existing installs.
  * 
  * Features:
  * - Zero code changes required in API routes

package/nextjs-auto-capture.js

@@ -17,6 +17,8 @@
  */
 
 const { trace } = require('@opentelemetry/api');
+const appConfig = require('./app-config');
+const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -54,8 +56,8 @@ async function safeBodyCapture(request, span) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -125,8 +127,8 @@ async function safeBodyCapture(request, span) {
  * Check if body capture is enabled
  */
 function isBodyCaptureEnabled() {
-  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 to disable.
-  return !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
+  // Opt-out default: set config.capture.body=false to disable.
+  return !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
 }
 
 /**
@@ -183,7 +185,7 @@ if (isBodyCaptureEnabled()) {
     console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
   }
 } else {
-  console.log('[securenow] 📝 Automatic body capture: DISABLED (SECURENOW_CAPTURE_BODY=0)');
+  console.log('[securenow] Automatic body capture: DISABLED (config.capture.body=false)');
 }
 
 module.exports = {
@@ -194,5 +196,3 @@ module.exports = {
 };
 
 
-
-

package/nextjs-middleware.js

@@ -16,6 +16,8 @@
  */
 
 const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
+const appConfig = require('./app-config');
+const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -99,8 +101,8 @@ async function middleware(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only capture supported types
@@ -183,4 +185,3 @@ module.exports = {
 
 
 
-

package/nextjs-wrapper.js

@@ -16,6 +16,8 @@
  */
 
 const { trace } = require('@opentelemetry/api');
+const appConfig = require('./app-config');
+const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -49,8 +51,8 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
  * Capture body from Request object (clone to avoid consuming)
  */
 async function captureRequestBody(request) {
-  // Opt-out default: set SECURENOW_CAPTURE_BODY=0 to disable.
-  const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
+  // Opt-out default: set config.capture.body=false to disable.
+  const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
   
   if (!captureBody) return;
   if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
@@ -60,8 +62,8 @@ async function captureRequestBody(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -154,5 +156,3 @@ module.exports = {
 };
 
 
-
-

package/nextjs.d.ts

@@ -3,17 +3,23 @@
  */
 
 export interface RegisterOptions {
-  /**
-   * Service name for OpenTelemetry traces
-   * @default process.env.SECURENOW_APPID || process.env.OTEL_SERVICE_NAME
-   */
-  serviceName?: string;
-
-  /**
-   * OTLP endpoint for traces
-   * @default process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318'
-   */
-  endpoint?: string;
+  /**
+   * Service name for OpenTelemetry traces
+   * @default .securenow/credentials.json app.key/app.name
+   */
+  serviceName?: string;
+
+  /**
+   * OTLP endpoint for traces
+   * @default .securenow/credentials.json app.instance, or https://freetrial.securenow.ai:4318
+   */
+  endpoint?: string;
+
+  /**
+   * Deployment environment sent as OpenTelemetry deployment.environment.
+   * @default .securenow/credentials.json config.runtime.deploymentEnvironment
+   */
+  environment?: string;
 
   /**
    * Don't append UUID to service name
@@ -21,12 +27,12 @@ export interface RegisterOptions {
    */
   noUuid?: boolean;
 
-  /**
-   * Enable request body capture (Next.js middleware required)
-   * @default false
-   */
-  captureBody?: boolean;
-}
+   /**
+   * Enable request body capture
+   * @default true from .securenow/credentials.json secure defaults
+   */
+  captureBody?: boolean;
+}
 
 /**
  * Register SecureNow OpenTelemetry instrumentation for Next.js
@@ -34,14 +40,19 @@ export interface RegisterOptions {
  * @param options - Optional configuration options
  * 
  * @example
- * ```typescript
- * // instrumentation.ts
- * import { registerSecureNow } from 'securenow/nextjs';
- * 
- * export function register() {
- *   registerSecureNow();
- * }
- * ```
+ * ```typescript
+ * // instrumentation.ts
+ * import { createRequire } from 'node:module';
+ * 
+ * const require = createRequire(import.meta.url);
+ *
+ * export async function register() {
+ *   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+ *   const { registerSecureNow } = require('securenow/nextjs');
+ *   registerSecureNow({ captureBody: true });
+ *   require('securenow/nextjs-auto-capture');
+ * }
+ * ```
  * 
  * @example
  * ```typescript