securenow 7.5.1 → 7.6.0

package/cli/security.js

@@ -4,9 +4,13 @@ const { api, requireAuth } = require('./client');
 const config = require('./config');
 const ui = require('./ui');
 
-function resolveApp(flags) {
-  return flags.app || config.getDefaultApp();
-}
+function resolveApp(flags) {
+  return flags.app || config.getDefaultApp();
+}
+
+function resolveEnvironment(flags, fallback = null) {
+  return flags.env || flags.environment || fallback;
+}
 
 // ── Alert Rules ──
 
@@ -523,7 +527,7 @@ async function forensicsQuery(args, flags) {
 
   const s = ui.spinner('Submitting forensic query');
   try {
-    const body = { query };
+    const body = { query, environment: resolveEnvironment(flags, 'production') };
     const resolved = await resolveAppId(flags);
     if (resolved) {
       body.applicationId = resolved.id;
@@ -650,7 +654,10 @@ async function forensicsChat(args, flags) {
   console.log(ui.c.dim(`  App: ${resolved.key} (${resolved.id})`));
   console.log(ui.c.dim('  Type your question, or "exit" to quit.\n'));
 
-  let conversationId = null;
+  const environment = resolveEnvironment(flags, 'production');
+  console.log(ui.c.dim(`  Env: ${environment}`));
+
+  let conversationId = null;
 
   const readline = require('readline');
   const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
@@ -670,7 +677,7 @@ async function forensicsChat(args, flags) {
 
       const s = ui.spinner('Thinking');
       try {
-        const body = { message, applicationKey: resolved.key };
+        const body = { message, applicationKey: resolved.key, environment };
         if (conversationId) body.conversationId = conversationId;
 
         const chatRes = await api.post('/forensics/chat', body);
@@ -680,7 +687,7 @@ async function forensicsChat(args, flags) {
           let result;
           for (let i = 0; i < 150; i++) {
             await new Promise(r => setTimeout(r, 2000));
-            result = await api.get(`/forensics/chat/status/${conversationId}`);
+            result = await api.get(`/forensics/chat/status/${conversationId}`, { query: { environment } });
             if (result.status === 'complete' || result.status === 'failed' || result.status === 'awaiting_confirmation') break;
             const progress = result._progress;
             if (progress?.action) s.update(progress.action);
@@ -698,11 +705,11 @@ async function forensicsChat(args, flags) {
             const proceed = await ui.confirm('Proceed with this query?');
             if (proceed) {
               const cs = ui.spinner('Executing query');
-              await api.post(`/forensics/chat/confirm/${conversationId}`);
+              await api.post(`/forensics/chat/confirm/${conversationId}`, { environment });
               let confirmResult;
               for (let i = 0; i < 90; i++) {
                 await new Promise(r => setTimeout(r, 2000));
-                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`);
+                confirmResult = await api.get(`/forensics/chat/status/${conversationId}`, { query: { environment } });
                 if (confirmResult.status !== 'processing') break;
               }
               cs.stop('Done');
@@ -836,9 +843,14 @@ async function ipTraces(args, flags) {
     process.exit(1);
   }
 
-  const s = ui.spinner(`Fetching traces for ${ip}`);
-  try {
-    const data = await api.get(`/ip/${ip}/traces`);
+  const s = ui.spinner(`Fetching traces for ${ip}`);
+  try {
+    const query = {};
+    const appKey = resolveApp(flags);
+    if (appKey) query.appKeys = appKey;
+    const environment = resolveEnvironment(flags, null);
+    if (environment) query.environment = environment;
+    const data = await api.get(`/ip/${ip}/traces`, { query });
     const traces = data.traces || [];
     s.stop(`Found ${traces.length} trace${traces.length !== 1 ? 's' : ''}`);
 

package/cli/utils.js

@@ -4,6 +4,7 @@ const fs = require('fs');
 const ui = require('./ui');
 const cidrLib = require('../cidr');
 const { redactSensitiveData, DEFAULT_SENSITIVE_FIELDS } = require('../nextjs-middleware');
+const appConfig = require('../app-config');
 
 // ── redact ──
 
@@ -38,7 +39,7 @@ function redact(args, flags) {
   const extra = flags.fields
     ? String(flags.fields).split(',').map((s) => s.trim()).filter(Boolean)
     : [];
-  const envExtra = (process.env.SECURENOW_SENSITIVE_FIELDS || '')
+  const envExtra = (appConfig.env('SECURENOW_SENSITIVE_FIELDS') || '')
     .split(',').map((s) => s.trim()).filter(Boolean);
   const fields = [...DEFAULT_SENSITIVE_FIELDS, ...envExtra, ...extra];
 

package/cli.js

@@ -39,11 +39,13 @@ function parseArgs(argv) {
 // ── Command Registry ──
 
 const COMMANDS = {
-  init: {
-    desc: 'Set up SecureNow in the current project (instrumentation, config, env)',
-    usage: 'securenow init [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
-    flags: {
-      key: 'API key to write to .env',
+  init: {
+    desc: 'Set up SecureNow in the current project (instrumentation + .securenow credentials)',
+    usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
+    flags: {
+      env: 'Deployment environment to write into .securenow/credentials.json (default: local)',
+      environment: 'Alias for --env',
+      key: 'Firewall API key to write to .securenow/credentials.json',
       'api-key': 'Alias for --key',
       typescript: 'Force TypeScript',
       javascript: 'Force JavaScript',
@@ -73,7 +75,7 @@ const COMMANDS = {
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
   },
-  'api-key': {
+  'api-key': {
     desc: 'Manage the firewall API key stored in .securenow/credentials.json',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
@@ -95,8 +97,27 @@ const COMMANDS = {
         run: () => require('./cli/apiKey').show(),
       },
     },
-    defaultSub: 'show',
-  },
+    defaultSub: 'show',
+  },
+  credentials: {
+    desc: 'Create production/runtime SecureNow credentials files',
+    usage: 'securenow credentials <subcommand> [options]',
+    sub: {
+      runtime: {
+        desc: 'Write tokenless runtime credentials for production file-based deploys',
+        usage: 'securenow credentials runtime [--env production] [--out .securenow/credentials.production.json] [--stdout]',
+        flags: {
+          env: 'Deployment environment for this runtime file (default: production)',
+          environment: 'Alias for --env',
+          out: 'Output path (default: .securenow/credentials.<env>.json)',
+          output: 'Alias for --out',
+          stdout: 'Print JSON to stdout instead of writing a file',
+        },
+        run: (a, f) => require('./cli/credentials').runtime(a, f),
+      },
+    },
+    defaultSub: 'runtime',
+  },
   apps: {
     desc: 'Manage applications',
     usage: 'securenow apps <subcommand> [options]',
@@ -115,9 +136,9 @@ const COMMANDS = {
     desc: 'View and analyze traces',
     usage: 'securenow traces <subcommand> [options]',
     sub: {
-      list: { desc: 'List recent traces', flags: { app: 'App key', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
-      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
-      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
+      list: { desc: 'List recent traces', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results', start: 'Start time', end: 'End time' }, run: (a, f) => require('./cli/monitor').tracesList(a, f) },
+      show: { desc: 'Show trace details', usage: 'securenow traces show <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesShow(a, f) },
+      analyze: { desc: 'AI-analyze a trace', usage: 'securenow traces analyze <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').tracesAnalyze(a, f) },
     },
     defaultSub: 'list',
   },
@@ -125,8 +146,8 @@ const COMMANDS = {
     desc: 'View application logs',
     usage: 'securenow logs [options]',
     sub: {
-      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
-      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
+      list: { desc: 'List recent logs', flags: { app: 'App key', env: 'Environment (production, staging, preview, local, or all)', environment: 'Alias for --env', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
+      trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
     },
     defaultSub: 'list',
   },
@@ -182,11 +203,11 @@ const COMMANDS = {
     usage: 'securenow firewall <subcommand> [options]',
     flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
-      status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
+      status: { desc: 'Show firewall status, layers, and blocklist info', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').status(a, f) },
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
-      enable: { desc: 'Turn the firewall ON for an app', usage: 'securenow firewall enable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
-      disable: { desc: 'Turn the firewall OFF for an app', usage: 'securenow firewall disable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
+      enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
+      disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',
   },
@@ -227,7 +248,7 @@ const COMMANDS = {
     usage: 'securenow ip <ip-address>',
     sub: {
       lookup: { desc: 'Look up IP intelligence', run: (a, f) => require('./cli/security').ipLookup(a, f) },
-      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip>', run: (a, f) => require('./cli/security').ipTraces(a, f) },
+      traces: { desc: 'Show traces for an IP', usage: 'securenow ip traces <ip> [--env production]', flags: { app: 'App key', env: 'Environment', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').ipTraces(a, f) },
     },
     defaultAction: (a, f) => require('./cli/security').ipLookup(a, f),
   },
@@ -235,8 +256,8 @@ const COMMANDS = {
     desc: 'Run forensic queries (natural language → SQL)',
     usage: 'securenow forensics <query> [--app <key>]',
     sub: {
-      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
-      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key>', flags: { app: 'App key to chat with' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
+      query: { desc: 'Run a forensic query', flags: { app: 'App key to scope query', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsQuery(a, f) },
+      chat: { desc: 'Interactive forensics chat (scoped to an app)', usage: 'securenow forensics chat --app <key> [--env production]', flags: { app: 'App key to chat with', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/security').forensicsChat(a, f) },
       library: { desc: 'View saved queries', run: (a, f) => require('./cli/security').forensicsLibrary(a, f) },
     },
     defaultAction: (a, f) => require('./cli/security').forensicsQuery(a, f),
@@ -255,11 +276,16 @@ const COMMANDS = {
     usage: 'securenow analytics [--app <key>]',
     run: (a, f) => require('./cli/security').analytics(a, f),
   },
-  status: {
-    desc: 'Dashboard overview',
-    usage: 'securenow status [--app <key>]',
-    run: (a, f) => require('./cli/monitor').status(a, f),
-  },
+  status: {
+    desc: 'Dashboard overview',
+    usage: 'securenow status [--app <key>] [--env local|production|all]',
+    flags: {
+      app: 'App key to highlight',
+      env: 'Environment to display in protection summary (default: credentials file, use all for every env)',
+      environment: 'Alias for --env',
+    },
+    run: (a, f) => require('./cli/monitor').status(a, f),
+  },
   config: {
     desc: 'Manage CLI configuration',
     usage: 'securenow config <set|get> [key] [value]',
@@ -343,30 +369,36 @@ const COMMANDS = {
   log: {
     desc: 'Emit logs via OTLP (for scripts, cron, debugging)',
     usage: 'securenow log send <message> [--level info|warn|error] [--attrs k=v,k=v]',
-    sub: {
-      send: {
-        desc: 'Send a single log record to the OTLP collector',
-        flags: {
-          level: 'Severity (trace|debug|info|warn|error|fatal)',
-          attrs: 'Comma-separated key=value attributes',
-        },
+    sub: {
+      send: {
+        desc: 'Send a single log record to the OTLP collector',
+        flags: {
+          env: 'Deployment environment for this log (defaults to credentials file)',
+          environment: 'Alias for --env',
+          level: 'Severity (trace|debug|info|warn|error|fatal)',
+          attrs: 'Comma-separated key=value attributes',
+        },
         run: (a, f) => require('./cli/diagnostics').logSend(a, f),
       },
     },
     defaultSub: 'send',
   },
-  'test-span': {
-    desc: 'Emit a test span to verify collector connectivity',
-    usage: 'securenow test-span [<span-name>]',
-    run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
-  },
+  'test-span': {
+    desc: 'Emit a test span to verify collector connectivity',
+    usage: 'securenow test-span [<span-name>] [--env local|production]',
+    flags: {
+      env: 'Deployment environment for this span (defaults to credentials file)',
+      environment: 'Alias for --env',
+    },
+    run: (a, f) => require('./cli/diagnostics').testSpan(a, f),
+  },
   doctor: {
     desc: 'Diagnose SecureNow configuration and collector connectivity',
     usage: 'securenow doctor [--json]',
     run: (a, f) => require('./cli/diagnostics').doctor(a, f),
   },
   env: {
-    desc: 'Show resolved SecureNow configuration (service name, endpoints, env vars)',
+    desc: 'Show resolved SecureNow configuration (service name, endpoints, credentials)',
     usage: 'securenow env [--json]',
     run: (a, f) => require('./cli/diagnostics').env(a, f),
   },
@@ -434,7 +466,7 @@ function showHelp(commandName) {
 
   const groups = {
     'Run': ['run'],
-    'Authentication': ['login', 'logout', 'whoami'],
+    'Authentication': ['login', 'logout', 'whoami', 'credentials'],
     'Applications': ['apps', 'init', 'status'],
     'Observe': ['traces', 'logs', 'analytics'],
     'Detect & Respond': ['notifications', 'alerts', 'fp'],

package/console-instrumentation.js

@@ -7,7 +7,7 @@
  * to automatically send logs to OpenTelemetry / any OTLP-compatible backend.
  * 
  * Usage:
- *   1. Enable logging: SECURENOW_LOGGING_ENABLED=1
+ *   1. Run `npx securenow login` / `npx securenow init` so credentials defaults exist
  *   2. Import this file AFTER securenow is initialized
  *   3. Use console.log/info/warn/error as normal
  *