securenow 7.6.9 → 7.7.0

package/mcp/catalog.js

@@ -230,8 +230,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/firewall/status',
-    queryFields: ['environment'],
-    inputSchema: objectSchema({ ...environmentInput }),
+    queryFields: ['environment', 'appKey'],
+    inputSchema: objectSchema({
+      appKey: string('Optional application key UUID to scope the status check.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_firewall_enable',
@@ -297,9 +300,10 @@ const TOOLS = [
     method: 'GET',
     endpoint: '/firewall/check/:ip',
     pathParams: ['ip'],
-    queryFields: ['environment'],
+    queryFields: ['environment', 'appKey'],
     inputSchema: objectSchema({
       ip: string('IPv4 address to test.'),
+      appKey: string('Optional application key UUID to test the app/environment toggle and scoped lists.'),
       ...environmentInput,
     }, ['ip']),
   },
@@ -421,6 +425,19 @@ const TOOLS = [
       id: string('Notification id.'),
     }, ['id']),
   },
+  {
+    name: 'securenow_notifications_batch_get',
+    title: 'Get Notifications Batch',
+    description: 'Fetch multiple notification/case records in one request.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'POST',
+    endpoint: '/notifications/batch',
+    bodyFields: ['ids'],
+    inputSchema: objectSchema({
+      ids: arrayOfStrings('Notification ids to fetch, up to 50.'),
+    }, ['ids']),
+  },
   {
     name: 'securenow_human_actions_list',
     title: 'List Human Action Queue',
@@ -496,6 +513,26 @@ const TOOLS = [
       ...confirmSchema,
     }, ['notificationId', 'ip', 'confirm', 'reason']),
   },
+  {
+    name: 'securenow_human_case_action_update',
+    title: 'Update Case-Level Human Action',
+    description: 'Approve, reject, execute, or fail a case-level proposed action such as tune_rule or create_exclusion. Write action; requires confirmation.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/notifications/:notificationId/agent-case/actions/:actionKey',
+    pathParams: ['notificationId', 'actionKey'],
+    bodyFields: ['status', 'result'],
+    reasonInResult: true,
+    inputSchema: objectSchema({
+      notificationId: string('Notification id from the case-action row.'),
+      actionKey: string('Proposed action key from the row, for example tune_rule:...'),
+      status: string('New status: proposed, approved, rejected, executed, or failed.'),
+      result: { type: 'object', additionalProperties: true, description: 'Optional structured result/audit details.' },
+      ...confirmSchema,
+    }, ['notificationId', 'actionKey', 'status', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_ip_lookup',
     title: 'IP Intelligence Lookup',
@@ -567,6 +604,258 @@ const TOOLS = [
       instanceId: string('Optional ClickHouse instance id.'),
     }),
   },
+  {
+    name: 'securenow_automation_rules_list',
+    title: 'List Automation Rules',
+    description: 'List blocklist automation rules with app/environment scope and stats.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/automation-rules',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_automation_rule_get',
+    title: 'Get Automation Rule',
+    description: 'Fetch one automation rule.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_automation_rule_create',
+    title: 'Create Automation Rule',
+    description: 'Create a blocklist automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules',
+    bodyFields: ['name', 'description', 'conditions', 'conditionLogic', 'actions', 'applicationsAll', 'applicationKeys', 'environmentsAll', 'environments'],
+    inputSchema: objectSchema({
+      name: string('Rule name.'),
+      description: string('Optional rule description.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Condition array. Fields include abuseConfidenceScore, riskScore, alertName, alertTag, attackType, path, environment.' },
+      conditionLogic: string('AND or OR.'),
+      actions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Action array, for example [{ "type":"addToBlocklist", "config":{ "reason":"...", "ttlHours":24 }}].' },
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys when not applying to all applications.'),
+      environmentsAll: boolean('Apply to all environments.'),
+      environments: arrayOfStrings('Deployment environments when not applying to all environments.'),
+      ...confirmSchema,
+    }, ['name', 'conditions', 'actions', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_update',
+    title: 'Update Automation Rule',
+    description: 'Update a blocklist automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    bodyFields: ['name', 'description', 'conditions', 'conditionLogic', 'actions', 'status', 'applicationsAll', 'applicationKeys', 'environmentsAll', 'environments'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      name: string('Rule name.'),
+      description: string('Optional rule description.'),
+      status: string('active or disabled.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Condition array.' },
+      conditionLogic: string('AND or OR.'),
+      actions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Action array.' },
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys when not applying to all applications.'),
+      environmentsAll: boolean('Apply to all environments.'),
+      environments: arrayOfStrings('Deployment environments when not applying to all environments.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_dry_run',
+    title: 'Dry-Run Automation Rule',
+    description: 'Preview automation matches without writing blocklist entries.',
+    scope: 'automation:read',
+    readOnly: true,
+    method: 'POST',
+    endpoint: '/automation-rules/:id/dry-run',
+    pathParams: ['id'],
+    bodyFields: ['limit', 'sampleLimit'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      limit: number('Maximum notifications to scan.', { minimum: 1, maximum: 2000 }),
+      sampleLimit: number('Maximum sample matches to return.', { minimum: 1, maximum: 50 }),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_automation_rule_execute',
+    title: 'Execute Automation Rule',
+    description: 'Execute an automation rule and add matching IPs to the blocklist. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    destructive: true,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/automation-rules/:id/execute',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_automation_rule_delete',
+    title: 'Delete Automation Rule',
+    description: 'Delete an automation rule. Write action; requires confirmation.',
+    scope: 'automation:write',
+    readOnly: false,
+    destructive: true,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/automation-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Automation rule id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rules_list',
+    title: 'List Alert Rules',
+    description: 'List alert rules, including system rules and app scope.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_alert_rule_get',
+    title: 'Get Alert Rule',
+    description: 'Fetch one alert rule.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_rule_update',
+    title: 'Update Alert Rule',
+    description: 'Update alert rule scope/status/schedule/throttle or record a review action. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/alert-rules/:id',
+    pathParams: ['id'],
+    bodyFields: ['name', 'description', 'status', 'applicationsAll', 'applications', 'schedule', 'throttle', 'alertChannelIds', 'reviewAction', 'reviewNote', 'reviewNotificationId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      name: string('Rule name for custom rules.'),
+      description: string('Rule description for custom rules.'),
+      status: string('Active, Disabled, or Paused.'),
+      applicationsAll: boolean('Scope rule to all applications.'),
+      applications: arrayOfStrings('Application keys when applicationsAll is false.'),
+      schedule: { type: 'object', additionalProperties: true, description: 'Schedule patch.' },
+      throttle: { type: 'object', additionalProperties: true, description: 'Throttle patch.' },
+      alertChannelIds: arrayOfStrings('Alert channel ids.'),
+      reviewAction: string('Rule review action, e.g. keep_active or saved_new_version.'),
+      reviewNote: string('Review note.'),
+      reviewNotificationId: string('Notification id tied to this review.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_test',
+    title: 'Test Alert Rule',
+    description: 'Start a live or dry-run alert rule test.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/alert-rules/:id/test',
+    pathParams: ['id'],
+    bodyFields: ['applicationKey', 'mode'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      applicationKey: string('Application key to test.'),
+      mode: string('dry_run or live.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_test_result',
+    title: 'Get Alert Rule Test Result',
+    description: 'Poll alert rule test status and results.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id/test/:testId',
+    pathParams: ['id', 'testId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      testId: string('Alert rule test id.'),
+    }, ['id', 'testId']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusions_list',
+    title: 'List Alert Rule Exclusions',
+    description: 'List exclusions embedded on one alert rule.',
+    scope: 'alerts:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/alert-rules/:id/exclusions',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+    }, ['id']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusion_add',
+    title: 'Add Alert Rule Exclusion',
+    description: 'Add a restrictive exclusion to one alert rule. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/alert-rules/:id/exclusions',
+    pathParams: ['id'],
+    bodyFields: ['conditions', 'matchMode', 'reason', 'pathPattern', 'isActive'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      conditions: { type: 'array', items: { type: 'object', additionalProperties: true }, description: 'Restrictive exclusion conditions.' },
+      matchMode: string('all or any.'),
+      reason: string('Exclusion reason.'),
+      pathPattern: string('Optional path pattern.'),
+      isActive: boolean('Whether the exclusion is active.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_alert_rule_exclusion_remove',
+    title: 'Remove Alert Rule Exclusion',
+    description: 'Remove an alert rule exclusion. Write action; requires confirmation.',
+    scope: 'alerts:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/alert-rules/:id/exclusions/:exclusionId',
+    pathParams: ['id', 'exclusionId'],
+    inputSchema: objectSchema({
+      id: string('Alert rule id.'),
+      exclusionId: string('Exclusion id.'),
+      ...confirmSchema,
+    }, ['id', 'exclusionId', 'confirm', 'reason']),
+  },
   {
     name: 'securenow_blocklist_list',
     title: 'List Blocklist',
@@ -575,8 +864,12 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/blocklist',
-    queryFields: ['page', 'limit'],
-    inputSchema: objectSchema({ ...pagingInput }),
+    queryFields: ['page', 'limit', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_blocklist_add',
@@ -587,12 +880,14 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/blocklist',
-    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata'],
+    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       reason: string('Reason for blocking.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       metadata: { type: 'object', additionalProperties: true, description: 'Optional metadata.' },
+      appKey: string('Optional application key to scope this block. Omit for all apps.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -629,8 +924,12 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/allowlist',
-    queryFields: ['page', 'limit'],
-    inputSchema: objectSchema({ ...pagingInput }),
+    queryFields: ['page', 'limit', 'appKey', 'environment'],
+    inputSchema: objectSchema({
+      ...pagingInput,
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_allowlist_add',
@@ -641,7 +940,7 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/allowlist',
-    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys'],
+    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
@@ -649,6 +948,7 @@ const TOOLS = [
       expiresAt: string('Optional expiry time as ISO 8601.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this allowlist entry to.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -675,7 +975,11 @@ const TOOLS = [
     readOnly: true,
     method: 'GET',
     endpoint: '/trusted-ips',
-    inputSchema: objectSchema({}),
+    queryFields: ['appKey', 'environment'],
+    inputSchema: objectSchema({
+      appKey: string('Optional application key scope.'),
+      ...environmentInput,
+    }),
   },
   {
     name: 'securenow_trusted_add',
@@ -686,13 +990,14 @@ const TOOLS = [
     confirm: true,
     method: 'POST',
     endpoint: '/trusted-ips',
-    bodyFields: ['ip', 'label', 'note', 'applicationsAll', 'applicationKeys'],
+    bodyFields: ['ip', 'label', 'note', 'applicationsAll', 'applicationKeys', 'environment'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
       note: string('Optional note.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this trusted IP to.'),
+      ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
   },
@@ -883,10 +1188,11 @@ function promptMessages(name, args = {}) {
             `Fetch page=${page}, limit=${limit} with securenow_human_actions_list, select row ${rowNumber}, then call securenow_notifications_get and securenow_human_action_report for that notificationId and IP.`,
             'Read the AI report, finalDecision, DAG steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
             'Open trace evidence with securenow_traces_show and correlated logs with securenow_logs_for_trace when trace IDs are available.',
-            'Return one of only two outcomes: Block IP or False Positive. If evidence is ambiguous, stop and explain what is missing.',
+            'Return one clear outcome: Block IP, False Positive, Rule Tuning Needed, or Ambiguous. If evidence is ambiguous, stop and explain what is missing.',
             confirmWrites
               ? 'The user requested execution. If evidence supports the decision, call securenow_human_action_block or securenow_human_action_false_positive with confirm:true and a precise reason.'
               : 'Do not execute write tools yet. Prepare the recommended decision and exact tool call the user can approve.',
+            'If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
             'False positives must be narrow: app + alert rule + path + method/status/user-agent/body evidence where possible. Never globally trust an IP by default.',
           ].join('\n'),
         },
@@ -906,12 +1212,12 @@ function promptMessages(name, args = {}) {
             'Work my SecureNow Requires Human queue like a senior security analyst using the MCP tools.',
             `Review up to ${limit} row(s), most urgent first.${args.search ? ` Search filter: ${args.search}.` : ''}`,
             'Start with securenow_human_actions_list. For each row, call securenow_notifications_get and securenow_human_action_report, inspect the AI report/DAG/proofs/trace IDs, and fetch trace/log evidence where useful.',
-            'For each row choose exactly one outcome: Block IP, False Positive, or Skip because evidence is insufficient. Explain skipped rows.',
+            'For each row choose exactly one outcome: Block IP, False Positive, Rule Tuning Needed, or Skip because evidence is insufficient. Explain skipped rows.',
             confirmWrites
               ? 'The user requested execution. For supported decisions, call the correct write tool with confirm:true and a precise reason, then continue.'
               : 'Do not execute write tools yet. Produce a row-by-row action plan and exact MCP write calls for user approval.',
-            'For block decisions, use securenow_human_action_block. For false positives, use securenow_human_action_false_positive with restrictive conditions. Avoid broad/global trust.',
-            'End with counts: handled, proposed block, proposed false positive, skipped, still waiting.',
+            'For block decisions, use securenow_human_action_block. For false positives, use securenow_human_action_false_positive with restrictive conditions. For case-level tune_rule/create_exclusion rows, inspect securenow_notifications_get and then use securenow_human_case_action_update only when the action is safe to approve/reject.',
+            'End with counts: handled, proposed block, proposed false positive, rule tuning needed, skipped, still waiting.',
           ].join('\n'),
         },
       },
@@ -991,6 +1297,12 @@ function buildApiRequest(tool, rawArgs = {}) {
   if (tool.reasonAsNote && !body.note && args.reason) {
     body.note = args.reason;
   }
+  if (tool.reasonInResult && args.reason) {
+    body.result = {
+      ...(body.result && typeof body.result === 'object' ? body.result : {}),
+      reason: args.reason,
+    };
+  }
 
   return {
     method: tool.method,

package/nextjs.js

@@ -27,6 +27,7 @@
 
 const { randomUUID } = require('crypto');
 const appConfig = require('./app-config');
+const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
 
 const env = appConfig.env;
@@ -203,26 +204,11 @@ function registerSecureNow(options = {}) {
           const headers = request.headers || {};
           
           // ======== IP ADDRESS CAPTURE ========
-          // Try different header sources for IP (priority order)
-          const forwardedFor = headers['x-forwarded-for'];
-          const realIp = headers['x-real-ip'];
-          const cfConnectingIp = headers['cf-connecting-ip']; // Cloudflare
-          const clientIp = headers['x-client-ip'];
-          const socketIp = request.socket?.remoteAddress;
-          
-          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
-          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
-          let primaryIp = socketIp || 'unknown';
-          if (isProxied) {
-            if (forwardedFor) {
-              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
-              for (let i = chain.length - 1; i >= 0; i--) {
-                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
-              }
-            } else {
-              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
-            }
-          }
+          const ipDetails = resolveClientIpWithDetails(request);
+          const forwardedFor = ipDetails.forwardedFor;
+          const realIp = ipDetails.realIp;
+          const socketIp = ipDetails.socketIp;
+          const primaryIp = ipDetails.ip || 'unknown';
           
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] || 
@@ -249,9 +235,16 @@ function registerSecureNow(options = {}) {
           const attributes = {
             // IP & Network
             'http.client_ip': primaryIp,
+            'http.client_ip.source': ipDetails.source,
             'http.forwarded_for': forwardedFor || '',
             'http.real_ip': realIp || '',
             'http.socket_ip': socketIp || '',
+            'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+            'http.request.header.x_forwarded_for': forwardedFor || '',
+            'http.request.header.x_real_ip': realIp || '',
+            'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+            'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+            'http.request.header.x_client_ip': ipDetails.clientIp || '',
             
             // Protocol & Host
             'http.scheme': scheme,
@@ -327,7 +320,7 @@ function registerSecureNow(options = {}) {
           if (env('NODE_ENV') === 'development' || env('OTEL_LOG_LEVEL') === 'debug') {
             console.log('[securenow] 📡 Captured IP: %s (from: %s)', 
               primaryIp, 
-              forwardedFor ? 'x-forwarded-for' : realIp ? 'x-real-ip' : socketIp ? 'socket' : 'unknown'
+              ipDetails.source || 'unknown'
             );
           }
 
@@ -520,7 +513,8 @@ function registerSecureNow(options = {}) {
                   const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                   const duration = Date.now() - start;
                   const status = res.statusCode;
-                  const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';
+                  const ipDetails = resolveClientIpWithDetails(req);
+                  const ip = ipDetails.ip || '-';
                   const ua = req.headers['user-agent'] || '-';
                   const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
                   const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
@@ -536,7 +530,12 @@ function registerSecureNow(options = {}) {
                         'http.url': url,
                         'http.status_code': status,
                         'http.duration_ms': duration,
-                        'http.client_ip': String(ip).split(',')[0].trim(),
+                        'http.client_ip': ip,
+                        'http.client_ip.source': ipDetails.source || 'unknown',
+                        'http.socket_ip': ipDetails.socketIp || '',
+                        'http.forwarded_for': ipDetails.forwardedFor || '',
+                        'http.real_ip': ipDetails.realIp || '',
+                        'http.proxy.trusted': String(!!ipDetails.trustedProxy),
                         'http.user_agent': ua,
                       },
                       ...(reqSpanCtx && { context: reqCtx }),

package/nuxt-server-plugin.mjs

@@ -22,6 +22,7 @@ import { randomUUID } from 'node:crypto';
 
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
+const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
 
 // ── Helpers ──
 
@@ -137,17 +138,21 @@ export default defineNitroPlugin(async (nitroApp) => {
     requestHook: (span, request) => {
       try {
         const hdrs = request.headers || {};
-        const fwd = hdrs['x-forwarded-for'];
-        const clientIp =
-          (fwd ? String(fwd).split(',')[0].trim() : null) ||
-          hdrs['x-real-ip'] ||
-          hdrs['cf-connecting-ip'] ||
-          hdrs['x-client-ip'] ||
-          request.socket?.remoteAddress ||
-          'unknown';
+        const ipDetails = resolveClientIpWithDetails(request);
+        const clientIp = ipDetails.ip || 'unknown';
 
         span.setAttributes({
           'http.client_ip': clientIp,
+          'http.client_ip.source': ipDetails.source,
+          'http.socket_ip': ipDetails.socketIp || '',
+          'http.forwarded_for': ipDetails.forwardedFor || '',
+          'http.real_ip': ipDetails.realIp || '',
+          'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+          'http.request.header.x_forwarded_for': ipDetails.forwardedFor || '',
+          'http.request.header.x_real_ip': ipDetails.realIp || '',
+          'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+          'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+          'http.request.header.x_client_ip': ipDetails.clientIp || '',
           'http.user_agent': hdrs['user-agent'] || '',
           'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
           'http.scheme':

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.6.9",
+  "version": "7.7.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",