securenow 7.5.0 → 7.6.0

package/cli/config.js

@@ -3,6 +3,7 @@
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const appConfig = require('../app-config');
 
 const CONFIG_DIR = path.join(os.homedir(), '.securenow');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
@@ -44,6 +45,10 @@ function saveJSON(filepath, data) {
   }
 }
 
+function credentialsFileForLocal(local) {
+  return local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+}
+
 function hasLocalCredentials() {
   return fs.existsSync(LOCAL_CREDENTIALS_FILE);
 }
@@ -86,12 +91,21 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  return loadJSON(resolveCredentialsFile());
+  const global = loadJSON(CREDENTIALS_FILE);
+  const local = fs.existsSync(LOCAL_CREDENTIALS_FILE) ? loadJSON(LOCAL_CREDENTIALS_FILE) : null;
+  return appConfig.withCredentialDefaults(appConfig.mergeCredentials(global, local)) || {};
 }
 
 function saveCredentials(creds, { local = false } = {}) {
-  const targetFile = local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
-  saveJSON(targetFile, creds);
+  const targetFile = credentialsFileForLocal(local);
+  saveJSON(targetFile, appConfig.withCredentialDefaults(creds) || {});
+}
+
+function ensureCredentialDefaults({ local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = credentialsFileForLocal(useLocal);
+  const existing = loadJSON(targetFile);
+  saveJSON(targetFile, appConfig.withCredentialDefaults(existing || {}) || {});
 }
 
 function clearCredentials({ local } = {}) {
@@ -119,7 +133,8 @@ function getToken() {
 }
 
 function setAuth(token, email, expiresAt, { local = false, app = null } = {}) {
-  const payload = { token, email, expiresAt };
+  const targetFile = credentialsFileForLocal(local);
+  const payload = { ...loadJSON(targetFile), token, email, expiresAt };
   if (app && (app.key || app.name || app.instance)) {
     payload.app = {
       key: app.key || null,
@@ -137,18 +152,18 @@ function getApp() {
 
 function setApiKey(apiKey, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const targetFile = credentialsFileForLocal(useLocal);
   const existing = loadJSON(targetFile);
-  saveJSON(targetFile, { ...existing, apiKey });
+  saveJSON(targetFile, appConfig.withCredentialDefaults({ ...existing, apiKey }) || { apiKey });
 }
 
 function clearApiKey({ local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const targetFile = credentialsFileForLocal(useLocal);
   const existing = loadJSON(targetFile);
   if (!existing || !existing.apiKey) return;
   delete existing.apiKey;
-  saveJSON(targetFile, existing);
+  saveJSON(targetFile, appConfig.withCredentialDefaults(existing) || existing);
 }
 
 function getApiKey() {
@@ -158,16 +173,16 @@ function getApiKey() {
 
 function setApp(app, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = useLocal ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
+  const targetFile = credentialsFileForLocal(useLocal);
   const existing = loadJSON(targetFile);
-  saveJSON(targetFile, {
+  saveJSON(targetFile, appConfig.withCredentialDefaults({
     ...existing,
     app: {
       key: app.key || null,
       name: app.name || null,
       instance: app.instance || null,
     },
-  });
+  }) || {});
 }
 
 function ensureLocalGitignore() {
@@ -186,7 +201,10 @@ function ensureLocalGitignore() {
 }
 
 function getApiUrl() {
-  return process.env.SECURENOW_API_URL || loadConfig().apiUrl;
+  if (process.env.SECURENOW_API_URL) return process.env.SECURENOW_API_URL;
+  const cfg = loadConfig();
+  if (cfg.apiUrl && cfg.apiUrl !== DEFAULTS.apiUrl) return cfg.apiUrl;
+  return appConfig.env('SECURENOW_API_URL') || cfg.apiUrl;
 }
 
 function getAppUrl() {
@@ -219,6 +237,7 @@ module.exports = {
   getApiKey,
   getAuthSource,
   hasLocalCredentials,
+  ensureCredentialDefaults,
   ensureLocalGitignore,
   getApiUrl,
   getAppUrl,

package/cli/credentials.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const config = require('./config');
+const ui = require('./ui');
+const appConfig = require('../app-config');
+
+function maskSecret(value) {
+  if (!value) return '';
+  const text = String(value);
+  if (text.length <= 12) return '***';
+  return `${text.slice(0, 8)}...${text.slice(-4)}`;
+}
+
+function buildRuntimeCredentials(options = {}) {
+  const creds = config.loadCredentials() || {};
+  const deploymentEnvironment =
+    options.environment ||
+    options.env ||
+    appConfig.resolveDeploymentEnvironment() ||
+    'production';
+  const runtime = appConfig.withCredentialDefaults({
+    apiKey: creds.apiKey || null,
+    app: {
+      key: creds.app?.key || null,
+      name: creds.app?.name || null,
+      instance: creds.app?.instance || appConfig.FREE_TRIAL_INSTANCE,
+    },
+    config: {
+      ...(creds.config || {}),
+      runtime: {
+        ...(creds.config?.runtime || {}),
+        deploymentEnvironment,
+      },
+    },
+    _securenow: {
+      ...(creds._securenow || {}),
+      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json in production. Do not commit it.',
+      runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
+      production: 'Production can use this same file shape instead of environment variables.',
+    },
+  });
+
+  delete runtime.token;
+  delete runtime.email;
+  delete runtime.expiresAt;
+  return runtime;
+}
+
+function writeFileSafe(filepath, data) {
+  fs.mkdirSync(path.dirname(filepath), { recursive: true, mode: 0o700 });
+  fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
+}
+
+async function runtime(_args, flags) {
+  const creds = buildRuntimeCredentials(flags);
+  const envName = creds.config?.runtime?.deploymentEnvironment || 'production';
+  const defaultOutput = envName === 'production'
+    ? path.join('.securenow', 'credentials.production.json')
+    : path.join('.securenow', `credentials.${envName}.json`);
+  const output = flags.out || flags.output || defaultOutput;
+  const warn = flags.stdout ? (msg) => console.error(`! ${msg}`) : ui.warn;
+
+  if (!creds.app || !creds.app.key) {
+    warn('No app key found. Run `npx securenow login` first so telemetry routes to the selected app.');
+  }
+  if (!creds.apiKey) {
+    warn('No firewall API key found. Run `npx securenow login` or `npx securenow api-key set snk_live_...` first.');
+  }
+
+  if (flags.stdout) {
+    console.log(JSON.stringify(creds, null, 2));
+    return;
+  }
+
+  writeFileSafe(path.resolve(process.cwd(), output), creds);
+  config.ensureLocalGitignore();
+
+  ui.success(`Wrote runtime credentials to ${output}`);
+  ui.info('Deploy this JSON as .securenow/credentials.json on the server/container.');
+  ui.info(`Environment: ${envName}`);
+  ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
+  ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);
+  ui.info('OAuth token/email were not included.');
+}
+
+module.exports = { runtime, buildRuntimeCredentials };

package/cli/diagnostics.js

@@ -4,76 +4,61 @@ const crypto = require('crypto');
 const url = require('url');
 const ui = require('./ui');
 const config = require('./config');
+const appConfig = require('../app-config');
 
-// ── Config resolution (mirrors tracing.js priority order) ──
-
-function resolvedConfig() {
-  // Mirror the SDK's resolution: env → credentials file → package.json#name.
-  // Doing it here means `securenow doctor` reports what the SDK will actually
-  // send — critical for diagnosing "my traces don't show up" (the common
-  // cause is a service.name mismatch with the dashboard's exact-match filter).
-  const appConfig = require('../app-config');
+function resolvedConfig(options = {}) {
   const resolvedApp = appConfig.resolveAll();
+  const endpoints = appConfig.resolveEndpoints();
+  const firewall = appConfig.resolveFirewallOptions();
   const noUuid = appConfig.resolveNoUuid();
+  const deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
+    options.environment || options.env || resolvedApp.deploymentEnvironment
+  );
 
-  const baseName = (process.env.OTEL_SERVICE_NAME || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '') || null;
+  const baseName = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '') || null;
   const serviceName = baseName
     ? (noUuid ? baseName : `${baseName}-<uuid-per-worker>`)
     : '(auto-generated)';
-  const instance =
-    resolvedApp.instance || 'https://freetrial.securenow.ai:4318';
-  const tracesEndpoint =
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT ||
-    (process.env.OTEL_EXPORTER_OTLP_ENDPOINT
-      ? `${process.env.OTEL_EXPORTER_OTLP_ENDPOINT.replace(/\/$/, '')}/v1/traces`
-      : `${instance.replace(/\/$/, '')}/v1/traces`);
-  const logsEndpoint =
-    process.env.OTEL_EXPORTER_OTLP_LOGS_ENDPOINT ||
-    (process.env.OTEL_EXPORTER_OTLP_ENDPOINT
-      ? `${process.env.OTEL_EXPORTER_OTLP_ENDPOINT.replace(/\/$/, '')}/v1/logs`
-      : `${instance.replace(/\/$/, '')}/v1/logs`);
-  const headers = process.env.OTEL_EXPORTER_OTLP_HEADERS || '';
-  // Resolve firewall API key the same way the SDK does: env, then
-  // .securenow/credentials.json (project-local, then global).
-  const apiKey = require('../app-config').resolveApiKey() || '';
-  const apiUrl = config.getApiUrl();
-  const loggingEnabled = !/^(0|false)$/i.test(String(process.env.SECURENOW_LOGGING_ENABLED ?? ''));
-  const captureBody = !/^(0|false)$/i.test(String(process.env.SECURENOW_CAPTURE_BODY ?? ''));
-  const firewallEnabled =
-    !!apiKey && process.env.SECURENOW_FIREWALL_ENABLED !== '0';
+  const apiKey = firewall.apiKey || '';
+  const firewallEnabled = !!apiKey && firewall.enabled;
 
   return {
     serviceName,
-    instance,
-    tracesEndpoint,
-    logsEndpoint,
-    headers,
+    appKey: resolvedApp.appKey || null,
+    deploymentEnvironment,
+    instance: endpoints.endpointBase,
+    tracesEndpoint: endpoints.tracesUrl,
+    logsEndpoint: endpoints.logsUrl,
+    headers: endpoints.headers,
     apiKey,
-    apiUrl,
-    loggingEnabled,
-    captureBody,
+    apiUrl: config.getApiUrl(),
+    loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
+    captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
+    captureMultipart: appConfig.boolEnv('SECURENOW_CAPTURE_MULTIPART', true),
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
-      tcp: firewallEnabled && process.env.SECURENOW_FIREWALL_TCP === '1',
-      iptables: firewallEnabled && process.env.SECURENOW_FIREWALL_IPTABLES === '1',
-      cloud: firewallEnabled ? process.env.SECURENOW_FIREWALL_CLOUD || null : null,
+      tcp: firewallEnabled && firewall.tcp,
+      iptables: firewallEnabled && firewall.iptables,
+      cloud: firewallEnabled ? firewall.cloud : null,
     },
   };
 }
 
-function parseHeaders(str) {
-  const out = {};
-  if (!str) return out;
-  for (const pair of str.split(',')) {
-    const [k, ...rest] = pair.split('=');
-    if (!k) continue;
-    out[k.trim()] = rest.join('=').trim();
-  }
-  return out;
+function maskSecret(value) {
+  if (!value) return '';
+  const text = String(value);
+  if (text.length <= 12) return '***';
+  return `${text.slice(0, 12)}...${text.slice(-4)}`;
 }
 
-// ── HTTP helpers ──
+function redactConfig(cfg) {
+  return {
+    ...cfg,
+    headers: cfg.headers && Object.keys(cfg.headers).length ? '***' : '',
+    apiKey: cfg.apiKey ? maskSecret(cfg.apiKey) : '',
+  };
+}
 
 function httpRequest({ method = 'POST', endpoint, headers = {}, body, timeoutMs = 5000 }) {
   return new Promise((resolve, reject) => {
@@ -104,8 +89,6 @@ function httpRequest({ method = 'POST', endpoint, headers = {}, body, timeoutMs
   });
 }
 
-// ── OTLP/HTTP JSON payloads ──
-
 function attr(key, value) {
   if (typeof value === 'number') {
     if (Number.isInteger(value)) return { key, value: { intValue: String(value) } };
@@ -118,7 +101,7 @@ function attr(key, value) {
 function resourceAttrs(cfg, extra = {}) {
   const base = {
     'service.name': cfg.serviceName,
-    'deployment.environment': process.env.NODE_ENV || 'development',
+    'deployment.environment': cfg.deploymentEnvironment || appConfig.resolveDeploymentEnvironment(),
     'telemetry.sdk.name': 'securenow-cli',
     'telemetry.sdk.language': 'nodejs',
     ...extra,
@@ -184,18 +167,19 @@ function buildLogPayload(cfg, { message, level = 'info', attributes = {} }) {
   };
 }
 
-// ── Commands ──
-
 async function testSpan(args, flags) {
-  const cfg = resolvedConfig();
+  const cfg = resolvedConfig(flags);
   const spanName = args[0] || 'securenow.cli.test-span';
   const headers = {
     'Content-Type': 'application/json',
-    ...parseHeaders(cfg.headers),
+    ...cfg.headers,
   };
   const payload = buildTracePayload(cfg, {
     name: spanName,
-    attributes: { 'test.source': 'securenow-cli' },
+    attributes: {
+      'test.source': 'securenow-cli',
+      'securenow.environment': cfg.deploymentEnvironment,
+    },
   });
 
   const spin = ui.spinner(`Sending test span to ${cfg.tracesEndpoint}`);
@@ -207,7 +191,7 @@ async function testSpan(args, flags) {
     });
     if (res.status >= 200 && res.status < 300) {
       spin.stop(`Span accepted (HTTP ${res.status})`);
-      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.tracesEndpoint });
+      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.tracesEndpoint, environment: cfg.deploymentEnvironment });
       return;
     }
     spin.fail(`Collector returned HTTP ${res.status}`);
@@ -229,9 +213,9 @@ async function logSend(args, flags) {
     process.exit(1);
   }
 
-  const cfg = resolvedConfig();
+  const cfg = resolvedConfig(flags);
   if (!cfg.loggingEnabled) {
-    ui.warn('Logging is disabled (SECURENOW_LOGGING_ENABLED=0). Sending anyway.');
+    ui.warn('Logging is disabled in SecureNow credentials/config. Sending anyway.');
   }
 
   const level = (flags.level || 'info').toString();
@@ -245,9 +229,16 @@ async function logSend(args, flags) {
 
   const headers = {
     'Content-Type': 'application/json',
-    ...parseHeaders(cfg.headers),
+    ...cfg.headers,
   };
-  const payload = buildLogPayload(cfg, { message, level, attributes });
+  const payload = buildLogPayload(cfg, {
+    message,
+    level,
+    attributes: {
+      ...attributes,
+      'securenow.environment': cfg.deploymentEnvironment,
+    },
+  });
 
   const spin = ui.spinner(`Sending log to ${cfg.logsEndpoint}`);
   try {
@@ -258,7 +249,7 @@ async function logSend(args, flags) {
     });
     if (res.status >= 200 && res.status < 300) {
       spin.stop(`Log accepted (HTTP ${res.status})`);
-      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.logsEndpoint });
+      if (flags.json) ui.json({ ok: true, status: res.status, endpoint: cfg.logsEndpoint, environment: cfg.deploymentEnvironment });
       return;
     }
     spin.fail(`Collector returned HTTP ${res.status}`);
@@ -272,12 +263,8 @@ async function logSend(args, flags) {
   }
 }
 
-// ── doctor / env ──
-
 async function probe(endpoint, timeoutMs = 3000) {
   try {
-    // A HEAD or empty POST is safer than sending real OTLP. Most collectors
-    // return 400/405 for a malformed request — that still proves reachability.
     const res = await httpRequest({
       method: 'POST',
       endpoint,
@@ -293,43 +280,43 @@ async function probe(endpoint, timeoutMs = 3000) {
 
 function env(_args, flags) {
   const cfg = resolvedConfig();
-  const vars = {
-    SECURENOW_APPID: process.env.SECURENOW_APPID || null,
-    OTEL_SERVICE_NAME: process.env.OTEL_SERVICE_NAME || null,
-    SECURENOW_INSTANCE: process.env.SECURENOW_INSTANCE || null,
-    OTEL_EXPORTER_OTLP_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_ENDPOINT || null,
-    OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT || null,
-    OTEL_EXPORTER_OTLP_LOGS_ENDPOINT: process.env.OTEL_EXPORTER_OTLP_LOGS_ENDPOINT || null,
-    OTEL_EXPORTER_OTLP_HEADERS: process.env.OTEL_EXPORTER_OTLP_HEADERS ? '***' : null,
-    SECURENOW_API_KEY: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
-    SECURENOW_API_URL: cfg.apiUrl,
-    SECURENOW_LOGGING_ENABLED: cfg.loggingEnabled ? '1' : '0',
-    SECURENOW_CAPTURE_BODY: cfg.captureBody ? '1' : '0',
-    SECURENOW_NO_UUID: process.env.SECURENOW_NO_UUID || `(auto: ${require('../app-config').resolveNoUuid() ? '1' : '0'})`,
-    SECURENOW_FIREWALL_TCP: process.env.SECURENOW_FIREWALL_TCP || '0',
-    SECURENOW_FIREWALL_IPTABLES: process.env.SECURENOW_FIREWALL_IPTABLES || '0',
-    SECURENOW_FIREWALL_CLOUD: process.env.SECURENOW_FIREWALL_CLOUD || null,
-    NODE_ENV: process.env.NODE_ENV || 'development',
+  const resolved = {
+    appKey: cfg.appKey,
+    serviceName: cfg.serviceName,
+    deploymentEnvironment: cfg.deploymentEnvironment,
+    instance: cfg.instance,
+    tracesEndpoint: cfg.tracesEndpoint,
+    logsEndpoint: cfg.logsEndpoint,
+    otlpHeaders: Object.keys(cfg.headers || {}).length ? '***' : null,
+    firewallApiKey: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
+    apiUrl: cfg.apiUrl,
+    loggingEnabled: cfg.loggingEnabled,
+    captureBody: cfg.captureBody,
+    captureMultipart: cfg.captureMultipart,
+    noUuid: appConfig.resolveNoUuid(),
+    firewallLayers: cfg.firewallLayers,
   };
 
   if (flags.json) {
-    ui.json({ resolved: cfg, env: vars });
+    ui.json({ resolved: redactConfig(cfg), config: resolved });
     return;
   }
 
   ui.heading('Resolved configuration');
   ui.keyValue([
     ['Service name', cfg.serviceName],
+    ['Environment', cfg.deploymentEnvironment],
     ['Traces endpoint', cfg.tracesEndpoint],
     ['Logs endpoint', cfg.logsEndpoint],
     ['Logging', cfg.loggingEnabled ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
+    ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Firewall', cfg.firewallEnabled ? ui.c.green('enabled') : ui.c.dim('disabled (no API key)')],
   ]);
 
-  ui.heading('Environment variables');
+  ui.heading('Resolved credentials');
   ui.keyValue(
-    Object.entries(vars).map(([k, v]) => [k, v == null ? ui.c.dim('(not set)') : String(v)])
+    Object.entries(resolved).map(([k, v]) => [k, v == null ? ui.c.dim('(not set)') : typeof v === 'object' ? JSON.stringify(v) : String(v)])
   );
   console.log('');
 }
@@ -338,21 +325,18 @@ async function doctor(_args, flags) {
   const cfg = resolvedConfig();
   const checks = [];
 
-  // Collector traces
   const spin1 = ui.spinner(`Probing traces endpoint ${cfg.tracesEndpoint}`);
   const traces = await probe(cfg.tracesEndpoint);
   if (traces.ok) spin1.stop(`Traces endpoint reachable (HTTP ${traces.status})`);
   else spin1.fail(`Traces endpoint unreachable: ${traces.error}`);
   checks.push({ name: 'traces', ...traces });
 
-  // Collector logs
   const spin2 = ui.spinner(`Probing logs endpoint ${cfg.logsEndpoint}`);
   const logs = await probe(cfg.logsEndpoint);
   if (logs.ok) spin2.stop(`Logs endpoint reachable (HTTP ${logs.status})`);
   else spin2.fail(`Logs endpoint unreachable: ${logs.error}`);
   checks.push({ name: 'logs', ...logs });
 
-  // SecureNow API (only if API key or logged-in token)
   const token = config.getToken();
   if (cfg.apiKey || token) {
     const spin3 = ui.spinner(`Probing SecureNow API ${cfg.apiUrl}`);
@@ -362,22 +346,21 @@ async function doctor(_args, flags) {
     checks.push({ name: 'api', ...api });
   }
 
-  // Config sanity
   const warnings = [];
-  if (!process.env.SECURENOW_APPID && !process.env.OTEL_SERVICE_NAME) {
-    warnings.push('No SECURENOW_APPID or OTEL_SERVICE_NAME set — a UUID-suffixed name will be generated.');
+  if (!cfg.appKey) {
+    warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
   }
   if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
-    warnings.push('Using the free-trial collector — set SECURENOW_INSTANCE for production.');
+    warnings.push('Using the free-trial collector. For production, set app.instance in .securenow/credentials.json.');
   }
-  if (!cfg.apiKey && cfg.firewallEnabled) {
-    warnings.push('Firewall enabled but SECURENOW_API_KEY missing — blocklist will not sync.');
+  if (!cfg.apiKey) {
+    warnings.push('No snk_live firewall API key is resolvable. Run `npx securenow login` or `npx securenow api-key set`.');
   }
 
   const ok = checks.every((c) => c.ok);
 
   if (flags.json) {
-    ui.json({ ok, resolved: cfg, checks, warnings });
+    ui.json({ ok, resolved: redactConfig(cfg), checks, warnings });
     process.exit(ok ? 0 : 1);
   }
 

package/cli/firewall.js

@@ -1,14 +1,19 @@
 'use strict';
 
-const { api, requireAuth } = require('./client');
-const ui = require('./ui');
+const { api, requireAuth } = require('./client');
+const ui = require('./ui');
+
+function resolveEnvironment(flags) {
+  return flags.env || flags.environment || 'production';
+}
 
 async function status(args, flags) {
   requireAuth();
   const s = ui.spinner('Checking firewall status');
 
   try {
-    const data = await api.get('/firewall/status');
+    const environment = resolveEnvironment(flags);
+    const data = await api.get('/firewall/status', { query: { environment } });
 
     s.stop('Firewall status retrieved');
 
@@ -21,7 +26,8 @@ async function status(args, flags) {
     console.log(`  ${ui.c.bold(ui.c.green('Firewall: ENABLED'))}`);
     console.log('');
     ui.keyValue([
-      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
       ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
       ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
@@ -59,7 +65,8 @@ async function testIp(args, flags) {
   const s = ui.spinner(`Testing IP ${ip}`);
 
   try {
-    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`);
+    const environment = resolveEnvironment(flags);
+    const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query: { environment } });
 
     s.stop(`IP ${ip} checked`);
 
@@ -115,10 +122,11 @@ async function setEnabled(args, flags, enabled) {
     process.exit(1);
   }
 
-  const verb = enabled ? 'Enabling' : 'Disabling';
-  const s = ui.spinner(`${verb} firewall for ${appKey}`);
-  try {
-    const data = await api.patch(`/firewall/app/${encodeURIComponent(appKey)}`, { enabled });
+  const environment = resolveEnvironment(flags);
+  const verb = enabled ? 'Enabling' : 'Disabling';
+  const s = ui.spinner(`${verb} firewall for ${appKey} (${environment})`);
+  try {
+    const data = await api.patch(`/firewall/app/${encodeURIComponent(appKey)}`, { enabled, environment });
     s.stop(`Firewall ${enabled ? 'enabled' : 'disabled'}`);
 
     if (flags.json) { ui.json(data); return; }
@@ -126,7 +134,8 @@ async function setEnabled(args, flags, enabled) {
     const app = data.app || {};
     console.log('');
     console.log(`  ${ui.c.bold(enabled ? ui.c.green('Firewall: ENABLED') : ui.c.yellow('Firewall: DISABLED'))} — ${app.name || appKey}`);
-    console.log(`  ${ui.c.dim('App key:')} ${app.key || appKey}`);
+    console.log(`  ${ui.c.dim('App key:')} ${app.key || appKey}`);
+    console.log(`  ${ui.c.dim('Environment:')} ${app.environment || environment}`);
     console.log('');
     console.log(`  ${ui.c.dim('Running SDK instances pick up the change within ~10s.')}`);
     console.log('');
@@ -157,10 +166,16 @@ async function appsList(args, flags) {
     }
 
     console.log('');
-    for (const a of apps) {
-      const tag = a.firewallEnabled ? ui.c.green('ON ') : ui.c.yellow('OFF');
-      console.log(`  ${tag}  ${ui.c.bold(a.name)}  ${ui.c.dim(a.key)}`);
-    }
+    for (const a of apps) {
+      const tag = a.firewallEnabled ? ui.c.green('ON ') : ui.c.yellow('OFF');
+      console.log(`  ${tag}  ${ui.c.bold(a.name)}  ${ui.c.dim(a.key)}`);
+      if (a.environments) {
+        const envLine = Object.entries(a.environments)
+          .map(([env, state]) => `${env}:${state.firewallEnabled ? 'on' : 'off'}`)
+          .join('  ');
+        if (envLine) console.log(`      ${ui.c.dim(envLine)}`);
+      }
+    }
     console.log('');
     console.log(`  ${ui.c.dim('Toggle:')} securenow firewall enable --app <key>`);
     console.log(`  ${ui.c.dim('       :')} securenow firewall disable --app <key>`);