securenow 7.5.0 → 7.6.0

package/cli/monitor.js

@@ -1,12 +1,23 @@
 'use strict';
 
-const { api, requireAuth } = require('./client');
-const config = require('./config');
-const ui = require('./ui');
-
-function resolveApp(flags) {
-  return flags.app || config.getDefaultApp();
-}
+const { api, requireAuth } = require('./client');
+const config = require('./config');
+const ui = require('./ui');
+const appConfig = require('../app-config');
+
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags) {
+  return flags.env || flags.environment || null;
+}
+
+function addEnvironment(query, flags) {
+  const environment = resolveEnvironment(flags);
+  if (environment) query.environment = environment;
+  return query;
+}
 
 // ── Traces ──
 
@@ -20,10 +31,11 @@ async function tracesList(args, flags) {
 
   const s = ui.spinner('Fetching traces');
   try {
-    const query = {
-      appKeys: appKey,
-      limit: flags.limit || 20,
-    };
+    const query = {
+      appKeys: appKey,
+      limit: flags.limit || 20,
+    };
+    addEnvironment(query, flags);
     if (flags.start) query.from = flags.start;
     if (flags.end) query.to = flags.end;
 
@@ -35,7 +47,8 @@ async function tracesList(args, flags) {
 
     console.log('');
     const rows = traces.map(t => [
-      ui.c.dim(ui.truncate(t.traceID || t.traceId || t._id, 16)),
+      ui.c.dim(ui.truncate(t.traceID || t.traceId || t._id, 16)),
+      t.environment || 'production',
       t.operationName || t.name || t.serviceName || '—',
       ui.httpStatusColor(t.statusCode || t.httpStatusCode || t.responseStatusCode || '—'),
       ui.durationColor(t.durationNano ? t.durationNano / 1e6 : t.duration),
@@ -44,7 +57,7 @@ async function tracesList(args, flags) {
       ui.timeAgo(t.timestamp),
     ]);
 
-    ui.table(['Trace ID', 'Operation', 'Status', 'Duration', 'Method', 'URL', 'Time'], rows);
+    ui.table(['Trace ID', 'Env', 'Operation', 'Status', 'Duration', 'Method', 'URL', 'Time'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch traces');
@@ -62,9 +75,10 @@ async function tracesShow(args, flags) {
 
   const s = ui.spinner('Fetching trace details');
   try {
-    const appKey = resolveApp(flags);
-    const traceQuery = appKey ? { appKeys: appKey } : {};
-    const data = await api.get(`/traces/${traceId}`, { query: traceQuery });
+    const appKey = resolveApp(flags);
+    const traceQuery = appKey ? { appKeys: appKey } : {};
+    addEnvironment(traceQuery, flags);
+    const data = await api.get(`/traces/${traceId}`, { query: traceQuery });
     s.stop('Trace loaded');
 
     if (flags.json) { ui.json(data); return; }
@@ -103,9 +117,29 @@ async function tracesAnalyze(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner('Analyzing trace with AI');
-  try {
-    let result = await api.post('/traces/analyze', { traceId });
+  const s = ui.spinner('Analyzing trace with AI');
+  try {
+    const environment = resolveEnvironment(flags);
+    const appKey = resolveApp(flags);
+    if (!appKey) {
+      s.fail('Missing app key');
+      ui.error('Use --app <key> or set a default with `securenow config set defaultApp <key>`');
+      process.exit(1);
+    }
+
+    const query = { appKeys: appKey };
+    if (environment) query.environment = environment;
+    const [traceData, logsData] = await Promise.all([
+      api.get(`/traces/${traceId}`, { query }),
+      api.get(`/logs/trace/${traceId}`, { query }).catch(() => ({ logs: [] })),
+    ]);
+
+    const body = {
+      traceData: traceData.spans || traceData.traceData || [],
+      logs: logsData.logs || [],
+    };
+    if (environment) body.environment = environment;
+    let result = await api.post('/traces/analyze', body);
 
     if (result.analysisId && result.status === 'running') {
       const analysisId = result.analysisId;
@@ -223,10 +257,11 @@ async function logsList(args, flags) {
       limit: flags.limit || 200,
       from: flags.start || new Date(now - minutes * 60 * 1000).toISOString(),
       to: flags.end || new Date(now).toISOString(),
-    };
-    if (severity) query.severity = severity;
-
-    const data = await api.get('/logs', { query });
+    };
+    if (severity) query.severity = severity;
+    addEnvironment(query, flags);
+
+    const data = await api.get('/logs', { query });
     const logs = data.logs || [];
     s.stop(`Found ${logs.length} log${logs.length !== 1 ? 's' : ''}`);
 
@@ -244,7 +279,8 @@ async function logsList(args, flags) {
       const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
       const body = log.body || log.message || log.severityText || '';
 
-      console.log(`  ${time} ${levelColor(level.padEnd(7))} ${body}`);
+      const env = log.environment ? ` ${ui.c.dim(`[${log.environment}]`)}` : '';
+      console.log(`  ${time} ${levelColor(level.padEnd(7))}${env} ${body}`);
 
       if (log.traceId && flags.verbose) {
         console.log(`  ${ui.c.dim(`  trace=${log.traceId} span=${log.spanId || ''}`)}`);
@@ -265,9 +301,13 @@ async function logsTrace(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner('Fetching logs for trace');
-  try {
-    const data = await api.get(`/logs/trace/${traceId}`);
+  const s = ui.spinner('Fetching logs for trace');
+  try {
+    const query = {};
+    const appKey = resolveApp(flags);
+    if (appKey) query.appKeys = appKey;
+    addEnvironment(query, flags);
+    const data = await api.get(`/logs/trace/${traceId}`, { query });
     const logs = data.logs || [];
     s.stop(`Found ${logs.length} log${logs.length !== 1 ? 's' : ''}`);
 
@@ -283,7 +323,8 @@ async function logsTrace(args, flags) {
 
       const parsedTime = ui.parseTimestamp(log.timestamp);
       const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
-      console.log(`  ${time} ${levelColor(level.padEnd(7))} ${log.body || log.message || ''}`);
+      const env = log.environment ? ` ${ui.c.dim(`[${log.environment}]`)}` : '';
+      console.log(`  ${time} ${levelColor(level.padEnd(7))}${env} ${log.body || log.message || ''}`);
     }
     console.log('');
   } catch (err) {
@@ -400,22 +441,45 @@ async function status(args, flags) {
       ui.table(['Name', 'Key', 'Hosts'], rows);
     }
 
-    const appKey = resolveApp(flags);
-    if (appKey) {
+    const appKey = resolveApp(flags);
+    const requestedEnv = resolveEnvironment(flags) || appConfig.resolveDeploymentEnvironment() || 'production';
+    const showAllEnvs = requestedEnv === 'all' || requestedEnv === '*';
+    {
       try {
-        const protectionData = await api.get('/applications/protection-status');
-        const statuses = protectionData.statuses;
-        if (statuses && Object.keys(statuses).length > 0) {
-          ui.subheading('Protection Status');
-          console.log('');
-          const rows = Object.entries(statuses).map(([id, s]) => [
-            ui.c.dim(ui.truncate(id, 12)),
-            s.protected ? ui.c.green('● protected') : ui.c.red('○ unprotected'),
-            String(s.traceCount || 0),
-            s.lastTrace ? ui.timeAgo(s.lastTrace) : ui.c.dim('—'),
-          ]);
-          ui.table(['App ID', 'Status', 'Traces (15m)', 'Last Trace'], rows);
-        }
+        const protectionData = await api.get('/applications/protection-status');
+        const statuses = protectionData.statuses;
+        if (statuses && Object.keys(statuses).length > 0) {
+          const appById = new Map(apps.map((app) => [String(app._id || app.id), app]));
+          const envRows = [];
+
+          for (const [id, status] of Object.entries(statuses)) {
+            const app = appById.get(String(id));
+            if (appKey && app && app.key !== appKey) continue;
+
+            const environments = status.environments || { production: status.production || status };
+            const entries = showAllEnvs
+              ? Object.entries(environments)
+              : [[requestedEnv, environments[requestedEnv] || status.production || status]];
+
+            for (const [envName, envStatus] of entries) {
+              envRows.push([
+                app?.name || ui.c.dim(ui.truncate(id, 12)),
+                envName,
+                envStatus.firewallEnabled ? ui.c.green('on') : ui.c.dim('off'),
+                envStatus.protected ? ui.c.green('live') : ui.c.dim('idle'),
+                String(envStatus.traceCount || 0),
+                envStatus.lastTrace ? ui.timeAgo(envStatus.lastTrace) : ui.c.dim('-'),
+              ]);
+            }
+          }
+
+          if (envRows.length) {
+            ui.subheading(`Protection Status (${showAllEnvs ? 'all envs' : requestedEnv})`);
+            console.log('');
+            ui.table(['App', 'Env', 'Firewall', 'Traces', 'Count (15m)', 'Last Trace'], envRows);
+          }
+
+        }
       } catch {}
     }
 

package/cli/security.js

@@ -4,9 +4,13 @@ const { api, requireAuth } = require('./client');
 const config = require('./config');
 const ui = require('./ui');
 
-function resolveApp(flags) {
-  return flags.app || config.getDefaultApp();
-}
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags, fallback = null) {
+  return flags.env || flags.environment || fallback;
+}
 
 // ── Alert Rules ──
 
@@ -523,7 +527,7 @@ async function forensicsQuery(args, flags) {
 
   const s = ui.spinner('Submitting forensic query');
   try {
-    const body = { query };
+    const body = { query, environment: resolveEnvironment(flags, 'production') };
     const resolved = await resolveAppId(flags);
     if (resolved) {
       body.applicationId = resolved.id;
@@ -650,7 +654,10 @@ async function forensicsChat(args, flags) {
   console.log(ui.c.dim(`  App: ${resolved.key} (${resolved.id})`));
   console.log(ui.c.dim('  Type your question, or "exit" to quit.\n'));
 
-  let conversationId = null;
+  const environment = resolveEnvironment(flags, 'production');
+  console.log(ui.c.dim(`  Env: ${environment}`));
+
+  let conversationId = null;
 
   const readline = require('readline');
   const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
@@ -670,7 +677,7 @@ async function forensicsChat(args, flags) {
 
       const s = ui.spinner('Thinking');
       try {
-        const body = { message, applicationKey: resolved.key };
+        const body = { message, applicationKey: resolved.key, environment };
         if (conversationId) body.conversationId = conversationId;
 
         const chatRes = await api.post('/forensics/chat', body);
@@ -680,7 +687,7 @@ async function forensicsChat(args, flags) {
           let result;
           for (let i = 0; i < 150; i++) {
             await new Promise(r => setTimeout(r, 2000));
-            result = await api.get(`/forensics/chat/status/${conversationId}`);
+            result = await api.get(`/forensics/chat/status/${conversationId}`, { query: { environment } });
             if (result.status === 'complete' || result.status === 'failed' || result.status === 'awaiting_confirmation') break;
             const progress = result._progress;
             if (progress?.action) s.update(progress.action);
@@ -698,11 +705,11 @@ async function forensicsChat(args, flags) {
             const proceed = await ui.confirm('Proceed with this query?');
             if (proceed) {
               const cs = ui.spinner('Executing query');
-              await api.post(`/forensics/chat/confirm/${conversationId}`);
+              await api.post(`/forensics/chat/confirm/${conversationId}`, { environment });
               let confirmResult;
               for (let i = 0; i < 90; i++) {
                 await new Promise(r => setTimeout(r, 2000));
-                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`);
+                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`, { query: { environment } });
                 if (confirmResult.status !== 'processing') break;
               }
               cs.stop('Done');
@@ -836,9 +843,14 @@ async function ipTraces(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner(`Fetching traces for ${ip}`);
-  try {
-    const data = await api.get(`/ip/${ip}/traces`);
+  const s = ui.spinner(`Fetching traces for ${ip}`);
+  try {
+    const query = {};
+    const appKey = resolveApp(flags);
+    if (appKey) query.appKeys = appKey;
+    const environment = resolveEnvironment(flags, null);
+    if (environment) query.environment = environment;
+    const data = await api.get(`/ip/${ip}/traces`, { query });
     const traces = data.traces || [];
     s.stop(`Found ${traces.length} trace${traces.length !== 1 ? 's' : ''}`);
 

package/cli/ui.js

@@ -111,13 +111,21 @@ function keyValue(pairs) {
   }
 }
 
-function heading(text) {
-  console.log(`\n${c.bold(c.cyan(text))}`);
-}
-
-function subheading(text) {
-  console.log(`\n  ${c.bold(text)}`);
-}
+function heading(text) {
+  console.log(`\n${c.bold(c.cyan(text))}`);
+}
+
+function header(text) {
+  heading(text);
+}
+
+function bold(text) {
+  return c.bold(text);
+}
+
+function subheading(text) {
+  console.log(`\n  ${c.bold(text)}`);
+}
 
 function success(msg) {
   console.log(`${c.green('✓')} ${msg}`);
@@ -361,11 +369,13 @@ function durationColor(ms) {
 module.exports = {
   c,
   NO_COLOR,
-  stripAnsi,
-  table,
-  keyValue,
-  heading,
-  subheading,
+  stripAnsi,
+  table,
+  keyValue,
+  heading,
+  header,
+  bold,
+  subheading,
   success,
   error,
   warn,

package/cli/utils.js

@@ -4,6 +4,7 @@ const fs = require('fs');
 const ui = require('./ui');
 const cidrLib = require('../cidr');
 const { redactSensitiveData, DEFAULT_SENSITIVE_FIELDS } = require('../nextjs-middleware');
+const appConfig = require('../app-config');
 
 // ── redact ──
 
@@ -38,7 +39,7 @@ function redact(args, flags) {
   const extra = flags.fields
     ? String(flags.fields).split(',').map((s) => s.trim()).filter(Boolean)
     : [];
-  const envExtra = (process.env.SECURENOW_SENSITIVE_FIELDS || '')
+  const envExtra = (appConfig.env('SECURENOW_SENSITIVE_FIELDS') || '')
     .split(',').map((s) => s.trim()).filter(Boolean);
   const fields = [...DEFAULT_SENSITIVE_FIELDS, ...envExtra, ...extra];
 

package/cli.js

@@ -39,11 +39,13 @@ function parseArgs(argv) {
 // ── Command Registry ──
 
 const COMMANDS = {
-  init: {
-    desc: 'Set up SecureNow in the current project (instrumentation, config, env)',
-    usage: 'securenow init [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
-    flags: {
-      key: 'API key to write to .env',
+  init: {
+    desc: 'Set up SecureNow in the current project (instrumentation + .securenow credentials)',
+    usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
+    flags: {
+      env: 'Deployment environment to write into .securenow/credentials.json (default: local)',
+      environment: 'Alias for --env',
+      key: 'Firewall API key to write to .securenow/credentials.json',
       'api-key': 'Alias for --key',
       typescript: 'Force TypeScript',
       javascript: 'Force JavaScript',
@@ -73,7 +75,7 @@ const COMMANDS = {
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
   },
-  'api-key': {
+  'api-key': {
     desc: 'Manage the firewall API key stored in .securenow/credentials.json',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
@@ -95,8 +97,27 @@ const COMMANDS = {
         run: () => require('./cli/apiKey').show(),
       },
     },
-    defaultSub: 'show',
-  },
+    defaultSub: 'show',
+  },
+  credentials: {
+    desc: 'Create production/runtime SecureNow credentials files',
+    usage: 'securenow credentials <subcommand> [options]',
+    sub: {
+      runtime: {
+        desc: 'Write tokenless runtime credentials for production file-based deploys',
+        usage: 'securenow credentials runtime [--env production] [--out .securenow/credentials.production.json] [--stdout]',
+        flags: {
+          env: 'Deployment environment for this runtime file (default: production)',
+          environment: 'Alias for --env',
+          out: 'Output path (default: .securenow/credentials.<env>.json)',
+          output: 'Alias for --out',
+          stdout: 'Print JSON to stdout instead of writing a file',
+        },
+        run: (a, f) => require('./cli/credentials').runtime(a, f),
+      },
+    },
+    defaultSub: 'runtime',
+  },
   apps: {
     desc: 'Manage applications',
     usage: 'securenow apps <subcommand> [options]',
@@ -115,9 +136,9 @@ const COMMANDS = {
     desc: 'View and analyze traces',
     usage: 'securenow traces <subcommand> [options]',
     sub: {
-      list: { desc: 'List recent traces', flags: { app: 'App key', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
-      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
-      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
+      list: { desc: 'List recent traces', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
+      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
+      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
     },
     defaultSub: 'list',
   },
@@ -125,8 +146,8 @@ const COMMANDS = {
     desc: 'View application logs',
     usage: 'securenow logs [options]',
     sub: {
-      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
-      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
+      list: { desc: 'List recent logs', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
+      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
     },
     defaultSub: 'list',
   },
@@ -182,11 +203,11 @@ const COMMANDS = {
     usage: 'securenow firewall <subcommand> [options]',
     flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
-      status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
+      status: { desc: 'Show firewall status, layers, and blocklist info', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').status(a, f) },
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
-      enable: { desc: 'Turn the firewall ON for an app', usage: 'securenow firewall enable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
-      disable: { desc: 'Turn the firewall OFF for an app', usage: 'securenow firewall disable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
+      enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
+      disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',
   },
@@ -227,7 +248,7 @@ const COMMANDS = {
     usage: 'securenow ip <ip-address>',
     sub: {
       lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
-      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip>', run: (a, f) => require('./cli/security').ipTraces(a, f) },
+      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip> [--env production]', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').ipTraces(a, f) },
     },
     defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
   },
@@ -235,8 +256,8 @@ const COMMANDS = {
     desc: 'Run forensic queries (natural language → SQL)',
     usage: 'securenow forensics <query> [--app <key>]',
     sub: {
-      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
-      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key>', flags: { app: 'App key to chat with' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
+      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
+      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key> [--env production]', flags: { app: 'App key to chat with', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
       library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
     },
     defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
@@ -255,11 +276,16 @@ const COMMANDS = {
     usage: 'securenow analytics [--app <key>]',
     run: (a, f) => require('./cli/security').analytics(a, f),
   },
-  status: {
-    desc: 'Dashboard overview',
-    usage: 'securenow status [--app <key>]',
-    run: (a, f) => require('./cli/monitor').status(a, f),
-  },
+  status: {
+    desc: 'Dashboard overview',
+    usage: 'securenow status [--app <key>] [--env local|production|all]',
+    flags: {
+      app: 'App key to highlight',
+      env: 'Environment to display in protection summary (default: credentials file, use all for every env)',
+      environment: 'Alias for --env',
+    },
+    run: (a, f) => require('./cli/monitor').status(a, f),
+  },
   config: {
     desc: 'Manage CLI configuration',
     usage: 'securenow config <set|get> [key] [value]',
@@ -343,30 +369,36 @@ const COMMANDS = {
   log: {
     desc: 'Emit logs via OTLP (for scripts, cron, debugging)',
     usage: 'securenow log send <message> [--level info|warn|error] [--attrs k=v,k=v]',
-    sub: {
-      send: {
-        desc: 'Send a single log record to the OTLP collector',
-        flags: {
-          level: 'Severity (trace|debug|info|warn|error|fatal)',
-          attrs: 'Comma-separated key=value attributes',
-        },
+    sub: {
+      send: {
+        desc: 'Send a single log record to the OTLP collector',
+        flags: {
+          env: 'Deployment environment for this log (defaults to credentials file)',
+          environment: 'Alias for --env',
+          level: 'Severity (trace|debug|info|warn|error|fatal)',
+          attrs: 'Comma-separated key=value attributes',
+        },
         run: (a, f) => require('./cli/diagnostics').logSend(a, f),
       },
     },
     defaultSub: 'send',
   },
-  'test-span': {
-    desc: 'Emit a test span to verify collector connectivity',
-    usage: 'securenow test-span [<span-name>]',
-    run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
-  },
+  'test-span': {
+    desc: 'Emit a test span to verify collector connectivity',
+    usage: 'securenow test-span [<span-name>] [--env local|production]',
+    flags: {
+      env: 'Deployment environment for this span (defaults to credentials file)',
+      environment: 'Alias for --env',
+    },
+    run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
+  },
   doctor: {
     desc: 'Diagnose SecureNow configuration and collector connectivity',
     usage: 'securenow doctor [--json]',
     run: (a, f) => require('./cli/diagnostics').doctor(a, f),
   },
   env: {
-    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
+    desc: 'Show resolved SecureNow configuration (service name, endpoints, credentials)',
     usage: 'securenow env [--json]',
     run: (a, f) => require('./cli/diagnostics').env(a, f),
   },
@@ -434,7 +466,7 @@ function showHelp(commandName) {
 
   const groups = {
     'Run': ['run'],
-    'Authentication': ['login', 'logout', 'whoami'],
+    'Authentication': ['login', 'logout', 'whoami', 'credentials'],
     'Applications': ['apps', 'init', 'status'],
     'Observe': ['traces', 'logs', 'analytics'],
     'Detect & Respond': ['notifications', 'alerts', 'fp'],

package/console-instrumentation.js

@@ -7,7 +7,7 @@
  * to automatically send logs to OpenTelemetry / any OTLP-compatible backend.
  * 
  * Usage:
- *   1. Enable logging: SECURENOW_LOGGING_ENABLED=1
+ *   1. Run `npx securenow login` / `npx securenow init` so credentials defaults exist
  *   2. Import this file AFTER securenow is initialized
  *   3. Use console.log/info/warn/error as normal
  *