securenow 7.7.0 → 7.7.2

package/NPM_README.md

@@ -415,8 +415,9 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | `~/.securenow/config.json` | API URL, default app, output format |
 | `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
 | `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 
-**Resolution order:** project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy CLI token overrides still work for existing automation.
 
 ### Global Flags
 
@@ -464,6 +465,10 @@ npx securenow credentials runtime --env production
 
 # Store .securenow/credentials.production.json as a deployment secret file,
 # then materialize it as .securenow/credentials.json in the running app.
+# Since v7.7.2, mounting it as .securenow/credentials.production.json
+# also works when the canonical credentials.json file is absent.
+# The SDK checks named files in a fixed order and does not use env vars
+# to pick the credentials filename.
 
 # Use --json for machine-readable output
 npx securenow logs --json --level error | jq '.logs'
@@ -1073,7 +1078,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
 
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then global `~/.securenow/credentials.json`. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
 
 On startup, you'll see:
 

package/README.md

@@ -152,11 +152,15 @@ npx securenow credentials runtime --env production
 
 It writes `.securenow/credentials.production.json`, with the same `app`, `apiKey`, `config`, and `_securenow.explanations` shape, but without the CLI OAuth `token`, `email`, or `expiresAt`. Store that JSON in your deployment secret manager and materialize it as `.securenow/credentials.json` at runtime.
 
+Starting in v7.7.2, the SDK also accepts generated runtime filenames directly without reading environment variables to choose the file. If `.securenow/credentials.json` is missing, it checks named files in a deterministic order: staging, production, preview, local, test, development, dev, then prod.
+
 Resolution order:
 
 1. Project-local `.securenow/credentials.json`
-2. Global `~/.securenow/credentials.json`
-3. `package.json#name` (label only)
+2. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
+3. Global `~/.securenow/credentials.json`
+4. Global named runtime credentials in the same fixed order
+5. `package.json#name` (label only)
 
 Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
 
@@ -395,11 +399,12 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | File | Purpose |
 |---|---|
 | `./.securenow/credentials.json` | Project-local or production runtime credentials |
-| `./.securenow/credentials.production.json` | Tokenless production file generated by `securenow credentials runtime --env production` |
+| `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 | `~/.securenow/credentials.json` | Global (with `login --global`) |
+| `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Resolution order: project `.securenow/` -> global `~/.securenow/` -> package name fallback. Legacy env vars are fallback-only for older installs.
+Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env vars are fallback-only for older installs and do not choose the credentials filename.
 
 Override the dashboard API with `securenow config set apiUrl <url>`.
 

package/SKILL-API.md

@@ -273,7 +273,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> global `~/.securenow/credentials.json`; legacy env vars are fallback-only for existing deployments.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order; legacy env vars are fallback-only for existing deployments and do not choose the credentials filename.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -457,7 +457,7 @@ securenow redact @request.json --fields internal_id,sessionHash
 
 ## Credentials Configuration
 
-Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Environment variables are legacy fallbacks only.
+Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Environment variables are legacy fallbacks only.
 
 ### App Identity
 

package/SKILL-CLI.md

@@ -39,11 +39,11 @@ securenow whoami            # verify session (shows email, app, auth source)
 
 **Default-on security (v7.5.1+):** after picking or creating the app, `securenow login` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 
-Credentials resolve in order: project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Legacy env vars are fallback-only for existing deployments.
+Credentials resolve in order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy env vars are fallback-only for existing deployments and do not choose the credentials filename.
 
 The **firewall API key** should live in the same credentials file as `apiKey`. Legacy `SECURENOW_API_KEY` overrides are honored only when they start with `snk_live_`.
 
-For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`.
+For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`. Since v7.7.2, mounting the generated `.securenow/credentials.production.json` filename directly also works when `credentials.json` is absent.
 
 **Environment model:** use one SecureNow app key for local, preview, staging, and production. The credentials field `config.runtime.deploymentEnvironment` separates traces/logs/firewall/forensics by environment. CLI security commands default to `production`; pass `--env local`, `--env staging`, or `--env all` only when that scope is intentional.
 
@@ -81,10 +81,11 @@ Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-proje
 | `~/.securenow/config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
 | `~/.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config` (global, use `login --global`) |
 | `.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config`, `_securenow.explanations` (project-local default) |
-
-**Credential resolution order:** `.securenow/credentials.json` (project) -> `~/.securenow/credentials.json` (global). Legacy env vars are fallback-only for existing deployments.
-
-**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> global `~/.securenow/credentials.json`. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
+
+**Credential resolution order:** `.securenow/credentials.json` (project) -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> `~/.securenow/credentials.json` (global) -> global named runtime credentials in the same fixed order. Legacy env vars are fallback-only for existing deployments.
+
+**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
 
 ```bash
 securenow config set apiUrl https://api.securenow.ai

package/app-config.js

@@ -4,6 +4,10 @@
  * Shared SecureNow configuration resolver.
  *
  * Local development and production are driven by ./.securenow/credentials.json.
+ * Named runtime files such as ./.securenow/credentials.staging.json and
+ * ./.securenow/credentials.production.json are also accepted when the
+ * canonical file is not present. Filename selection is deterministic and does
+ * not read environment variables.
  * Legacy environment variables are only fallback inputs for existing installs;
  * every SDK setting has a file-backed equivalent so customers do not need .env
  * files.
@@ -16,6 +20,16 @@ const os = require('os');
 const FREE_TRIAL_INSTANCE = 'https://freetrial.securenow.ai:4318';
 const DEFAULT_API_URL = 'https://api.securenow.ai';
 const CONFIG_SCHEMA_VERSION = 2;
+const CREDENTIAL_FILE_ENVIRONMENTS = Object.freeze([
+  'staging',
+  'production',
+  'preview',
+  'local',
+  'test',
+  'development',
+  'dev',
+  'prod',
+]);
 
 const DEFAULT_CONFIG = Object.freeze({
   logging: {
@@ -157,7 +171,9 @@ function clone(value) {
 
 function readJsonSafe(filepath) {
   try {
-    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+    let content = fs.readFileSync(filepath, 'utf8');
+    if (content.charCodeAt(0) === 0xFEFF) content = content.slice(1);
+    return JSON.parse(content);
   } catch {
     return null;
   }
@@ -191,6 +207,30 @@ function findUpFile(startDir, relativePath) {
   }
 }
 
+function findUpFirstFile(startDir, relativePaths) {
+  if (!startDir) return null;
+  const candidates = Array.isArray(relativePaths) ? relativePaths.filter(Boolean) : [relativePaths].filter(Boolean);
+  if (!candidates.length) return null;
+
+  let dir;
+  try {
+    dir = path.resolve(startDir);
+  } catch {
+    return null;
+  }
+
+  while (true) {
+    for (const relativePath of candidates) {
+      const found = fileIfReadable(path.join(dir, relativePath));
+      if (found) return found;
+    }
+
+    const parent = path.dirname(dir);
+    if (!parent || parent === dir) return null;
+    dir = parent;
+  }
+}
+
 function uniq(values) {
   const seen = new Set();
   const out = [];
@@ -202,6 +242,15 @@ function uniq(values) {
   return out;
 }
 
+function credentialRelativePaths() {
+  return uniq([
+    path.join('.securenow', 'credentials.json'),
+    ...CREDENTIAL_FILE_ENVIRONMENTS.map((envName) =>
+      path.join('.securenow', `credentials.${envName}.json`)
+    ),
+  ]);
+}
+
 function resolveLocalCredentialsFile() {
   const starts = [];
   try {
@@ -212,8 +261,25 @@ function resolveLocalCredentialsFile() {
   if (process.argv && process.argv[1]) starts.push(path.dirname(process.argv[1]));
   if (require.main && require.main.filename) starts.push(path.dirname(require.main.filename));
 
+  const candidates = credentialRelativePaths();
   for (const start of uniq(starts)) {
-    const found = findUpFile(start, path.join('.securenow', 'credentials.json'));
+    const found = findUpFirstFile(start, candidates);
+    if (found) return found;
+  }
+
+  return null;
+}
+
+function resolveGlobalCredentialsFile() {
+  let home;
+  try {
+    home = os.homedir();
+  } catch {
+    return null;
+  }
+
+  for (const relativePath of credentialRelativePaths()) {
+    const found = fileIfReadable(path.join(home, relativePath));
     if (found) return found;
   }
 
@@ -248,7 +314,7 @@ function loadLocalCredentials() {
 
 function loadGlobalCredentials() {
   try {
-    return withCredentialDefaults(readJsonSafe(path.join(os.homedir(), '.securenow', 'credentials.json')));
+    return withCredentialDefaults(readJsonSafe(resolveGlobalCredentialsFile()));
   } catch {
     return null;
   }
@@ -642,6 +708,7 @@ module.exports = {
   FREE_TRIAL_INSTANCE,
   DEFAULT_API_URL,
   CONFIG_SCHEMA_VERSION,
+  CREDENTIAL_FILE_ENVIRONMENTS,
   DEFAULT_CONFIG,
   CONFIG_EXPLANATIONS,
   ENV_TO_CONFIG_PATH,
@@ -668,6 +735,9 @@ module.exports = {
   listEnv,
   parseHeaders,
   headersToString,
+  credentialRelativePaths,
+  resolveLocalCredentialsFile,
+  resolveGlobalCredentialsFile,
   loadCredentials,
   loadLocalCredentials,
   loadGlobalCredentials,

package/cli/config.js

@@ -28,7 +28,9 @@ function ensureDir(dir) {
 
 function loadJSON(filepath) {
   try {
-    return JSON.parse(fs.readFileSync(filepath, 'utf8'));
+    let content = fs.readFileSync(filepath, 'utf8');
+    if (content.charCodeAt(0) === 0xFEFF) content = content.slice(1);
+    return JSON.parse(content);
   } catch {
     return {};
   }
@@ -50,17 +52,16 @@ function credentialsFileForLocal(local) {
 }
 
 function hasLocalCredentials() {
-  return fs.existsSync(LOCAL_CREDENTIALS_FILE);
+  return !!appConfig.resolveLocalCredentialsFile();
 }
 
 function resolveCredentialsFile() {
-  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return LOCAL_CREDENTIALS_FILE;
-  return CREDENTIALS_FILE;
+  return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || CREDENTIALS_FILE;
 }
 
 function getAuthSource() {
   if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
-  if (fs.existsSync(LOCAL_CREDENTIALS_FILE)) return 'project (.securenow/)';
+  if (appConfig.resolveLocalCredentialsFile()) return 'project (.securenow/)';
   return 'global (~/.securenow/)';
 }
 
@@ -91,9 +92,8 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  const credentials = fs.existsSync(LOCAL_CREDENTIALS_FILE)
-    ? loadJSON(LOCAL_CREDENTIALS_FILE)
-    : loadJSON(CREDENTIALS_FILE);
+  const credentialsFile = resolveCredentialsFile();
+  const credentials = loadJSON(credentialsFile);
   return appConfig.withCredentialDefaults(credentials) || {};
 }
 

package/cli/credentials.js

@@ -40,7 +40,7 @@ function buildRuntimeCredentials(options = {}) {
     },
     _securenow: {
       ...(creds._securenow || {}),
-      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json in production. Do not commit it.',
+      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',
     },
@@ -83,6 +83,8 @@ async function runtime(_args, flags) {
 
   ui.success(`Wrote runtime credentials to ${output}`);
   ui.info('Deploy this JSON as .securenow/credentials.json on the server/container.');
+  ui.info('SDK v7.7.2+ can also read this generated filename directly when credentials.json is absent.');
+  ui.info('Credential filename lookup is fixed-order and does not depend on NODE_ENV.');
   ui.info(`Environment: ${envName}`);
   ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
   ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.0",
+  "version": "7.7.2",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",