npm - securenow - Versions diffs - 7.6.6 → 7.6.8 - Mend

securenow 7.6.6 → 7.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/NPM_README.md +13 -13
package/README.md +21 -37
package/app-config.js +5 -3
package/cli/config.js +4 -3
package/cli/diagnostics.js +54 -15
package/cli/run.js +40 -11
package/firewall-only.js +1 -1
package/firewall.js +88 -57
package/mcp/catalog.js +1 -1
package/nextjs-webpack-config.js +3 -15
package/nextjs.js +21 -23
package/nuxt-server-plugin.mjs +20 -10
package/package.json +33 -34
package/register.js +1 -1
package/tracing.js +17 -7
package/web-vite.mjs +23 -13
package/CONSUMING-APPS-GUIDE.md +0 -463
package/docs/ALL-FRAMEWORKS-QUICKSTART.md +0 -1388
package/docs/API-KEYS-GUIDE.md +0 -278
package/docs/ARCHITECTURE.md +0 -408
package/docs/AUTO-BODY-CAPTURE.md +0 -412
package/docs/AUTO-SETUP-SUMMARY.md +0 -331
package/docs/AUTO-SETUP.md +0 -419
package/docs/AUTOMATIC-IP-CAPTURE.md +0 -359
package/docs/BODY-CAPTURE-FIX.md +0 -261
package/docs/BODY-CAPTURE-QUICKSTART.md +0 -147
package/docs/CHANGELOG-NEXTJS.md +0 -235
package/docs/COMPLETION-REPORT.md +0 -408
package/docs/CUSTOMER-GUIDE.md +0 -364
package/docs/EASIEST-SETUP.md +0 -342
package/docs/ENVIRONMENT-VARIABLES.md +0 -166
package/docs/ENVIRONMENTS.md +0 -60
package/docs/EXPRESS-BODY-CAPTURE.md +0 -1028
package/docs/EXPRESS-SETUP-GUIDE.md +0 -722
package/docs/FINAL-SOLUTION.md +0 -335
package/docs/FIREWALL-GUIDE.md +0 -440
package/docs/IMPLEMENTATION-SUMMARY.md +0 -410
package/docs/INDEX.md +0 -222
package/docs/LOGGING-GUIDE.md +0 -704
package/docs/LOGGING-QUICKSTART.md +0 -221
package/docs/MCP-GUIDE.md +0 -58
package/docs/NEXTJS-BODY-CAPTURE-COMPARISON.md +0 -323
package/docs/NEXTJS-BODY-CAPTURE.md +0 -368
package/docs/NEXTJS-GUIDE.md +0 -392
package/docs/NEXTJS-QUICKSTART.md +0 -83
package/docs/NEXTJS-SETUP-COMPLETE.md +0 -795
package/docs/NEXTJS-WEBPACK-WARNINGS.md +0 -267
package/docs/NEXTJS-WRAPPER-APPROACH.md +0 -414
package/docs/NUXT-GUIDE.md +0 -173
package/docs/QUICKSTART-BODY-CAPTURE.md +0 -293
package/docs/REDACTION-EXAMPLES.md +0 -484
package/docs/REQUEST-BODY-CAPTURE.md +0 -587
package/docs/SOLUTION-SUMMARY.md +0 -312
package/docs/VERCEL-OTEL-MIGRATION.md +0 -255
package/examples/README.md +0 -265
package/examples/express-with-logging.js +0 -137
package/examples/instrumentation-with-auto-capture.ts +0 -41
package/examples/next.config.js +0 -37
package/examples/nextjs-api-route-with-body-capture.ts +0 -54
package/examples/nextjs-env-example.txt +0 -32
package/examples/nextjs-instrumentation.js +0 -36
package/examples/nextjs-instrumentation.ts +0 -36
package/examples/nextjs-middleware.js +0 -37
package/examples/nextjs-middleware.ts +0 -37
package/examples/nextjs-with-logging-example.md +0 -301
package/examples/nextjs-with-options.ts +0 -36
package/examples/test-nextjs-setup.js +0 -70
package/postinstall.js +0 -296

package/docs/NUXT-GUIDE.md DELETED Viewed

@@ -1,173 +0,0 @@
-# SecureNow — Nuxt 3 Setup Guide
-## Quick Start (1 minute)
-### 1. Install + login
-```bash
-npm install securenow
-npx securenow login    # pick/create your app in the browser
-```
-`login` writes `.securenow/credentials.json` locally. No `.env` needed for local dev.
-### 2. Add the module to `nuxt.config.ts`
-```ts
-export default defineNuxtConfig({
-  modules: ['securenow/nuxt'],
-});
-```
-### 3. Start your app
-```bash
-nuxt dev
-```
-You should see in the console:
-```
-[securenow] Nuxt module loaded — server plugin registered
-[securenow] 🚀 Nuxt OTel SDK started → https://freetrial.securenow.ai:4318/v1/traces
-```
-That's it — all server-side requests are now traced, logs forwarded, and bodies captured. The app you picked during `login` is where they land.
-### 4. (Optional) Override for CI / Docker / prod
-`.securenow/credentials.json` is for local dev. For environments where you can't run `npx securenow login`, set env vars:
-```env
-SECURENOW_APPID=<app-key-uuid>
-SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
-```
-Env vars always take precedence.
----
-## Configuration
-### Module options in `nuxt.config.ts`
-```ts
-export default defineNuxtConfig({
-  modules: ['securenow/nuxt'],
-  securenow: {
-    serviceName: 'my-nuxt-app',     // overrides SECURENOW_APPID
-    endpoint: 'http://host:4318',   // overrides SECURENOW_INSTANCE
-    noUuid: true,                   // single service.name (no UUID suffix)
-    captureBody: true,              // capture POST/PUT/PATCH bodies
-    logging: true,                  // forward console.* as OTLP logs
-  },
-});
-```
-### Environment variables
-All standard SecureNow env vars are supported:
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_APPID` | Service name | `nuxt-app-<uuid>` |
-| `SECURENOW_INSTANCE` | OTLP base URL | `https://freetrial.securenow.ai:4318` |
-| `SECURENOW_NO_UUID` | Don't append UUID to service name | `false` |
-| `SECURENOW_LOGGING_ENABLED` | Forward console logs as OTLP | `false` |
-| `SECURENOW_CAPTURE_BODY` | Capture request bodies | `false` |
-| `SECURENOW_MAX_BODY_SIZE` | Max body size to capture (bytes) | `10240` |
-| `SECURENOW_SENSITIVE_FIELDS` | Extra fields to redact (CSV) | _(built-in list)_ |
-| `OTEL_EXPORTER_OTLP_ENDPOINT` | Alternative OTLP base URL | — |
-| `OTEL_EXPORTER_OTLP_HEADERS` | OTLP headers (k=v,k2=v2) | — |
----
-## What gets traced
-### Automatic (out of the box)
-- All Nitro server handler requests (API routes, SSR pages, middleware)
-- HTTP method, path, status code, duration
-- Client IP address (with proxy-aware resolution)
-- User-Agent, Referer, Origin, Host
-- Security header presence (auth, cookies, CSRF)
-- Request IDs and correlation headers
-### With `captureBody: true`
-- POST/PUT/PATCH request bodies (JSON, form-urlencoded, GraphQL)
-- Sensitive fields auto-redacted (passwords, tokens, etc.)
-- Bodies larger than `SECURENOW_MAX_BODY_SIZE` are skipped
-### With `logging: true`
-- All `console.log/info/warn/error/debug` calls forwarded as OTLP log records
-- Logs correlated with active trace spans
----
-## Comparison with Next.js integration
-| Feature | Nuxt (`securenow/nuxt`) | Next.js (`securenow/nextjs`) |
-|---------|-------------------------|------------------------------|
-| Setup | Add to `modules` array | Create `instrumentation.ts` |
-| Config | `nuxt.config.ts` | `.env.local` + `next.config.js` |
-| Server tracing | Nitro hooks | HTTP instrumentation |
-| Edge runtime | Not supported | Skipped gracefully |
-| Vercel support | Via env vars | `@vercel/otel` integration |
-| Body capture | HTTP instrumentation | Middleware + `Request.clone()` |
-| Logging | Console patching | Console patching |
----
-## Deployment
-### Node.js server (PM2, Docker, etc.)
-Works out of the box with `nuxt build && node .output/server/index.mjs`.
-### Vercel / Netlify / Cloudflare
-Set env vars in the platform dashboard:
-```
-SECURENOW_APPID=my-nuxt-app
-SECURENOW_INSTANCE=https://your-otlp-backend:4318
-```
-> Note: On edge runtimes (Cloudflare Workers, Vercel Edge), some Node.js-specific
-> instrumentations may not be available. Server-handler tracing via Nitro hooks
-> still works.
----
-## Troubleshooting
-### No traces appearing
-1. Check that `SECURENOW_APPID` and `SECURENOW_INSTANCE` are set
-2. Look for `[securenow] 🚀 Nuxt OTel SDK started` in the console
-3. Verify the OTLP endpoint is reachable from your server
-### Module not loading
-Make sure you're using Nuxt 3 (`nuxt: ">=3.0.0"`) and the module is listed
-in the `modules` array (not `buildModules`).
-### OpenTelemetry packages bundled by Nitro
-The module automatically externalizes OTel packages. If you see bundling errors,
-manually add to `nuxt.config.ts`:
-```ts
-export default defineNuxtConfig({
-  nitro: {
-    externals: {
-      external: ['securenow', '@opentelemetry/api', '@opentelemetry/sdk-node'],
-    },
-  },
-});
-```
-# Current setup note
-Use `.securenow/credentials.json` for local and production. Run `npx securenow login`, `npx securenow init`, and for production generate `npx securenow credentials runtime --env production`; mount/copy that file as `.securenow/credentials.json`. Env-var examples in this older guide are legacy fallback snippets.

package/docs/QUICKSTART-BODY-CAPTURE.md DELETED Viewed

@@ -1,293 +0,0 @@
-# 🚀 Quick Start: Body Capture in Next.js
-## ✅ Recommended: Wrapper Approach (No Conflicts!)
-This approach **never interferes** with your middleware or routing.
-### Step 1: Enable in .env.local
-```bash
-SECURENOW_APPID=my-app
-SECURENOW_INSTANCE=http://otel-collector:4318
-SECURENOW_CAPTURE_BODY=1
-```
-### Step 2: Wrap Your API Routes
-```typescript
-// app/api/login/route.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-export const POST = withSecureNow(async (request: Request) => {
-  const body = await request.json();
-  // Your logic here...
-  return Response.json({ success: true });
-});
-```
-### Step 3: Keep Your Middleware Clean
-```typescript
-// middleware.ts - NO securenow imports!
-import { getToken } from 'next-auth/jwt';
-export async function middleware(request) {
-  // Just your auth logic - securenow doesn't interfere!
-  const token = await getToken({ req: request });
-  if (!token) {
-    return NextResponse.redirect('/login');
-  }
-  return NextResponse.next();
-}
-```
-**That's it!** 🎉
----
-## What Gets Captured
-### ✅ Automatically Captured & Redacted
-```typescript
-// Request:
-{
-  "username": "john",
-  "password": "secret123",
-  "email": "john@example.com"
-}
-// In your traces (sensitive fields redacted):
-{
-  "username": "john",
-  "password": "[REDACTED]",
-  "email": "john@example.com"
-}
-```
-### 🔒 Auto-Redacted Fields (20+)
-```
-password, passwd, pwd, secret, token, api_key, access_token,
-auth, credentials, card, cardnumber, cvv, cvc, ssn, pin, etc.
-```
-### 📝 Supported Content Types
-- ✅ JSON (`application/json`)
-- ✅ GraphQL (`application/graphql`)
-- ✅ Form data (`application/x-www-form-urlencoded`)
-- ℹ️ Multipart (marked as `[MULTIPART - NOT CAPTURED]`)
----
-## ✨ Benefits
-### Zero Conflicts
-- ✅ Works perfectly with NextAuth
-- ✅ Works with any middleware
-- ✅ Never blocks requests
-- ✅ Runs inside your handler (not before)
-### Safe & Secure
-- ✅ Automatic sensitive data redaction
-- ✅ Size limits (configurable)
-- ✅ Non-blocking (background capture)
-- ✅ Fails silently (never breaks your app)
-### Flexible
-- ✅ Per-route control (wrap only what you need)
-- ✅ Easy to add/remove
-- ✅ Works with App Router & Pages Router
----
-## 📊 Example: Full API Route
-```typescript
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-import { db } from '@/lib/db';
-export const POST = withSecureNow(async (request: Request) => {
-  try {
-    // Parse body (securenow captures this automatically)
-    const { email, password } = await request.json();
-    // Your business logic
-    const user = await db.user.create({
-      data: { email, passwordHash: hash(password) }
-    });
-    return Response.json({
-      success: true,
-      userId: user.id
-    });
-  } catch (error) {
-    return Response.json({
-      success: false,
-      error: error.message
-    }, { status: 400 });
-  }
-});
-// Optional: Other methods without capture
-export async function GET() {
-  const users = await db.user.findMany();
-  return Response.json({ users });
-}
-```
-**Trace will show:**
-- ✅ HTTP method, path, status
-- ✅ Request body: `{"email":"john@example.com","password":"[REDACTED]"}`
-- ✅ Response time
-- ✅ IP address, user agent
-- ✅ All without blocking or interfering!
----
-## ⚙️ Configuration
-### Environment Variables
-```bash
-# Required
-SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://your-otlp-backend:4318
-# Body capture
-SECURENOW_CAPTURE_BODY=1                    # Enable body capture
-SECURENOW_MAX_BODY_SIZE=10240              # Max size in bytes (10KB default)
-SECURENOW_SENSITIVE_FIELDS=email,phone     # Additional fields to redact
-# Optional
-OTEL_LOG_LEVEL=info                        # Logging level
-```
-### Custom Sensitive Fields
-Add your own fields to redact:
-```bash
-SECURENOW_SENSITIVE_FIELDS=credit_card_number,ssn,bank_account
-```
-Now these will also show as `[REDACTED]` in traces!
----
-## 🎓 More Examples
-### Selective Wrapping
-```typescript
-// Capture body for login
-export const POST = withSecureNow(async (request: Request) => {
-  const body = await request.json();
-  return Response.json({ success: true });
-});
-// No capture for public endpoint
-export async function GET() {
-  return Response.json({ status: 'ok' });
-}
-```
-### With Dynamic Routes
-```typescript
-// app/api/users/[id]/route.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-export const PUT = withSecureNow(async (
-  request: Request,
-  { params }: { params: { id: string } }
-) => {
-  const body = await request.json();
-  const userId = params.id;
-  await updateUser(userId, body);
-  return Response.json({ updated: true });
-});
-```
-### Pages Router
-```typescript
-// pages/api/login.ts
-import { withSecureNow } from 'securenow/nextjs-wrapper';
-async function handler(req, res) {
-  if (req.method === 'POST') {
-    const { email, password } = req.body;
-    // Your logic...
-    res.json({ success: true });
-  } else {
-    res.status(405).end();
-  }
-}
-export default withSecureNow(handler);
-```
----
-## 🐛 Troubleshooting
-### Q: I'm getting "Response body disturbed or locked" errors
-**A:** Don't use the middleware approach! Use the wrapper approach shown above. The wrapper runs inside your handler and never locks the request.
-### Q: Bodies aren't being captured
-**Check:**
-1. Is `SECURENOW_CAPTURE_BODY=1` set in `.env.local`?
-2. Did you wrap the route with `withSecureNow()`?
-3. Is the request POST/PUT/PATCH?
-4. Is content-type `application/json` or similar?
-### Q: Can I use this with NextAuth?
-**A:** Yes! That's exactly what it's designed for. Your middleware stays clean:
-```typescript
-// middleware.ts - Just NextAuth, no securenow!
-export async function middleware(request) {
-  const token = await getToken({ req: request });
-  // ...
-}
-// API routes - Add securenow wrapper
-export const POST = withSecureNow(handler);
-```
----
-## ✅ Summary
-**Setup (2 steps):**
-1. Set `SECURENOW_CAPTURE_BODY=1` in `.env.local`
-2. Wrap routes: `withSecureNow(handler)`
-**Result:**
-- ✅ Request bodies captured
-- ✅ Sensitive fields redacted
-- ✅ Zero middleware conflicts
-- ✅ Non-blocking & safe
-- ✅ Works with NextAuth
-**That's it!** 🎊
-📚 **More info:**
-- `NEXTJS-WRAPPER-APPROACH.md` - Full guide
-- `NEXTJS-BODY-CAPTURE-COMPARISON.md` - Comparison with middleware approach
-# Current setup note
-Use `.securenow/credentials.json` for local and production. Body capture defaults live under `config.capture.*`; run `npx securenow init` to create secure defaults. Env-var examples in this older guide are legacy fallback snippets.