securenow 7.5.1 → 7.6.0

package/cli/init.js

@@ -1,244 +1,246 @@
-'use strict';
-
+'use strict';
+
 const fs = require('fs');
 const path = require('path');
 const ui = require('./ui');
 const config = require('./config');
 
-const DEFAULT_ENV = {
-  SECURENOW_LOGGING_ENABLED: '1',
-  SECURENOW_CAPTURE_BODY: '1',
-  SECURENOW_CAPTURE_MULTIPART: '1',
-  SECURENOW_FIREWALL_ENABLED: '1',
-};
-
-const INSTRUMENTATION_JS = `import { createRequire } from 'node:module';
+const INSTRUMENTATION = `import { createRequire } from 'node:module';
 
 const require = createRequire(import.meta.url);
 
 export async function register() {
   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
 
-  process.env.SECURENOW_LOGGING_ENABLED ??= '1';
-  process.env.SECURENOW_CAPTURE_BODY ??= '1';
-  process.env.SECURENOW_CAPTURE_MULTIPART ??= '1';
-  process.env.SECURENOW_FIREWALL_ENABLED ??= '1';
-
   const { registerSecureNow } = require('securenow/nextjs');
   registerSecureNow({ captureBody: true });
   require('securenow/nextjs-auto-capture');
 }
 `;
 
-const INSTRUMENTATION_TS = `import { createRequire } from 'node:module';
+function detectProject(dir) {
+  const pkgPath = path.join(dir, 'package.json');
+  if (!fs.existsSync(pkgPath)) return { framework: 'unknown' };
 
-const require = createRequire(import.meta.url);
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8').replace(/^\uFEFF/, ''));
+  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
 
-export async function register() {
-  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+  if (allDeps.next) return { framework: 'nextjs', pkg, pkgPath, nextVersion: allDeps.next };
+  if (allDeps.nuxt) return { framework: 'nuxt', pkg, pkgPath };
+  if (allDeps.express) return { framework: 'express', pkg, pkgPath };
+  if (allDeps.fastify) return { framework: 'fastify', pkg, pkgPath };
+  if (allDeps.koa) return { framework: 'koa', pkg, pkgPath };
+  if (allDeps.hapi || allDeps['@hapi/hapi']) return { framework: 'hapi', pkg, pkgPath };
+  return { framework: 'node', pkg, pkgPath };
+}
 
-  process.env.SECURENOW_LOGGING_ENABLED ??= '1';
-  process.env.SECURENOW_CAPTURE_BODY ??= '1';
-  process.env.SECURENOW_CAPTURE_MULTIPART ??= '1';
-  process.env.SECURENOW_FIREWALL_ENABLED ??= '1';
+function findInstrumentationFile(dir) {
+  for (const name of ['instrumentation.ts', 'instrumentation.js', 'src/instrumentation.ts', 'src/instrumentation.js']) {
+    const p = path.join(dir, name);
+    if (fs.existsSync(p)) return p;
+  }
+  return null;
+}
 
-  const { registerSecureNow } = require('securenow/nextjs');
-  registerSecureNow({ captureBody: true });
-  require('securenow/nextjs-auto-capture');
+function findNextConfig(dir) {
+  for (const name of ['next.config.js', 'next.config.mjs', 'next.config.ts']) {
+    const p = path.join(dir, name);
+    if (fs.existsSync(p)) return p;
+  }
+  return null;
 }
-`;
-
-function detectProject(dir) {
-  const pkgPath = path.join(dir, 'package.json');
-  if (!fs.existsSync(pkgPath)) return { framework: 'unknown' };
-
-  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
-
-  if (allDeps.next) return { framework: 'nextjs', pkg, pkgPath, nextVersion: allDeps.next };
-  if (allDeps.nuxt) return { framework: 'nuxt', pkg, pkgPath };
-  if (allDeps.express) return { framework: 'express', pkg, pkgPath };
-  if (allDeps.fastify) return { framework: 'fastify', pkg, pkgPath };
-  if (allDeps.koa) return { framework: 'koa', pkg, pkgPath };
-  if (allDeps.hapi || allDeps['@hapi/hapi']) return { framework: 'hapi', pkg, pkgPath };
-  return { framework: 'node', pkg, pkgPath };
-}
-
-function findInstrumentationFile(dir) {
-  for (const name of ['instrumentation.ts', 'instrumentation.js', 'src/instrumentation.ts', 'src/instrumentation.js']) {
-    const p = path.join(dir, name);
-    if (fs.existsSync(p)) return p;
-  }
-  return null;
-}
-
-function findNextConfig(dir) {
-  for (const name of ['next.config.js', 'next.config.mjs', 'next.config.ts']) {
-    const p = path.join(dir, name);
-    if (fs.existsSync(p)) return p;
-  }
-  return null;
-}
-
-function hasTypeScript(dir) {
-  return fs.existsSync(path.join(dir, 'tsconfig.json'));
-}
-
-async function init(_args, flags) {
-  const dir = process.cwd();
-  const project = detectProject(dir);
-
-  ui.header('SecureNow Project Setup');
-
-  if (project.framework === 'unknown') {
-    ui.error('No package.json found. Run this command in your project root.');
-    process.exit(1);
-  }
-
-  ui.info(`Detected framework: ${ui.bold(project.framework)}`);
-
-  if (project.framework === 'nextjs') {
-    await initNextJs(dir, project, flags);
-  } else if (project.framework === 'nuxt') {
-    initNuxt(dir, project);
-  } else {
-    initNode(dir, project);
-  }
-
-  initEnv(dir, flags);
-
-  console.log('');
-  ui.success('Setup complete! Run your app to verify.');
-}
-
-async function initNextJs(dir, project, flags) {
-  const useTs = hasTypeScript(dir);
-  const ext = useTs ? 'ts' : 'js';
-
-  const existing = findInstrumentationFile(dir);
-  if (existing) {
-    ui.info(`instrumentation file already exists: ${path.relative(dir, existing)}`);
-  } else {
-    const filePath = path.join(dir, `instrumentation.${ext}`);
-    const content = useTs ? INSTRUMENTATION_TS : INSTRUMENTATION_JS;
-    fs.writeFileSync(filePath, content, 'utf8');
-    ui.success(`Created instrumentation.${ext}`);
-  }
-
-  const configPath = findNextConfig(dir);
-  if (configPath) {
-    const content = fs.readFileSync(configPath, 'utf8');
-    if (content.includes('withSecureNow')) {
-      ui.info('next.config already uses withSecureNow — skipping');
-    } else if (content.includes('serverExternalPackages') && content.includes('securenow')) {
-      ui.info('next.config already externalizes securenow — skipping');
-    } else if (content.includes('serverComponentsExternalPackages') && content.includes('securenow')) {
-      ui.info('next.config already externalizes securenow — skipping');
-    } else {
-      ui.warn(`Update your ${path.basename(configPath)} to use withSecureNow():`);
-      console.log('');
-      console.log(`  const { withSecureNow } = require('securenow/nextjs-webpack-config');`);
-      console.log(`  module.exports = withSecureNow({ /* your config */ });`);
-      console.log('');
-    }
-  } else {
-    const newConfigPath = path.join(dir, 'next.config.js');
-    fs.writeFileSync(newConfigPath, `const { withSecureNow } = require('securenow/nextjs-webpack-config');\n\nmodule.exports = withSecureNow({\n  reactStrictMode: true,\n});\n`, 'utf8');
-    ui.success('Created next.config.js with withSecureNow()');
-  }
-}
-
-function initNuxt(dir, project) {
-  const configPath = path.join(dir, 'nuxt.config.ts');
-  if (fs.existsSync(configPath)) {
-    const content = fs.readFileSync(configPath, 'utf8');
-    if (content.includes('securenow/nuxt')) {
-      ui.info('nuxt.config already references securenow/nuxt — skipping');
-    } else {
-      ui.warn('Add securenow/nuxt to your nuxt.config modules:');
-      console.log('');
-      console.log("  modules: ['securenow/nuxt'],");
-      console.log('');
-    }
-  } else {
-    ui.warn('Add securenow/nuxt to your nuxt.config modules array.');
-  }
-}
-
-function initNode(dir, project) {
-  const pkg = project.pkg;
-  const scripts = pkg.scripts || {};
-
-  const startScript = scripts.start || '';
-  if (startScript.includes('securenow/register')) {
-    ui.info('start script already uses securenow/register — skipping');
-    return;
-  }
-
-  if (startScript) {
-    ui.warn('Update your start script to include the securenow preload:');
-    console.log('');
-    if (startScript.includes('node ')) {
-      const updated = startScript.replace('node ', 'node -r securenow/register ');
-      console.log(`  "start": "${updated}"`);
-    } else {
-      console.log(`  "start": "node -r securenow/register ${startScript.replace(/^node\s+/, '')}"`);
-    }
-    console.log('');
-  } else {
-    ui.warn('Add a start script with the securenow preload:');
-    console.log('');
-    console.log('  "start": "node -r securenow/register src/index.js"');
-    console.log('');
-  }
-}
-
-function initEnv(dir, flags) {
-  const envFiles = ['.env', '.env.local'];
-  let envPath = null;
-
-  for (const f of envFiles) {
-    const p = path.join(dir, f);
-    if (fs.existsSync(p)) {
-      envPath = p;
-      break;
-    }
+
+function hasTypeScript(dir) {
+  return fs.existsSync(path.join(dir, 'tsconfig.json'));
+}
+
+function nextMajor(project) {
+  const raw = String(project.nextVersion || '').replace(/^[^\d]*/, '');
+  const major = parseInt(raw, 10);
+  return Number.isFinite(major) ? major : 15;
+}
+
+async function init(_args, flags) {
+  const dir = process.cwd();
+  const project = detectProject(dir);
+
+  ui.header('SecureNow Project Setup');
+
+  if (project.framework === 'unknown') {
+    ui.error('No package.json found. Run this command in your project root.');
+    process.exit(1);
   }
 
-  if (!envPath) envPath = path.join(dir, '.env.local');
+  ui.info(`Detected framework: ${ui.bold(project.framework)}`);
+  initCredentials(flags);
 
-  const existing = fs.existsSync(envPath) ? fs.readFileSync(envPath, 'utf8') : '';
-  const additions = [];
-  for (const [key, value] of Object.entries(DEFAULT_ENV)) {
-    if (!hasEnvKey(existing, key)) additions.push(`${key}=${value}`);
+  if (project.framework === 'nextjs') {
+    await initNextJs(dir, project, flags);
+  } else if (project.framework === 'nuxt') {
+    initNuxt(dir);
+  } else {
+    initNode(project);
   }
 
+  console.log('');
+  ui.success('Setup complete.');
+  ui.info('Run `npx securenow login` if this project is not linked to an app yet.');
+  ui.info('Then verify with `npx securenow test-span` and `npx securenow status`.');
+}
+
+function initCredentials(flags) {
+  config.ensureCredentialDefaults({ local: true });
+  config.ensureLocalGitignore();
+  const creds = config.loadCredentials();
+  creds.config = creds.config || {};
+  creds.config.runtime = creds.config.runtime || {};
+  creds.config.runtime.deploymentEnvironment = flags.env || flags.environment || 'local';
+  config.saveCredentials(creds, { local: true });
+
   const explicitApiKey = flags.key || flags['api-key'] || '';
-  const hasApiKey = hasEnvKey(existing, 'SECURENOW_API_KEY');
-  if (explicitApiKey && !hasApiKey) additions.push(`SECURENOW_API_KEY=${explicitApiKey}`);
+  if (explicitApiKey) {
+    if (!String(explicitApiKey).startsWith('snk_live_')) {
+      ui.error('--key must start with snk_live_');
+      process.exit(1);
+    }
+    config.setApiKey(explicitApiKey, { local: true });
+    ui.success('Stored firewall API key in .securenow/credentials.json');
+  }
+
+  ui.success('Ensured .securenow/credentials.json has secure defaults and explanations');
+}
+
+async function initNextJs(dir, project, flags) {
+  const useTs = flags.javascript ? false : flags.typescript ? true : hasTypeScript(dir);
+  const ext = useTs ? 'ts' : 'js';
 
-  if (additions.length > 0) {
-    const sep = existing && !existing.endsWith('\n') ? '\n' : '';
-    fs.appendFileSync(envPath, `${sep}${additions.join('\n')}\n`, 'utf8');
-    ui.success(`Updated ${path.basename(envPath)} with SecureNow defaults`);
+  const existing = findInstrumentationFile(dir);
+  if (existing) {
+    ui.info(`instrumentation file already exists: ${path.relative(dir, existing)}`);
+    printAgentPrompt('instrumentation', path.basename(existing), nextMajor(project));
   } else {
-    ui.info(`${path.basename(envPath)} already contains SecureNow defaults`);
+    const filePath = path.join(dir, `instrumentation.${ext}`);
+    fs.writeFileSync(filePath, INSTRUMENTATION, 'utf8');
+    ui.success(`Created instrumentation.${ext}`);
   }
 
-  if (hasApiKey || explicitApiKey) {
-    ui.info(`SECURENOW_API_KEY is set in ${path.basename(envPath)}`);
-  } else if (config.getApiKey()) {
-    ui.info('Using firewall API key from project .securenow/credentials.json');
+  const configPath = findNextConfig(dir);
+  if (configPath) {
+    const patched = patchNextConfig(configPath, nextMajor(project));
+    if (patched === 'already') {
+      ui.info(`${path.basename(configPath)} already externalizes securenow`);
+    } else if (patched === 'patched') {
+      ui.success(`Updated ${path.basename(configPath)} with SecureNow server externalization`);
+    } else {
+      ui.warn(`Could not safely edit ${path.basename(configPath)} automatically.`);
+      printAgentPrompt('next-config', path.basename(configPath), nextMajor(project));
+    }
+  } else {
+    const newConfigPath = path.join(dir, 'next.config.mjs');
+    fs.writeFileSync(newConfigPath, `/** @type {import('next').NextConfig} */
+const nextConfig = {
+  serverExternalPackages: ['securenow'],
+};
+
+export default nextConfig;
+`, 'utf8');
+    ui.success('Created next.config.mjs');
+  }
+}
+
+function patchNextConfig(configPath, major) {
+  const content = fs.readFileSync(configPath, 'utf8');
+  const serverExternalWithSecureNow = /serverExternalPackages\s*:\s*\[[\s\S]*?['"]securenow['"][\s\S]*?\]/m.test(content);
+  const serverComponentsWithSecureNow = /serverComponentsExternalPackages\s*:\s*\[[\s\S]*?['"]securenow['"][\s\S]*?\]/m.test(content);
+  if (serverExternalWithSecureNow || serverComponentsWithSecureNow || content.includes('withSecureNow(')) {
+    return 'already';
+  }
+
+  if (major < 15) return 'manual';
+
+  const existingServerExternal = content.match(/serverExternalPackages\s*:\s*\[([\s\S]*?)\]/m);
+  if (existingServerExternal) {
+    const current = existingServerExternal[1].trim().replace(/,\s*$/, '');
+    const replacement = `serverExternalPackages: [${current ? `${current}, ` : ''}'securenow']`;
+    fs.writeFileSync(configPath, content.replace(existingServerExternal[0], replacement), 'utf8');
+    return 'patched';
+  }
+
+  const insert = `  serverExternalPackages: ['securenow'],\n`;
+  const patterns = [
+    /(const\s+nextConfig\s*=\s*{\s*\r?\n)/,
+    /(export\s+default\s+{\s*\r?\n)/,
+    /(module\.exports\s*=\s*{\s*\r?\n)/,
+  ];
+
+  for (const pattern of patterns) {
+    if (pattern.test(content)) {
+      fs.writeFileSync(configPath, content.replace(pattern, `$1${insert}`), 'utf8');
+      return 'patched';
+    }
+  }
+
+  return 'manual';
+}
+
+function printAgentPrompt(kind, filename, major) {
+  console.log('');
+  ui.heading('Codex/Claude prompt');
+  console.log([
+    'Set up SecureNow in this existing Next.js project without using .env files.',
+    'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
+    kind === 'instrumentation'
+      ? `Merge this into ${filename}: in register(), return unless process.env.NEXT_RUNTIME === "nodejs"; use createRequire(import.meta.url); require("securenow/nextjs").registerSecureNow({ captureBody: true }); then require("securenow/nextjs-auto-capture"). Preserve all existing instrumentation.`
+      : null,
+    kind === 'next-config' && major >= 15
+      ? `Update ${filename} while preserving existing config: add securenow to serverExternalPackages, e.g. serverExternalPackages: [...(existing || []), "securenow"].`
+      : null,
+    kind === 'next-config' && major < 15
+      ? `Update ${filename} while preserving existing config: enable experimental.instrumentationHook and add securenow to experimental.serverComponentsExternalPackages.`
+      : null,
+    'Verify with: npx securenow env, npx securenow test-span, npx securenow status, and the project build command.',
+  ].filter(Boolean).join('\n'));
+  console.log('');
+}
+
+function initNuxt(dir) {
+  const configPath = path.join(dir, 'nuxt.config.ts');
+  if (fs.existsSync(configPath)) {
+    const content = fs.readFileSync(configPath, 'utf8');
+    if (content.includes('securenow/nuxt')) {
+      ui.info('nuxt.config already references securenow/nuxt');
+    } else {
+      ui.warn('Add securenow/nuxt to your nuxt.config modules array.');
+    }
   } else {
-    ui.warn(`Add your API key to ${path.basename(envPath)}:`);
+    ui.warn('Add securenow/nuxt to your nuxt.config modules array.');
+  }
+}
+
+function initNode(project) {
+  const scripts = project.pkg.scripts || {};
+  const startScript = scripts.start || '';
+  if (startScript.includes('securenow/register')) {
+    ui.info('start script already uses securenow/register');
+    return;
+  }
+
+  if (startScript) {
+    ui.warn('Update your start script to include the securenow preload:');
     console.log('');
-    console.log('  SECURENOW_API_KEY=snk_live_...');
+    if (startScript.includes('node ')) {
+      const updated = startScript.replace('node ', 'node -r securenow/register ');
+      console.log(`  "start": "${updated}"`);
+    } else {
+      console.log(`  "start": "node -r securenow/register ${startScript.replace(/^node\s+/, '')}"`);
+    }
+    console.log('');
+  } else {
+    ui.warn('Add a start script with the securenow preload:');
+    console.log('');
+    console.log('  "start": "node -r securenow/register src/index.js"');
     console.log('');
   }
 }
 
-function hasEnvKey(content, key) {
-  return new RegExp(`^\\s*${key}\\s*=`, 'm').test(content || '');
-}
-
-module.exports = { init };
+module.exports = { init };

package/cli/monitor.js

@@ -1,12 +1,23 @@
 'use strict';
 
-const { api, requireAuth } = require('./client');
-const config = require('./config');
-const ui = require('./ui');
-
-function resolveApp(flags) {
-  return flags.app || config.getDefaultApp();
-}
+const { api, requireAuth } = require('./client');
+const config = require('./config');
+const ui = require('./ui');
+const appConfig = require('../app-config');
+
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags) {
+  return flags.env || flags.environment || null;
+}
+
+function addEnvironment(query, flags) {
+  const environment = resolveEnvironment(flags);
+  if (environment) query.environment = environment;
+  return query;
+}
 
 // ── Traces ──
 
@@ -20,10 +31,11 @@ async function tracesList(args, flags) {
 
   const s = ui.spinner('Fetching traces');
   try {
-    const query = {
-      appKeys: appKey,
-      limit: flags.limit || 20,
-    };
+    const query = {
+      appKeys: appKey,
+      limit: flags.limit || 20,
+    };
+    addEnvironment(query, flags);
     if (flags.start) query.from = flags.start;
     if (flags.end) query.to = flags.end;
 
@@ -35,7 +47,8 @@ async function tracesList(args, flags) {
 
     console.log('');
     const rows = traces.map(t => [
-      ui.c.dim(ui.truncate(t.traceID || t.traceId || t._id, 16)),
+      ui.c.dim(ui.truncate(t.traceID || t.traceId || t._id, 16)),
+      t.environment || 'production',
       t.operationName || t.name || t.serviceName || '—',
       ui.httpStatusColor(t.statusCode || t.httpStatusCode || t.responseStatusCode || '—'),
       ui.durationColor(t.durationNano ? t.durationNano / 1e6 : t.duration),
@@ -44,7 +57,7 @@ async function tracesList(args, flags) {
       ui.timeAgo(t.timestamp),
     ]);
 
-    ui.table(['Trace ID', 'Operation', 'Status', 'Duration', 'Method', 'URL', 'Time'], rows);
+    ui.table(['Trace ID', 'Env', 'Operation', 'Status', 'Duration', 'Method', 'URL', 'Time'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch traces');
@@ -62,9 +75,10 @@ async function tracesShow(args, flags) {
 
   const s = ui.spinner('Fetching trace details');
   try {
-    const appKey = resolveApp(flags);
-    const traceQuery = appKey ? { appKeys: appKey } : {};
-    const data = await api.get(`/traces/${traceId}`, { query: traceQuery });
+    const appKey = resolveApp(flags);
+    const traceQuery = appKey ? { appKeys: appKey } : {};
+    addEnvironment(traceQuery, flags);
+    const data = await api.get(`/traces/${traceId}`, { query: traceQuery });
     s.stop('Trace loaded');
 
     if (flags.json) { ui.json(data); return; }
@@ -103,9 +117,29 @@ async function tracesAnalyze(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner('Analyzing trace with AI');
-  try {
-    let result = await api.post('/traces/analyze', { traceId });
+  const s = ui.spinner('Analyzing trace with AI');
+  try {
+    const environment = resolveEnvironment(flags);
+    const appKey = resolveApp(flags);
+    if (!appKey) {
+      s.fail('Missing app key');
+      ui.error('Use --app <key> or set a default with `securenow config set defaultApp <key>`');
+      process.exit(1);
+    }
+
+    const query = { appKeys: appKey };
+    if (environment) query.environment = environment;
+    const [traceData, logsData] = await Promise.all([
+      api.get(`/traces/${traceId}`, { query }),
+      api.get(`/logs/trace/${traceId}`, { query }).catch(() => ({ logs: [] })),
+    ]);
+
+    const body = {
+      traceData: traceData.spans || traceData.traceData || [],
+      logs: logsData.logs || [],
+    };
+    if (environment) body.environment = environment;
+    let result = await api.post('/traces/analyze', body);
 
     if (result.analysisId && result.status === 'running') {
       const analysisId = result.analysisId;
@@ -223,10 +257,11 @@ async function logsList(args, flags) {
       limit: flags.limit || 200,
       from: flags.start || new Date(now - minutes * 60 * 1000).toISOString(),
       to: flags.end || new Date(now).toISOString(),
-    };
-    if (severity) query.severity = severity;
-
-    const data = await api.get('/logs', { query });
+    };
+    if (severity) query.severity = severity;
+    addEnvironment(query, flags);
+
+    const data = await api.get('/logs', { query });
     const logs = data.logs || [];
     s.stop(`Found ${logs.length} log${logs.length !== 1 ? 's' : ''}`);
 
@@ -244,7 +279,8 @@ async function logsList(args, flags) {
       const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
       const body = log.body || log.message || log.severityText || '';
 
-      console.log(`  ${time} ${levelColor(level.padEnd(7))} ${body}`);
+      const env = log.environment ? ` ${ui.c.dim(`[${log.environment}]`)}` : '';
+      console.log(`  ${time} ${levelColor(level.padEnd(7))}${env} ${body}`);
 
       if (log.traceId && flags.verbose) {
         console.log(`  ${ui.c.dim(`  trace=${log.traceId} span=${log.spanId || ''}`)}`);
@@ -265,9 +301,13 @@ async function logsTrace(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner('Fetching logs for trace');
-  try {
-    const data = await api.get(`/logs/trace/${traceId}`);
+  const s = ui.spinner('Fetching logs for trace');
+  try {
+    const query = {};
+    const appKey = resolveApp(flags);
+    if (appKey) query.appKeys = appKey;
+    addEnvironment(query, flags);
+    const data = await api.get(`/logs/trace/${traceId}`, { query });
     const logs = data.logs || [];
     s.stop(`Found ${logs.length} log${logs.length !== 1 ? 's' : ''}`);
 
@@ -283,7 +323,8 @@ async function logsTrace(args, flags) {
 
       const parsedTime = ui.parseTimestamp(log.timestamp);
       const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
-      console.log(`  ${time} ${levelColor(level.padEnd(7))} ${log.body || log.message || ''}`);
+      const env = log.environment ? ` ${ui.c.dim(`[${log.environment}]`)}` : '';
+      console.log(`  ${time} ${levelColor(level.padEnd(7))}${env} ${log.body || log.message || ''}`);
     }
     console.log('');
   } catch (err) {
@@ -400,22 +441,45 @@ async function status(args, flags) {
       ui.table(['Name', 'Key', 'Hosts'], rows);
     }
 
-    const appKey = resolveApp(flags);
-    if (appKey) {
+    const appKey = resolveApp(flags);
+    const requestedEnv = resolveEnvironment(flags) || appConfig.resolveDeploymentEnvironment() || 'production';
+    const showAllEnvs = requestedEnv === 'all' || requestedEnv === '*';
+    {
       try {
-        const protectionData = await api.get('/applications/protection-status');
-        const statuses = protectionData.statuses;
-        if (statuses && Object.keys(statuses).length > 0) {
-          ui.subheading('Protection Status');
-          console.log('');
-          const rows = Object.entries(statuses).map(([id, s]) => [
-            ui.c.dim(ui.truncate(id, 12)),
-            s.protected ? ui.c.green('● protected') : ui.c.red('○ unprotected'),
-            String(s.traceCount || 0),
-            s.lastTrace ? ui.timeAgo(s.lastTrace) : ui.c.dim('—'),
-          ]);
-          ui.table(['App ID', 'Status', 'Traces (15m)', 'Last Trace'], rows);
-        }
+        const protectionData = await api.get('/applications/protection-status');
+        const statuses = protectionData.statuses;
+        if (statuses && Object.keys(statuses).length > 0) {
+          const appById = new Map(apps.map((app) => [String(app._id || app.id), app]));
+          const envRows = [];
+
+          for (const [id, status] of Object.entries(statuses)) {
+            const app = appById.get(String(id));
+            if (appKey && app && app.key !== appKey) continue;
+
+            const environments = status.environments || { production: status.production || status };
+            const entries = showAllEnvs
+              ? Object.entries(environments)
+              : [[requestedEnv, environments[requestedEnv] || status.production || status]];
+
+            for (const [envName, envStatus] of entries) {
+              envRows.push([
+                app?.name || ui.c.dim(ui.truncate(id, 12)),
+                envName,
+                envStatus.firewallEnabled ? ui.c.green('on') : ui.c.dim('off'),
+                envStatus.protected ? ui.c.green('live') : ui.c.dim('idle'),
+                String(envStatus.traceCount || 0),
+                envStatus.lastTrace ? ui.timeAgo(envStatus.lastTrace) : ui.c.dim('-'),
+              ]);
+            }
+          }
+
+          if (envRows.length) {
+            ui.subheading(`Protection Status (${showAllEnvs ? 'all envs' : requestedEnv})`);
+            console.log('');
+            ui.table(['App', 'Env', 'Firewall', 'Traces', 'Count (15m)', 'Last Trace'], envRows);
+          }
+
+        }
       } catch {}
     }