securenow 7.6.6 → 7.6.8

package/docs/LOGGING-QUICKSTART.md

@@ -1,221 +0,0 @@
-# SecureNow Logging — Quick Start
-
-Get logging sent to your SecureNow dashboard in under 2 minutes.
-
-**Since v7.0.0:** Logging is **on by default**. `console.log` / `warn` / `error` / `info` / `debug` calls are automatically forwarded as OTLP log records. Disable with `SECURENOW_LOGGING_ENABLED=0` if you don't want it.
-
----
-
-## 1. Install + login
-
-```bash
-npm install securenow
-npx securenow login    # pick/create your app in the browser
-```
-
-`login` writes `.securenow/credentials.json` locally. No `.env` setup required.
-
----
-
-## 2. Add to Your App
-
-**Option A: Automatic Console Logging (Easiest)**
-
-Add this line at the top of your main file:
-
-```javascript
-// app.js, index.js, server.js, or main.ts
-require('securenow/register');
-
-// That's it! Now use console normally
-console.log('App started');
-console.error('An error occurred', { userId: 123 });
-```
-
-**Option B: Use NODE_OPTIONS (No code changes)**
-
-```bash
-NODE_OPTIONS="-r securenow/register" node app.js
-```
-
----
-
-## 3. Run Your App
-
-```bash
-node app.js
-# or
-npm start
-```
-
-You should see:
-
-```
-[securenow] OTel SDK started → http://your-otlp-backend:4318/v1/traces
-[securenow] 📋 Logging: ENABLED → http://your-otlp-backend:4318/v1/logs
-```
-
----
-
-## 4. View Logs in SecureNow
-
-1. Open your SecureNow dashboard
-2. Go to **Logs** section
-3. Your logs appear under the app you picked during `securenow login`
-4. All logs come with automatic trace correlation
-
-Or from the CLI:
-
-```bash
-npx securenow logs --minutes 5
-```
-
----
-
-## Framework-Specific Examples
-
-### Express.js
-
-```javascript
-// app.js
-require('securenow/register');
-
-const express = require('express');
-const app = express();
-
-app.get('/', (req, res) => {
-  console.log('Request received');
-  res.send('Hello World');
-});
-
-app.listen(3000);
-```
-
-### Next.js
-
-```typescript
-// instrumentation.ts (in project root)
-import { registerSecureNow } from 'securenow/nextjs';
-export function register() {
-  registerSecureNow();
-}
-```
-
-No `.env.local` needed — credentials come from `.securenow/credentials.json` after `npx securenow login`.
-
-### Fastify
-
-```javascript
-// server.js
-require('securenow/register');
-
-const fastify = require('fastify')();
-
-fastify.get('/', async () => {
-  console.log('Route called');
-  return { hello: 'world' };
-});
-
-fastify.listen({ port: 3000 });
-```
-
-### NestJS
-
-```typescript
-// main.ts
-require('securenow/register');
-
-import { NestFactory } from '@nestjs/core';
-import { AppModule } from './app.module';
-
-async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
-  console.log('App starting');
-  await app.listen(3000);
-}
-
-bootstrap();
-```
-
----
-
-## Troubleshooting
-
-**Logs not appearing?**
-
-1. Check `.securenow/credentials.json` exists (run `npx securenow whoami`).
-2. Confirm `SECURENOW_LOGGING_ENABLED` is not set to `0`.
-3. Run `npx securenow doctor` — it probes the full pipeline and reports the failure mode.
-4. Enable verbose output: `OTEL_LOG_LEVEL=debug`.
-
-**Console logs not forwarding?**
-
-Load `securenow/register` before other app code so logging hooks run first:
-
-```javascript
-// ✅ Correct
-require('securenow/register');  // First
-
-// ❌ Wrong
-require('express');
-require('securenow/register');  // Too late!
-```
-
----
-
-## What Gets Logged?
-
-All standard console methods:
-
-- `console.log()` → INFO
-- `console.info()` → INFO
-- `console.warn()` → WARN
-- `console.error()` → ERROR
-- `console.debug()` → DEBUG
-
-**Structured logging example:**
-
-```javascript
-console.log('User logged in', {
-  userId: 123,
-  email: 'user@example.com',
-  ip: '192.168.1.1'
-});
-```
-
-This creates a log with attributes you can filter/search in SecureNow!
-
----
-
-## Advanced Usage
-
-**Direct Logger API:**
-
-```javascript
-const { getLogger } = require('securenow/tracing');
-const logger = getLogger('my-module', '1.0.0');
-
-logger.emit({
-  severityNumber: 9,
-  severityText: 'INFO',
-  body: 'Custom log message',
-  attributes: {
-    customField: 'value',
-  },
-});
-```
-
----
-
-## Next Steps
-
-- [Complete Logging Guide](./LOGGING-GUIDE.md) - All features and options
-- [SecureNow](https://securenow.ai/)
-- [Documentation](./INDEX.md)
-- [Combine with Tracing](../README.md) - Full observability
-
----
-
-**That's it!** 🎉 Your app is now sending logs to SecureNow.
-
-Need help? Check the [full documentation](./LOGGING-GUIDE.md) or open an issue.

package/docs/MCP-GUIDE.md

@@ -1,58 +0,0 @@
-# SecureNow MCP Guide
-
-SecureNow ships an MCP server for agent clients such as Codex and Claude.
-
-## Local stdio MCP
-
-Use this when the agent is running on the same machine as your project:
-
-```bash
-npx securenow login
-codex mcp add securenow -- npx securenow mcp
-```
-
-You can also run the server directly:
-
-```bash
-npx -p securenow securenow-mcp
-```
-
-The local MCP server reads the same project-local `.securenow/credentials.json`
-as the CLI and SDK. No production deployment is required.
-
-## Environment Scope
-
-MCP tools use the same environment model as the CLI and UI: one app key across
-local, preview, staging, and production, separated by
-`config.runtime.deploymentEnvironment`. Investigation tools default to
-`production`. Pass `environment: "local"`, `"staging"`, `"preview"`, or
-`"all"` only when that scope is intentional.
-
-## Hosted MCP
-
-For hosted clients, expose the secured API endpoint:
-
-```text
-https://api.securenow.ai/mcp
-```
-
-The hosted endpoint must be authenticated with `Authorization: Bearer ...`.
-It accepts SecureNow JWT sessions and `snk_live_...` API keys through the same
-API auth path used by the rest of SecureNow.
-
-## Security Model
-
-- Read tools require the matching `*:read` scope.
-- Write tools require the matching `*:write` scope or `applications:write` for
-  app firewall settings.
-- Write tools also require `confirm: true` and a non-empty `reason`.
-- Full tokens and API keys are never returned by tools or resources.
-- Hosted MCP validates browser origins and rate-limits requests.
-- Tool calls are proxied through existing API routes so tenant isolation and
-  scope enforcement stay centralized.
-
-## Tools
-
-The MCP exposes applications, traces, logs, firewall, IP intelligence,
-forensics, notifications, blocklist, allowlist, trusted IPs, analytics, bundled
-docs resources, and setup prompts.

package/docs/NEXTJS-BODY-CAPTURE-COMPARISON.md

@@ -1,323 +0,0 @@
-# Next.js Body Capture - Choosing the Right Approach
-
-## 🎯 Two Approaches Available
-
-SecureNow offers two ways to capture request bodies in Next.js:
-
-1. **Wrapper Approach** (Recommended ✅)
-2. **Middleware Approach** (Use with caution ⚠️)
-
----
-
-## ✅ Wrapper Approach (RECOMMENDED)
-
-### How It Works
-
-Wrap individual API route handlers to capture bodies **inside the handler**:
-
-```typescript
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-
-export const POST = withSecureNow(async (request: Request) => {
-  const body = await request.json();
-  return Response.json({ success: true });
-});
-```
-
-### ✅ Pros
-
-- **Zero middleware conflicts** - Doesn't interfere with NextAuth or other middleware
-- **Never blocks requests** - Runs after routing is complete
-- **Per-route control** - Wrap only the routes you need
-- **Non-invasive** - Your middleware stays unchanged
-- **Safe** - Runs inside your handler, can't prevent handler execution
-- **Background capture** - Doesn't delay responses
-
-### ❌ Cons
-
-- Requires wrapping each route individually (but only the ones you want!)
-- Slightly more verbose (one extra line per route)
-
-### When to Use
-
-- ✅ You have NextAuth or other middleware
-- ✅ You want zero conflicts
-- ✅ You want fine-grained control
-- ✅ You prioritize reliability
-- ✅ **This is the recommended approach for most users**
-
-### Setup
-
-**Step 1:** Enable in .env.local
-```bash
-SECURENOW_CAPTURE_BODY=1
-```
-
-**Step 2:** Wrap your API routes
-```typescript
-// app/api/login/route.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-
-export const POST = withSecureNow(async (request: Request) => {
-  const body = await request.json();
-  // Your logic...
-  return Response.json({ success: true });
-});
-```
-
-**That's it!** No middleware.ts needed.
-
-📚 **Full guide:** See `NEXTJS-WRAPPER-APPROACH.md`
-
----
-
-## ⚠️ Middleware Approach (Use with Caution)
-
-### How It Works
-
-Export SecureNow's middleware to capture bodies **before your handlers**:
-
-```typescript
-// middleware.ts
-export { middleware } from 'securenow/nextjs-middleware';
-
-export const config = {
-  matcher: '/api/:path*',
-};
-```
-
-### ✅ Pros
-
-- One-time setup (no per-route wrapping)
-- Applies to all routes automatically
-
-### ❌ Cons
-
-- **Can conflict with NextAuth** and other middleware
-- **May block requests** from reaching handlers
-- **All-or-nothing** - applies to all matched routes
-- **Runs before routing** - can interfere with request flow
-- **May cause "Response body disturbed or locked" errors**
-
-### When to Use
-
-- You have no other middleware
-- You want to capture ALL routes
-- You're okay with potential conflicts
-- **Not recommended if you use NextAuth or have complex middleware**
-
-### Known Issues
-
-**Conflicts with NextAuth:**
-```typescript
-// ❌ This can cause conflicts
-export { middleware } from 'securenow/nextjs-middleware';
-
-// If you also use NextAuth, you'll need complex middleware composition
-```
-
-**Solution:** Use the wrapper approach instead!
-
-📚 **Full guide:** See `NEXTJS-BODY-CAPTURE.md` (but consider wrapper approach first)
-
----
-
-## 🔄 Comparison Table
-
-| Feature | Wrapper Approach | Middleware Approach |
-|---------|-----------------|---------------------|
-| **Setup complexity** | Per-route wrapping | One-time setup |
-| **Middleware conflicts** | ✅ None | ⚠️ Possible |
-| **NextAuth compatibility** | ✅ Perfect | ❌ Can conflict |
-| **Request blocking** | ✅ Never | ⚠️ Possible |
-| **Control granularity** | ✅ Per-route | ❌ All-or-nothing |
-| **Error impact** | ✅ Isolated | ⚠️ Can block all routes |
-| **Recommended for** | ✅ Most users | ⚠️ Simple apps only |
-
----
-
-## 🎯 Our Recommendation
-
-### For Most Users (Especially with NextAuth)
-
-**Use the Wrapper Approach:**
-
-```typescript
-// middleware.ts - Your auth logic (no securenow!)
-export async function middleware(request) {
-  // Just your middleware - no securenow imports
-  const token = await getToken({ req: request });
-  if (!token) return NextResponse.redirect('/login');
-  return NextResponse.next();
-}
-
-// app/api/protected/route.ts - Wrap individual routes
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-
-export const POST = withSecureNow(async (request: Request) => {
-  // Your handler - no conflicts!
-  const body = await request.json();
-  return Response.json({ success: true });
-});
-```
-
-**Why?**
-- ✅ Zero conflicts
-- ✅ Your middleware stays clean
-- ✅ Per-route control
-- ✅ Never blocks requests
-
-### For Simple Apps (No Other Middleware)
-
-**You can use Middleware Approach:**
-
-```typescript
-// middleware.ts
-export { middleware } from 'securenow/nextjs-middleware';
-
-export const config = {
-  matcher: '/api/:path*',
-};
-```
-
-**Why?**
-- ✅ One-time setup
-- ✅ Auto-applies to all routes
-- ⚠️ But be aware of potential conflicts if you add other middleware later
-
----
-
-## 📊 Real-World Scenarios
-
-### Scenario 1: NextAuth + SecureNow
-
-**❌ Middleware Approach - Can Cause Issues:**
-```typescript
-// middleware.ts
-import { getToken } from 'next-auth/jwt';
-import { middleware as securenowMiddleware } from 'securenow/nextjs-middleware';
-
-export async function middleware(request) {
-  // Complex composition needed - prone to conflicts
-  await securenowMiddleware(request);
-  const token = await getToken({ req: request });
-  // ...
-}
-```
-
-**✅ Wrapper Approach - Clean & Safe:**
-```typescript
-// middleware.ts - Just NextAuth
-export async function middleware(request) {
-  const token = await getToken({ req: request });
-  if (!token) return NextResponse.redirect('/login');
-  return NextResponse.next();
-}
-
-// app/api/*/route.ts - Add SecureNow per route
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-export const POST = withSecureNow(handler);
-```
-
-### Scenario 2: Rate Limiting + SecureNow
-
-**❌ Middleware Approach:**
-```typescript
-// Multiple middleware = conflicts
-```
-
-**✅ Wrapper Approach:**
-```typescript
-// middleware.ts - Just rate limiting
-export async function middleware(request) {
-  await checkRateLimit(request);
-  return NextResponse.next();
-}
-
-// routes - Add SecureNow
-export const POST = withSecureNow(handler);
-```
-
-### Scenario 3: Simple API (No Other Middleware)
-
-**✅ Either Approach Works:**
-
-**Option A - Wrapper:**
-```typescript
-export const POST = withSecureNow(handler);
-```
-
-**Option B - Middleware:**
-```typescript
-export { middleware } from 'securenow/nextjs-middleware';
-```
-
-Both work fine when you have no other middleware!
-
----
-
-## 🚀 Migration Guide
-
-### From Middleware to Wrapper
-
-**Before:**
-```typescript
-// middleware.ts
-export { middleware } from 'securenow/nextjs-middleware';
-export const config = { matcher: '/api/:path*' };
-```
-
-**After:**
-```typescript
-// middleware.ts - Delete securenow import!
-// (Keep your other middleware like NextAuth)
-
-// app/api/login/route.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-export const POST = withSecureNow(async (request) => {
-  // Your handler
-});
-
-// app/api/register/route.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-export const POST = withSecureNow(async (request) => {
-  // Your handler
-});
-```
-
-**Result:** No more conflicts! 🎉
-
----
-
-## ✅ Summary
-
-### Quick Decision Guide
-
-**Do you have NextAuth or other middleware?**
-- Yes → Use **Wrapper Approach** ✅
-- No → Either works, but wrapper is safer
-
-**Do you want per-route control?**
-- Yes → Use **Wrapper Approach** ✅
-- No → Middleware works
-
-**Do you prioritize zero conflicts?**
-- Yes → Use **Wrapper Approach** ✅
-- Not critical → Middleware works
-
-**Do you experience "Response body disturbed" errors?**
-- Yes → Switch to **Wrapper Approach** ✅
-
-### Bottom Line
-
-**For 90% of users:** Use the **Wrapper Approach** 
-
-It's safer, more flexible, and conflict-free!
-
-📚 **Full documentation:**
-- Wrapper: `NEXTJS-WRAPPER-APPROACH.md`
-- Middleware: `NEXTJS-BODY-CAPTURE.md`
-
-
-
-