securenow 7.6.6 → 7.6.8

package/NPM_README.md

@@ -59,7 +59,7 @@ yarn add securenow
 
 ### 1. Automatic Setup (Recommended)
 
-Run login — it's a browser flow that picks or creates an app and connects the firewall automatically:
+Run login - it is a browser flow that picks or creates an app and connects the firewall automatically:
 
 ```bash
 npx securenow login
@@ -138,7 +138,7 @@ You'll see confirmation in the console:
 
 The `securenow` CLI gives you full access to the SecureNow platform from the terminal -- no browser required for day-to-day workflows. Zero additional dependencies.
 
-**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` → `securenow redact`, `createMatcher` → `securenow cidr match`, `getLogger().emit()` → `securenow log send`, `SECURENOW_TEST_SPAN` → `securenow test-span`, `node -r securenow/firewall-only` → `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
+**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, `SECURENOW_TEST_SPAN` -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
 
 ### Getting Started
 
@@ -326,7 +326,7 @@ npx securenow instances test <id>
 
 ### False-Positive Management
 
-Full FP triage from the terminal — no dashboard required.
+Full FP triage from the terminal - no dashboard required.
 
 ```bash
 # Browse & inspect rules
@@ -380,7 +380,7 @@ SDK helpers surfaced as CLI commands so agents (and humans) can validate behavio
 npx securenow redact '{"user":"alice","password":"s3cret","card":"4242"}'
 npx securenow redact @request.json --fields internal_id,sessionHash
 
-# CIDR — match an IP against a list, or parse a range
+# CIDR - match an IP against a list, or parse a range
 npx securenow cidr match 10.0.0.5 10.0.0.0/8,192.168.1.0/24  # exit 0 = hit, 2 = miss
 npx securenow cidr parse 10.0.0.0/24                         # network, broadcast, mask, size
 
@@ -416,7 +416,7 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
 | `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
 
-**Resolution order:** project `.securenow/credentials.json` → global `~/.securenow/credentials.json`. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Legacy CLI token overrides still work for existing automation.
 
 ### Global Flags
 
@@ -432,7 +432,7 @@ Every command supports these flags:
 
 | Variable | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | JWT token — overrides all file-based credentials |
+| `SECURENOW_TOKEN` | JWT token - overrides all file-based credentials |
 | `SECURENOW_API_URL` | Override the API base URL |
 | `SECURENOW_DEBUG` | Show stack traces on errors |
 | `NO_COLOR` | Disable colored output |
@@ -442,11 +442,11 @@ Every command supports these flags:
 Project-local credentials are the default, so separate projects can use separate SecureNow apps on the same machine:
 
 ```bash
-# In project A — log in as user-a@company.com
+# In project A - log in as user-a@company.com
 cd ~/projects/project-a
 npx securenow login
 
-# In project B — log in as user-b@company.com
+# In project B - log in as user-b@company.com
 cd ~/projects/project-b
 npx securenow login
 
@@ -935,7 +935,7 @@ app.listen(3000, () => console.log('Feathers running on port 3000'));
 
 ### Next.js
 
-See [Next.js Complete Guide](./docs/NEXTJS-SETUP-COMPLETE.md) for the full reference.
+Use `npx securenow init` for the current Next.js integration; it creates or prints the exact merge instructions for `instrumentation.ts` and `next.config.*`.
 
 #### Option A: `securenow init` (Recommended)
 
@@ -1101,7 +1101,7 @@ If you only need IP blocking without OpenTelemetry tracing overhead, use the sta
 # Manual preload flag
 node -r securenow/firewall-only app.js
 
-# Or via the CLI (v6.1.0+) — same effect, clearer intent
+# Or via the CLI (v6.1.0+) - same effect, clearer intent
 securenow run --firewall-only app.js
 ```
 
@@ -1153,7 +1153,7 @@ npx securenow firewall status
 
 Or create one from the dashboard with the `firewall:read` scope.
 
-See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for the full reference.
+Use `npx securenow firewall status`, `npx securenow firewall apps`, and `npx securenow help firewall` for the current firewall reference.
 
 ---
 
@@ -1161,7 +1161,7 @@ See the [Firewall Guide](./docs/FIREWALL-GUIDE.md) for the full reference.
 
 Local development and production use `.securenow/credentials.json`. Run `npx securenow login` and `npx securenow init`; for production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json`.
 
-See [docs/ENVIRONMENT-VARIABLES.md](./docs/ENVIRONMENT-VARIABLES.md) and [docs/ENVIRONMENTS.md](./docs/ENVIRONMENTS.md) for the full credentials and environment reference.
+Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env --json` to inspect resolved settings without exposing secrets.
 
 ### Credentials Fields
 
@@ -1247,7 +1247,7 @@ Legacy env fallback aliases are listed below for existing installs only.
 | `SECURENOW_FIREWALL_CLOUD_DRY_RUN` | Log cloud pushes without applying changes. | `0` |
 | `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs. | - |
 
-See [Firewall Guide](./docs/FIREWALL-GUIDE.md) for complete details on all layers.
+Use `npx securenow help firewall` for complete details on all layers.
 
 #### Debugging
 

package/README.md

@@ -1,12 +1,12 @@
 # SecureNow
 
-Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt — traces, logs, body capture, and IP firewall in one install. **No env vars. No copy-pasting keys.**
+Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt: traces, logs, body capture, and IP firewall in one install. **No env vars. No copy-pasting keys.**
 
 **Official npm package:** [securenow](http://securenow.ai/)
 
 ---
 
-## 🚀 30-second setup
+## 30-second setup
 
 ```bash
 # 1. Install
@@ -17,7 +17,7 @@ npm install securenow
 #    a scoped firewall API key in the same file - no env vars.
 npx securenow login
 
-# 3. Start your app — one flag is all it takes
+# 3. Start your app - one flag is all it takes
 node -r securenow/register src/index.js
 ```
 
@@ -108,7 +108,7 @@ const nextConfig = {
 export default nextConfig;
 ```
 
-If a custom config or existing instrumentation file needs human judgment, `init` prints a Codex/Claude-ready prompt with the exact edits to merge. See [Next.js Complete Guide](./docs/NEXTJS-GUIDE.md).
+If a custom config or existing instrumentation file needs human judgment, `init` prints a Codex/Claude-ready prompt with the exact edits to merge.
 
 ### Nuxt 3
 
@@ -119,18 +119,18 @@ export default defineNuxtConfig({
 });
 ```
 
-See [Nuxt 3 Guide](./docs/NUXT-GUIDE.md).
+Run `npx securenow init` after installing so the credentials file and secure defaults are created before the app starts.
 
 ---
 
 ## What's captured automatically
 
-- ✅ HTTP spans (Express, Fastify, NestJS, Koa, Hapi, Next.js, Nuxt, raw `http`)
-- ✅ Database spans (Postgres, MySQL, MongoDB, Redis)
-- ✅ `console.log/info/warn/error/debug` forwarded as OTLP logs with trace correlation
-- ✅ Request body capture (JSON, GraphQL, form-encoded) with auto-redaction of `password`, `token`, `api_key`, `authorization`, `cookie`, etc.
-- ✅ Multipart upload metadata (field names, file names, sizes, content-types — never file content)
-- ✅ Firewall (500k+ known-bad IPs, refreshed hourly) — activates as soon as you've logged in
+- HTTP spans (Express, Fastify, NestJS, Koa, Hapi, Next.js, Nuxt, raw `http`)
+- Database spans (Postgres, MySQL, MongoDB, Redis)
+- `console.log/info/warn/error/debug` forwarded as OTLP logs with trace correlation
+- Request body capture (JSON, GraphQL, form-encoded) with auto-redaction of `password`, `token`, `api_key`, `authorization`, `cookie`, etc.
+- Multipart upload metadata (field names, file names, sizes, content-types; never file content)
+- Firewall protection from the selected app's SecureNow blocklist and IPDB sync - activates as soon as you've logged in
 
 All of these are **on by default**. Tune them in `.securenow/credentials.json` under the `config` block.
 
@@ -235,7 +235,7 @@ Legacy env fallback aliases:
 
 | Variable | Default | Purpose |
 |---|---|---|
-| `SECURENOW_APPID` | from credentials file | App routing key (UUID) — sent as OTel `service.name` |
+| `SECURENOW_APPID` | from credentials file | App routing key (UUID), sent as OTel `service.name` |
 | `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
 | `SECURENOW_API_KEY` | from credentials file | Scoped firewall API key (`snk_live_...`) |
 | `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
@@ -243,26 +243,26 @@ Legacy env fallback aliases:
 | `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
 | `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
 | `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | — | Comma-separated OTel instrumentations to disable. |
+| `SECURENOW_DISABLE_INSTRUMENTATIONS` | - | Comma-separated OTel instrumentations to disable. |
 | `SECURENOW_NO_UUID` | `0` | Don't append a UUID to `service.instance.id`. |
 | `SECURENOW_STRICT` | `0` | Exit with code 1 if `SECURENOW_APPID` is missing in a PM2 cluster. |
-| `OTEL_EXPORTER_OTLP_HEADERS` | — | Raw OTLP headers (e.g. `x-api-key=...`). |
-| `OTEL_LOG_LEVEL` | — | `debug`/`info`/`warn`/`error`. |
+| `OTEL_EXPORTER_OTLP_HEADERS` | - | Raw OTLP headers (e.g. `x-api-key=...`). |
+| `OTEL_LOG_LEVEL` | - | `debug`/`info`/`warn`/`error`. |
 
-Full list: [docs/ENVIRONMENT-VARIABLES.md](./docs/ENVIRONMENT-VARIABLES.md).
+New installs should use `.securenow/credentials.json`; environment variables remain legacy fallbacks for existing deployments.
 
 ---
 
 ## Supported frameworks
 
 ### Web
-Next.js (App & Pages Router) · Nuxt 3 · Express · Fastify · NestJS · Koa · Hapi
+Next.js (App & Pages Router), Nuxt 3, Express, Fastify, NestJS, Koa, Hapi
 
 ### Databases
-PostgreSQL · MySQL / MySQL2 · MongoDB · Redis
+PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 
 ### Other
-HTTP/HTTPS · GraphQL · gRPC · and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
+HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
 
 > MongoDB instrumentation is opt-in (`SECURENOW_ENABLE_MONGODB_INSTRUMENTATION=1`) because older versions corrupted cursors on `mongodb@6.6+`. Safe again since SDK v6.0.2.
 
@@ -270,23 +270,7 @@ HTTP/HTTPS · GraphQL · gRPC · and many more via [@opentelemetry/auto-instrume
 
 ## Documentation
 
-### Quick Starts
-- [Next.js Quick Start](./docs/NEXTJS-QUICKSTART.md)
-- [Nuxt 3 Guide](./docs/NUXT-GUIDE.md)
-- [All Frameworks](./docs/ALL-FRAMEWORKS-QUICKSTART.md)
-- [Logging Quick Start](./docs/LOGGING-QUICKSTART.md)
-
-### Complete Guides
-- [Firewall](./docs/FIREWALL-GUIDE.md)
-- [API Keys](./docs/API-KEYS-GUIDE.md)
-- [MCP](./docs/MCP-GUIDE.md)
-- [Next.js Complete](./docs/NEXTJS-GUIDE.md)
-- [Nuxt 3 Complete](./docs/NUXT-GUIDE.md)
-- [Logging Complete](./docs/LOGGING-GUIDE.md)
-- [📚 All Docs](./docs/INDEX.md)
-
-### Examples
-- [Code Examples](./examples/)
+The npm package ships the current setup references: this README, `NPM_README.md`, `SKILL-API.md`, `SKILL-CLI.md`, and the MCP resources exposed by `npx securenow mcp`. Older long-form guides are kept in the repository only so customer installs do not receive stale `.env`-first instructions.
 
 ---
 
@@ -424,7 +408,7 @@ Override the dashboard API with `securenow config set apiUrl <url>`.
 ## Support
 
 - **Website:** [securenow.ai](http://securenow.ai/)
-- **Docs:** see `docs/` folder
+- **Docs:** this README, `NPM_README.md`, `SKILL-API.md`, `SKILL-CLI.md`, and `npx securenow help`
 - **Issues:** report bugs and requests on GitHub
 
 ---

package/app-config.js

@@ -256,9 +256,11 @@ function loadGlobalCredentials() {
 
 function loadCredentials() {
   try {
-    const local = readJsonSafe(resolveLocalCredentialsFile());
-    const global = readJsonSafe(path.join(os.homedir(), '.securenow', 'credentials.json'));
-    return withCredentialDefaults(mergeCredentials(global, local));
+    const localFile = resolveLocalCredentialsFile();
+    if (localFile) {
+      return withCredentialDefaults(readJsonSafe(localFile));
+    }
+    return loadGlobalCredentials();
   } catch {
     return loadLocalCredentials() || loadGlobalCredentials() || null;
   }

package/cli/config.js

@@ -91,9 +91,10 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  const global = loadJSON(CREDENTIALS_FILE);
-  const local = fs.existsSync(LOCAL_CREDENTIALS_FILE) ? loadJSON(LOCAL_CREDENTIALS_FILE) : null;
-  return appConfig.withCredentialDefaults(appConfig.mergeCredentials(global, local)) || {};
+  const credentials = fs.existsSync(LOCAL_CREDENTIALS_FILE)
+    ? loadJSON(LOCAL_CREDENTIALS_FILE)
+    : loadJSON(CREDENTIALS_FILE);
+  return appConfig.withCredentialDefaults(credentials) || {};
 }
 
 function saveCredentials(creds, { local = false } = {}) {

package/cli/diagnostics.js

@@ -21,6 +21,7 @@ function resolvedConfig(options = {}) {
     : '(auto-generated)';
   const apiKey = firewall.apiKey || '';
   const firewallEnabled = !!apiKey && firewall.enabled;
+  const firewallLocalEnabled = firewall.enabled;
 
   return {
     serviceName,
@@ -31,6 +32,7 @@ function resolvedConfig(options = {}) {
     logsEndpoint: endpoints.logsUrl,
     headers: endpoints.headers,
     apiKey,
+    firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
     loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
     captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
@@ -263,21 +265,36 @@ async function logSend(args, flags) {
   }
 }
 
-async function probe(endpoint, timeoutMs = 3000) {
+function okHttpStatus(status) {
+  return status >= 200 && status < 300;
+}
+
+async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000 }) {
   try {
     const res = await httpRequest({
-      method: 'POST',
+      method,
       endpoint,
-      headers: { 'Content-Type': 'application/json' },
-      body: '{}',
+      headers,
+      body,
       timeoutMs,
     });
-    return { ok: true, status: res.status };
+    return {
+      ok: okHttpStatus(res.status),
+      status: res.status,
+      ...(okHttpStatus(res.status) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
+    };
   } catch (err) {
     return { ok: false, error: err.message };
   }
 }
 
+function firewallStatusLabel(cfg) {
+  if (cfg.firewallEnabled) return ui.c.green('enabled');
+  if (!cfg.apiKey) return ui.c.dim('disabled (missing firewall API key)');
+  if (!cfg.firewallLocalEnabled) return ui.c.yellow('disabled (config.firewall.enabled=false)');
+  return ui.c.dim('disabled');
+}
+
 function env(_args, flags) {
   const cfg = resolvedConfig();
   const resolved = {
@@ -294,6 +311,7 @@ function env(_args, flags) {
     captureBody: cfg.captureBody,
     captureMultipart: cfg.captureMultipart,
     noUuid: appConfig.resolveNoUuid(),
+    firewallLocalEnabled: cfg.firewallLocalEnabled,
     firewallLayers: cfg.firewallLayers,
   };
 
@@ -311,7 +329,7 @@ function env(_args, flags) {
     ['Logging', cfg.loggingEnabled ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
-    ['Firewall', cfg.firewallEnabled ? ui.c.green('enabled') : ui.c.dim('disabled (no API key)')],
+    ['Firewall', firewallStatusLabel(cfg)],
   ]);
 
   ui.heading('Resolved credentials');
@@ -325,22 +343,43 @@ async function doctor(_args, flags) {
   const cfg = resolvedConfig();
   const checks = [];
 
-  const spin1 = ui.spinner(`Probing traces endpoint ${cfg.tracesEndpoint}`);
-  const traces = await probe(cfg.tracesEndpoint);
-  if (traces.ok) spin1.stop(`Traces endpoint reachable (HTTP ${traces.status})`);
-  else spin1.fail(`Traces endpoint unreachable: ${traces.error}`);
+  const jsonHeaders = { 'Content-Type': 'application/json', ...cfg.headers };
+
+  const spin1 = ui.spinner(`Sending doctor span to ${cfg.tracesEndpoint}`);
+  const traces = await probe({
+    endpoint: cfg.tracesEndpoint,
+    headers: jsonHeaders,
+    body: JSON.stringify(buildTracePayload(cfg, {
+      name: 'securenow.doctor.probe',
+      attributes: { 'test.source': 'securenow-cli-doctor' },
+    })),
+  });
+  if (traces.ok) spin1.stop(`Traces endpoint accepted probe (HTTP ${traces.status})`);
+  else spin1.fail(`Traces endpoint rejected probe: ${traces.error}`);
   checks.push({ name: 'traces', ...traces });
 
-  const spin2 = ui.spinner(`Probing logs endpoint ${cfg.logsEndpoint}`);
-  const logs = await probe(cfg.logsEndpoint);
-  if (logs.ok) spin2.stop(`Logs endpoint reachable (HTTP ${logs.status})`);
-  else spin2.fail(`Logs endpoint unreachable: ${logs.error}`);
+  const spin2 = ui.spinner(`Sending doctor log to ${cfg.logsEndpoint}`);
+  const logs = await probe({
+    endpoint: cfg.logsEndpoint,
+    headers: jsonHeaders,
+    body: JSON.stringify(buildLogPayload(cfg, {
+      message: 'SecureNow doctor probe',
+      level: 'info',
+      attributes: { 'test.source': 'securenow-cli-doctor' },
+    })),
+  });
+  if (logs.ok) spin2.stop(`Logs endpoint accepted probe (HTTP ${logs.status})`);
+  else spin2.fail(`Logs endpoint rejected probe: ${logs.error}`);
   checks.push({ name: 'logs', ...logs });
 
   const token = config.getToken();
   if (cfg.apiKey || token) {
     const spin3 = ui.spinner(`Probing SecureNow API ${cfg.apiUrl}`);
-    const api = await probe(`${cfg.apiUrl.replace(/\/$/, '')}/health`);
+    const api = await probe({
+      method: 'GET',
+      endpoint: `${cfg.apiUrl.replace(/\/$/, '')}/health`,
+      headers: token ? { Authorization: `Bearer ${token}` } : cfg.apiKey ? { Authorization: `Bearer ${cfg.apiKey}` } : {},
+    });
     if (api.ok) spin3.stop(`API reachable (HTTP ${api.status})`);
     else spin3.fail(`API unreachable: ${api.error}`);
     checks.push({ name: 'api', ...api });

package/cli/run.js

@@ -3,8 +3,24 @@
 const { spawn } = require('child_process');
 const path = require('path');
 const fs = require('fs');
-const ui = require('./ui');
-
+const ui = require('./ui');
+
+const NODE_FLAGS_WITH_VALUE = new Set([
+  '-r',
+  '--require',
+  '--import',
+  '--loader',
+  '--experimental-loader',
+  '--env-file',
+  '--conditions',
+  '-C',
+  '--icu-data-dir',
+  '--inspect-port',
+  '--max-old-space-size',
+  '--stack-trace-limit',
+  '--title',
+]);
+
 function isESM(scriptPath) {
   if (scriptPath.endsWith('.mjs')) return true;
   if (scriptPath.endsWith('.cjs')) return false;
@@ -93,18 +109,31 @@ function run(rawArgs) {
       firewallOnly = true;
       continue;
     }
-    if (args[i].startsWith('-')) {
-      nodeFlags.push(args[i]);
-    } else {
-      scriptIdx = i;
-      break;
+    if (args[i] === '--') {
+      scriptIdx = i + 1;
+      break;
+    }
+    if (args[i].startsWith('-')) {
+      const flag = args[i];
+      nodeFlags.push(flag);
+      const flagName = flag.split('=')[0];
+      if (NODE_FLAGS_WITH_VALUE.has(flagName) && !flag.includes('=')) {
+        if (i + 1 >= args.length) {
+          ui.error(`Node flag ${flag} requires a value.`);
+          process.exit(1);
+        }
+        nodeFlags.push(args[++i]);
+      }
+    } else {
+      scriptIdx = i;
+      break;
     }
   }
 
-  if (scriptIdx === -1) {
-    ui.error('No script path found. Provide a .js/.mjs/.ts file to run.');
-    process.exit(1);
-  }
+  if (scriptIdx === -1 || scriptIdx >= args.length) {
+    ui.error('No script path found. Provide a .js/.mjs/.ts file to run.');
+    process.exit(1);
+  }
 
   const scriptPath = args[scriptIdx];
   const appArgs = args.slice(scriptIdx + 1);

package/firewall-only.js

@@ -12,7 +12,7 @@
  * is resolvable.
  */
 
-try { require('dotenv').config(); } catch (_) {}
+try { require('dotenv').config({ quiet: true }); } catch (_) {}
 
 const appConfig = require('./app-config');
 const firewallOptions = appConfig.resolveFirewallOptions();