npm - securenow - Versions diffs - 7.7.1 → 7.7.2 - Mend

securenow 7.7.1 → 7.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/NPM_README.md CHANGED Viewed

@@ -415,9 +415,9 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | `~/.securenow/config.json` | API URL, default app, output format |
 | `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
 | `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
-| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>` |
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
-**Resolution order:** project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy CLI token overrides still work for existing automation.
 ### Global Flags
@@ -465,8 +465,10 @@ npx securenow credentials runtime --env production
 # Store .securenow/credentials.production.json as a deployment secret file,
 # then materialize it as .securenow/credentials.json in the running app.
-# Since v7.7.1, mounting it as .securenow/credentials.production.json
+# Since v7.7.2, mounting it as .securenow/credentials.production.json
 # also works when the canonical credentials.json file is absent.
+# The SDK checks named files in a fixed order and does not use env vars
+# to pick the credentials filename.
 # Use --json for machine-readable output
 npx securenow logs --json --level error | jq '.logs'
@@ -1076,7 +1078,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project `./.securenow/credentials.<environment>.json`, then global `~/.securenow/credentials.json`, then global `~/.securenow/credentials.<environment>.json`. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
 On startup, you'll see:

package/README.md CHANGED Viewed

@@ -152,14 +152,14 @@ npx securenow credentials runtime --env production
 It writes `.securenow/credentials.production.json`, with the same `app`, `apiKey`, `config`, and `_securenow.explanations` shape, but without the CLI OAuth `token`, `email`, or `expiresAt`. Store that JSON in your deployment secret manager and materialize it as `.securenow/credentials.json` at runtime.
-Starting in v7.7.1, the SDK also accepts the generated filename directly. If `.securenow/credentials.json` is missing, it checks `.securenow/credentials.<environment>.json`, so a production app with `NODE_ENV=production` can mount `.securenow/credentials.production.json` directly.
+Starting in v7.7.2, the SDK also accepts generated runtime filenames directly without reading environment variables to choose the file. If `.securenow/credentials.json` is missing, it checks named files in a deterministic order: staging, production, preview, local, test, development, dev, then prod.
 Resolution order:
 1. Project-local `.securenow/credentials.json`
-2. Project-local `.securenow/credentials.<environment>.json`
+2. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
 3. Global `~/.securenow/credentials.json`
-4. Global `~/.securenow/credentials.<environment>.json`
+4. Global named runtime credentials in the same fixed order
 5. `package.json#name` (label only)
 Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
@@ -399,12 +399,12 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | File | Purpose |
 |---|---|
 | `./.securenow/credentials.json` | Project-local or production runtime credentials |
-| `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>` |
+| `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 | `~/.securenow/credentials.json` | Global (with `login --global`) |
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
-Resolution order: project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json` -> package name fallback. Legacy env vars are fallback-only for older installs.
+Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env vars are fallback-only for older installs and do not choose the credentials filename.
 Override the dashboard API with `securenow config set apiUrl <url>`.

package/SKILL-API.md CHANGED Viewed

@@ -273,7 +273,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 ## Firewall — Multi-Layer IP Blocking
-The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> project `./.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`; legacy env vars are fallback-only for existing deployments.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order; legacy env vars are fallback-only for existing deployments and do not choose the credentials filename.
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -457,7 +457,7 @@ securenow redact @request.json --fields internal_id,sessionHash
 ## Credentials Configuration
-Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.1, the SDK also accepts `.securenow/credentials.<environment>.json` when the canonical `credentials.json` file is absent, so `.securenow/credentials.production.json` can be mounted directly. Environment variables are legacy fallbacks only.
+Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Environment variables are legacy fallbacks only.
 ### App Identity

package/SKILL-CLI.md CHANGED Viewed

@@ -39,11 +39,11 @@ securenow whoami            # verify session (shows email, app, auth source)
 **Default-on security (v7.5.1+):** after picking or creating the app, `securenow login` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running login, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
-Credentials resolve in order: project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Legacy env vars are fallback-only for existing deployments.
+Credentials resolve in order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy env vars are fallback-only for existing deployments and do not choose the credentials filename.
 The **firewall API key** should live in the same credentials file as `apiKey`. Legacy `SECURENOW_API_KEY` overrides are honored only when they start with `snk_live_`.
-For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`. Since v7.7.1, mounting the generated `.securenow/credentials.production.json` filename directly also works when `credentials.json` is absent.
+For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`. Since v7.7.2, mounting the generated `.securenow/credentials.production.json` filename directly also works when `credentials.json` is absent.
 **Environment model:** use one SecureNow app key for local, preview, staging, and production. The credentials field `config.runtime.deploymentEnvironment` separates traces/logs/firewall/forensics by environment. CLI security commands default to `production`; pass `--env local`, `--env staging`, or `--env all` only when that scope is intentional.
@@ -81,11 +81,11 @@ Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-proje
 | `~/.securenow/config.json` | `apiUrl`, `appUrl`, `defaultApp`, `output` |
 | `~/.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config` (global, use `login --global`) |
 | `.securenow/credentials.json` | `token`, `email`, `expiresAt`, `apiKey`, `app`, `config`, `_securenow.explanations` (project-local default) |
-| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `securenow credentials runtime --env <environment>` |
+| `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
-**Credential resolution order:** `.securenow/credentials.json` (project) -> `.securenow/credentials.<environment>.json` (project) -> `~/.securenow/credentials.json` (global) -> `~/.securenow/credentials.<environment>.json` (global). Legacy env vars are fallback-only for existing deployments.
+**Credential resolution order:** `.securenow/credentials.json` (project) -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> `~/.securenow/credentials.json` (global) -> global named runtime credentials in the same fixed order. Legacy env vars are fallback-only for existing deployments.
-**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> project `.securenow/credentials.<environment>.json` -> global `~/.securenow/credentials.json` -> global `~/.securenow/credentials.<environment>.json`. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
+**Firewall API key resolution (v7.5.1+):** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Use `securenow login` for default setup or `securenow api-key set` to rotate a key without touching env vars.
 ```bash
 securenow config set apiUrl https://api.securenow.ai

package/app-config.js CHANGED Viewed

@@ -4,9 +4,10 @@
  * Shared SecureNow configuration resolver.
  *
  * Local development and production are driven by ./.securenow/credentials.json.
- * Environment-specific runtime files such as
+ * Named runtime files such as ./.securenow/credentials.staging.json and
  * ./.securenow/credentials.production.json are also accepted when the
- * canonical file is not present.
+ * canonical file is not present. Filename selection is deterministic and does
+ * not read environment variables.
  * Legacy environment variables are only fallback inputs for existing installs;
  * every SDK setting has a file-backed equivalent so customers do not need .env
  * files.
@@ -19,6 +20,16 @@ const os = require('os');
 const FREE_TRIAL_INSTANCE = 'https://freetrial.securenow.ai:4318';
 const DEFAULT_API_URL = 'https://api.securenow.ai';
 const CONFIG_SCHEMA_VERSION = 2;
+const CREDENTIAL_FILE_ENVIRONMENTS = Object.freeze([
+  'staging',
+  'production',
+  'preview',
+  'local',
+  'test',
+  'development',
+  'dev',
+  'prod',
+]);
 const DEFAULT_CONFIG = Object.freeze({
   logging: {
@@ -231,30 +242,10 @@ function uniq(values) {
   return out;
 }
-function credentialEnvironmentNames() {
-  const names = [];
-  const rawValues = [
-    rawEnv('SECURENOW_ENVIRONMENT'),
-    rawEnv('SECURENOW_DEPLOYMENT_ENVIRONMENT'),
-    rawEnv('NODE_ENV'),
-  ];
-  for (const rawValue of rawValues) {
-    const value = pick(rawValue);
-    if (value == null) continue;
-    const text = String(value).trim().toLowerCase();
-    if (/^[a-z0-9_.-]{1,64}$/.test(text)) names.push(text);
-    names.push(normalizeDeploymentEnvironment(text));
-  }
-  names.push('production');
-  return uniq(names);
-}
 function credentialRelativePaths() {
   return uniq([
     path.join('.securenow', 'credentials.json'),
-    ...credentialEnvironmentNames().map((envName) =>
+    ...CREDENTIAL_FILE_ENVIRONMENTS.map((envName) =>
       path.join('.securenow', `credentials.${envName}.json`)
     ),
   ]);
@@ -717,6 +708,7 @@ module.exports = {
   FREE_TRIAL_INSTANCE,
   DEFAULT_API_URL,
   CONFIG_SCHEMA_VERSION,
+  CREDENTIAL_FILE_ENVIRONMENTS,
   DEFAULT_CONFIG,
   CONFIG_EXPLANATIONS,
   ENV_TO_CONFIG_PATH,

package/cli/credentials.js CHANGED Viewed

@@ -83,7 +83,8 @@ async function runtime(_args, flags) {
   ui.success(`Wrote runtime credentials to ${output}`);
   ui.info('Deploy this JSON as .securenow/credentials.json on the server/container.');
-  ui.info('SDK v7.7.1+ can also read this generated filename directly when credentials.json is absent.');
+  ui.info('SDK v7.7.2+ can also read this generated filename directly when credentials.json is absent.');
+  ui.info('Credential filename lookup is fixed-order and does not depend on NODE_ENV.');
   ui.info(`Environment: ${envName}`);
   ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
   ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.1",
+  "version": "7.7.2",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",