securenow 7.5.1 → 7.6.1

package/register.js

@@ -6,13 +6,13 @@
 // On older Node versions it falls back to a warning.
 'use strict';
 
-// 1. load .env before anything else
-try {
-  require('dotenv').config();
-  console.log('[securenow] dotenv loaded from', process.env.DOTENV_CONFIG_PATH || '.env');
-} catch (e) {
-  console.warn('[securenow] dotenv not found or failed to load');
-}
+// 1. Load dotenv quietly only for legacy installs. Normal local and production
+// configuration comes from .securenow/credentials.json via app-config.js.
+try {
+  require('dotenv').config();
+} catch (e) {
+  // dotenv is optional.
+}
 
 // 2. Auto-register the ESM loader hook so customers never need --import
 (() => {
@@ -22,7 +22,7 @@ try {
     const pkgPath = path.resolve(process.cwd(), 'package.json');
     if (!fs.existsSync(pkgPath)) return;
 
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8').replace(/^\uFEFF/, ''));
     if (pkg.type !== 'module') return;
 
     // Already registered via --import?

package/resolve-ip.js

@@ -1,14 +1,13 @@
 'use strict';
 
-const os = require('os');
+const os = require('os');
+const appConfig = require('./app-config');
 
 const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
 const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
 
-const trustedProxyCsv = (process.env.SECURENOW_TRUSTED_PROXIES || '').trim();
-const trustedProxySet = trustedProxyCsv
-  ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean))
-  : null;
+const trustedProxies = appConfig.listEnv('SECURENOW_TRUSTED_PROXIES');
+const trustedProxySet = trustedProxies.length ? new Set(trustedProxies) : null;
 
 let _hostIp = null;
 function getHostIp() {

package/tracing.d.ts

@@ -142,7 +142,7 @@ export function getLogger(name?: string, version?: string): Logger | null;
 /**
  * Check if logging is enabled
  * 
- * @returns true if SECURENOW_LOGGING_ENABLED=1, false otherwise
+ * @returns true when logging resolves enabled from .securenow/credentials.json defaults
  * 
  * @example
  * ```typescript
@@ -162,22 +162,24 @@ export function isLoggingEnabled(): boolean;
 export const loggerProvider: LoggerProvider | null;
 
 /**
- * Environment Variables (same as register.js):
- * 
- * Required:
- * - SECURENOW_APPID=your-app-name
- * - SECURENOW_INSTANCE=http://host:4318
- * 
- * Optional:
- * - SECURENOW_LOGGING_ENABLED=1             # Enable logging (default: 1)
- * - SECURENOW_NO_UUID=1
- * - SECURENOW_STRICT=1
- * - SECURENOW_CAPTURE_BODY=1
- * - SECURENOW_MAX_BODY_SIZE=10240
- * - SECURENOW_SENSITIVE_FIELDS=field1,field2
- * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2
- * - OTEL_LOG_LEVEL=info|debug
- * - SECURENOW_TEST_SPAN=1
- * - SECURENOW_TRUSTED_PROXIES=ip1,ip2       # Additional trusted proxy IPs for X-Forwarded-For
- * - OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=...    # Override logs endpoint
+ * Configuration:
+ *
+ * Local development reads .securenow/credentials.json first. Run
+ * `npx securenow login` to write app identity/firewall key and
+ * `npx securenow init` to ensure secure defaults and explanations.
+ *
+ * Production uses the same file shape. Run
+ * `npx securenow credentials runtime --env production`, then mount/copy the
+ * generated JSON to .securenow/credentials.json in the running app.
+ *
+ * Main config fields:
+ * - app.key / app.name / app.instance
+ * - apiKey
+ * - config.runtime.deploymentEnvironment
+ * - config.logging.enabled
+ * - config.capture.body / multipart / maxBodySize / sensitiveFields
+ * - config.otel.endpoint / tracesEndpoint / logsEndpoint / headers
+ * - config.firewall.enabled and layer/provider options
+ *
+ * Legacy env vars are fallback-only for existing installs.
  */

package/tracing.js

@@ -38,17 +38,9 @@ const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventi
 const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
 const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongodb');
 const { v4: uuidv4 } = require('uuid');
+const appConfig = require('./app-config');
 
-const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-const parseHeaders = str => {
-  const out = {}; if (!str) return out;
-  for (const raw of String(str).split(',')) {
-    const s = raw.trim(); if (!s) continue;
-    const i = s.indexOf('='); if (i === -1) continue;
-    out[s.slice(0, i).trim().toLowerCase()] = s.slice(i + 1).trim();
-  }
-  return out;
-};
+const env = appConfig.env;
 
 // Default sensitive fields to redact from request bodies
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -273,35 +265,31 @@ const diagLevel = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
 })();
 
 // -------- endpoints & app resolution --------
-// Resolution order for endpoint/appId/apiKey: env → .securenow/credentials.json → package.json#name → defaults.
-const appConfig = require('./app-config');
+// Resolution order for endpoint/appId/apiKey: .securenow/credentials.json -> legacy env fallback -> package.json#name -> defaults.
 const resolvedApp = appConfig.resolveAll();
+const resolvedEndpoints = appConfig.resolveEndpoints();
 
-const endpointBase = resolvedApp.instance.replace(/\/$/, '');
-const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
+const endpointBase = resolvedEndpoints.endpointBase;
+const tracesUrl = resolvedEndpoints.tracesUrl;
+const logsUrl = resolvedEndpoints.logsUrl;
 
-// If the credentials file provided an app key and no OTLP headers are set,
-// surface it as x-api-key so the collector can route telemetry to the right app bucket.
-if (resolvedApp.appKey && !env('OTEL_EXPORTER_OTLP_HEADERS') && !env('SECURENOW_API_KEY')) {
-  process.env.SECURENOW_API_KEY = resolvedApp.appKey;
-  process.env.OTEL_EXPORTER_OTLP_HEADERS = `x-api-key=${resolvedApp.appKey}`;
-}
-const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+// resolveEndpoints() also adds x-api-key from the credentials app key when
+// explicit OTLP headers did not provide one.
+const headers = resolvedEndpoints.headers;
 
 // -------- naming rules --------
 const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 // Auto-disables the per-worker suffix when we resolved a routing UUID from
 // credentials — the dashboard does exact-match IN on service.name, so any
-// suffix breaks routing. Env SECURENOW_NO_UUID=0|1 still overrides.
+// suffix breaks routing. config.runtime.noUuid can override.
 const noUuid   = appConfig.resolveNoUuid();
 const strict   = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
 const inPm2Cluster = !!(process.env.NODE_APP_INSTANCE || process.env.pm_id);
 
 // Fail fast in cluster if base is missing (no more "free" names)
 if (!baseName && inPm2Cluster && strict) {
-  console.error('[securenow] FATAL: SECURENOW_APPID/OTEL_SERVICE_NAME missing in cluster (pid=%d). Exiting due to SECURENOW_STRICT=1.', process.pid);
+  console.error('[securenow] FATAL: app identity missing in cluster (pid=%d). Exiting due to config.runtime.strict=true.', process.pid);
   // small delay so the log flushes
   setTimeout(() => process.exit(1), 10);
 }
@@ -336,7 +324,7 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 }
 
 // -------- Body Capture Configuration --------
-// Opt-out defaults: set =0 or =false to disable.
+// Opt-out defaults: set config.capture.body=false to disable.
 const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
 const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
@@ -481,7 +469,7 @@ const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLE
 const sharedResource = new Resource({
   [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
   [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
-  [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || 'production',
+  [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: appConfig.resolveDeploymentEnvironment(),
   [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
 });
 
@@ -591,7 +579,7 @@ const sdk = new NodeSDK({
     if (loggingEnabled) {
       console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
     } else {
-      console.log('[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)');
+      console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
     }
     if (captureBody) {
       console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
@@ -614,21 +602,25 @@ const sdk = new NodeSDK({
     // Firewall — auto-activates only when a real snk_live_ key is resolvable.
     // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
     // only an app-routing UUID (or nothing at all) — no 401 polling loops.
-    const firewallApiKey = appConfig.resolveApiKey();
-    const firewallAppKey = appConfig.resolveAppKey();
-    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    const firewallOptions = appConfig.resolveFirewallOptions();
+    if (firewallOptions.apiKey && firewallOptions.enabled) {
       require('./firewall').init({
-        apiKey: firewallApiKey,
-        appKey: firewallAppKey || null,
-        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-        log: env('SECURENOW_FIREWALL_LOG') !== '0',
-        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
       });
     }
   } catch (e) {
@@ -659,7 +651,7 @@ module.exports = {
   loggerProvider,
   getLogger: (name = 'default', version = '1.0.0') => {
     if (!loggerProvider) {
-      console.warn('[securenow] Logging is disabled (SECURENOW_LOGGING_ENABLED=0). Remove the override to enable.');
+      console.warn('[securenow] Logging is disabled (config.logging.enabled=false). Enable it in .securenow/credentials.json to use getLogger().');
       return null;
     }
     return loggerProvider.getLogger(name, version);