securenow 7.5.0 → 7.6.0

package/README.md

@@ -41,15 +41,22 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 {
   "token": "...",
   "email": "you@example.com",
+  "apiKey": "snk_live_...",
   "app": {
     "key": "<uuid>",
     "name": "my-backend",
     "instance": "https://freetrial.securenow.ai:4318"
+  },
+  "config": {
+    "runtime": { "deploymentEnvironment": "local" },
+    "logging": { "enabled": true },
+    "capture": { "body": true, "multipart": true, "maxBodySize": 10240 },
+    "firewall": { "enabled": true, "failMode": "open" }
   }
 }
 ```
 
-The SDK reads this file at boot and sends traces/logs directly to the right app bucket. The file is auto-added to `.gitignore` so it never lands in git.
+The SDK reads this file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. The file is auto-added to `.gitignore` so it never lands in git.
 
 ---
 
@@ -77,16 +84,31 @@ npx securenow init
 
 Creates `instrumentation.ts` and shows you how to wrap `next.config.js`:
 
+```typescript
+// instrumentation.ts
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+  const { registerSecureNow } = require('securenow/nextjs');
+  registerSecureNow({ captureBody: true });
+  require('securenow/nextjs-auto-capture');
+}
+```
+
+For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` when it can safely edit the file:
+
 ```javascript
-// next.config.js
-const { withSecureNow } = require('securenow/nextjs-webpack-config');
+const nextConfig = {
+  serverExternalPackages: ['securenow'],
+};
 
-module.exports = withSecureNow({
-  // your existing config
-});
+export default nextConfig;
 ```
 
-`withSecureNow()` auto-detects Next.js 14 vs 15 vs 16. See [Next.js Complete Guide](./docs/NEXTJS-GUIDE.md).
+If a custom config or existing instrumentation file needs human judgment, `init` prints a Codex/Claude-ready prompt with the exact edits to merge. See [Next.js Complete Guide](./docs/NEXTJS-GUIDE.md).
 
 ### Nuxt 3
 
@@ -110,26 +132,33 @@ See [Nuxt 3 Guide](./docs/NUXT-GUIDE.md).
 - ✅ Multipart upload metadata (field names, file names, sizes, content-types — never file content)
 - ✅ Firewall (500k+ known-bad IPs, refreshed hourly) — activates as soon as you've logged in
 
-All of these are **on by default**. Each can be disabled individually with an env var if needed (e.g. `SECURENOW_CAPTURE_BODY=0`).
+All of these are **on by default**. Tune them in `.securenow/credentials.json` under the `config` block.
 
 ---
 
-## Overriding via environment variables (CI, Docker, prod)
+## Production Without Env Vars
 
-`.securenow/credentials.json` is the zero-config path for local dev. For CI, containers, or prod servers where you can't run `npx securenow login`, set env vars — they always take precedence:
+Production uses the same file structure. Do not commit `.securenow/`; instead deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
+
+```text
+<app-root>/.securenow/credentials.json
+```
+
+Create that runtime file from a logged-in project:
 
 ```bash
-SECURENOW_APPID=<app-key-uuid>              # routing key (from dashboard or `npx securenow apps`)
-SECURENOW_INSTANCE=https://your-collector   # defaults to freetrial
-SECURENOW_API_KEY=<same uuid>               # enables the firewall
+npx securenow credentials runtime --env production
 ```
 
-Resolution order (first non-empty wins):
+It writes `.securenow/credentials.production.json`, with the same `app`, `apiKey`, `config`, and `_securenow.explanations` shape, but without the CLI OAuth `token`, `email`, or `expiresAt`. Store that JSON in your deployment secret manager and materialize it as `.securenow/credentials.json` at runtime.
+
+Resolution order:
 
-1. Environment variable
-2. Project-local `.securenow/credentials.json`
-3. Global `~/.securenow/credentials.json`
-4. `package.json#name` (label only — won't route telemetry)
+1. Project-local `.securenow/credentials.json`
+2. Global `~/.securenow/credentials.json`
+3. `package.json#name` (label only)
+
+Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
 
 ---
 
@@ -140,7 +169,8 @@ Resolution order (first non-empty wins):
 npx securenow login                 # browser auth + app picker + firewall enabled by default
 npx securenow login --global        # save to ~/.securenow/ instead
 npx securenow login --token <TOKEN> # headless (CI)
-npx securenow init                  # scaffold Next.js instrumentation files
+npx securenow init --env local      # scaffold framework files + local env scope
+npx securenow credentials runtime --env production # write tokenless production credentials file
 npx securenow api-key set snk_live_... # store firewall key in .securenow/credentials.json
 
 # Apps
@@ -155,7 +185,7 @@ npx securenow status                # dashboard summary
 npx securenow doctor                # diagnose config + connectivity
 
 # Security
-npx securenow firewall status
+npx securenow firewall status --env production
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
 npx securenow fp ai-fill --description "Stripe webhook POST /api/stripe/webhook"
 
@@ -183,15 +213,31 @@ The MCP server reuses the same project-local `.securenow/credentials.json` as th
 
 ---
 
-## Environment variables (optional)
+## Credentials Config
+
+Use `.securenow/credentials.json` fields for new local, CI, Docker, and production setups. The credentials file is the product path.
 
-Only set these if you want to override the zero-config defaults.
+| Field | Default | Purpose |
+|---|---|---|
+| `app.key` | selected during login | App routing UUID, sent as OTel `service.name` |
+| `app.instance` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
+| `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
+| `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
+| `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
+| `config.capture.body` | `true` | Capture JSON / form request bodies with redaction |
+| `config.capture.multipart` | `true` | Capture multipart metadata, never file content |
+| `config.capture.maxBodySize` | `10240` | Max bytes captured per body |
+| `config.capture.sensitiveFields` | `[]` | Extra field-name fragments to redact |
+| `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
+| `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
+
+Legacy env fallback aliases:
 
 | Variable | Default | Purpose |
 |---|---|---|
 | `SECURENOW_APPID` | from credentials file | App routing key (UUID) — sent as OTel `service.name` |
 | `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
-| `SECURENOW_API_KEY` | from credentials file | Enables firewall + collector routing |
+| `SECURENOW_API_KEY` | from credentials file | Scoped firewall API key (`snk_live_...`) |
 | `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
 | `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
 | `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
@@ -364,13 +410,14 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 
 | File | Purpose |
 |---|---|
-| `./.securenow/credentials.json` | Project-local token + app (default) |
+| `./.securenow/credentials.json` | Project-local or production runtime credentials |
+| `./.securenow/credentials.production.json` | Tokenless production file generated by `securenow credentials runtime --env production` |
 | `~/.securenow/credentials.json` | Global (with `login --global`) |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Resolution order: `SECURENOW_TOKEN` env → project `.securenow/` → global `~/.securenow/`.
+Resolution order: project `.securenow/` -> global `~/.securenow/` -> package name fallback. Legacy env vars are fallback-only for older installs.
 
-Override the API with `securenow config set apiUrl <url>` or `SECURENOW_API_URL`.
+Override the dashboard API with `securenow config set apiUrl <url>`.
 
 ---