securenow 7.7.10 → 7.7.11

package/NPM_README.md

@@ -157,7 +157,8 @@ npx securenow login --global
 # Check who you're logged in as (shows auth source)
 npx securenow whoami
 
-# Already have a firewall key? Store it without re-running login:
+# Need or already have a firewall key? Create or store it without re-running login:
+npx securenow api-key create --name "CLI firewall"
 npx securenow api-key set snk_live_abc123...   # --global for ~/.securenow/
 npx securenow api-key show                     # masked key + source
 npx securenow api-key clear                    # remove just the key
@@ -491,7 +492,8 @@ npx securenow logs --json --level error | jq '.logs'
 | | `apps info <id>` | Application details |
 | | `apps delete <id>` | Delete application |
 | | `apps default <key>` | Set default app |
-| **API Key** | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/credentials.json` |
+| **API Key** | `api-key create [--name "CLI firewall"] [--global]` | Mint and save a firewall key with your logged-in session |
+| | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/credentials.json` |
 | | `api-key show` | Show masked key + source |
 | | `api-key clear [--global]` | Remove stored key (leaves session/app) |
 | **Observe** | `traces` | List traces |

package/README.md

@@ -175,6 +175,7 @@ npx securenow login --global        # save to ~/.securenow/ instead
 npx securenow login --token <TOKEN> # headless (CI)
 npx securenow init --env local      # scaffold framework files + local env scope
 npx securenow credentials runtime --env production # write tokenless production credentials file
+npx securenow api-key create --name "CLI firewall" # mint + store firewall key
 npx securenow api-key set snk_live_... # store firewall key in .securenow/credentials.json
 
 # Apps
@@ -301,6 +302,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `securenow logout` | Clear project-local credentials |
 | `securenow logout --global` | Clear ~/.securenow/ instead |
 | `securenow whoami` | Show current session (email, app, expiry) |
+| `securenow api-key create [--name "CLI firewall"]` | Mint and store a firewall key using your session token |
 | `securenow api-key set <snk_live_...>` | Store firewall key in `.securenow/credentials.json` (`--global` for `~/.securenow/`) |
 | `securenow api-key show` | Print masked key + source file |
 | `securenow api-key clear` | Remove stored key (`--global` for `~/.securenow/`) |

package/SKILL-CLI.md

@@ -153,16 +153,17 @@ securenow apps scan [--yes]                  # scan all app domains for new subd
 
 Manage the firewall API key stored in the credentials file. Since v7.5.1 the login flow writes `snk_live_...` keys to `.securenow/credentials.json` by default, so no env var is required for local dev.
 
-```bash
-securenow api-key set snk_live_xxxxxxxxxx    # save to project ./.securenow/ (default)
-securenow api-key set snk_live_xxx --global  # save to ~/.securenow/ instead
+```bash
+securenow api-key create --name "CLI firewall" # mint + save a firewall key with your logged-in session
+securenow api-key set snk_live_xxxxxxxxxx    # save to project ./.securenow/ (default)
+securenow api-key set snk_live_xxx --global  # save to ~/.securenow/ instead
 securenow api-key show                       # print the masked current key + its source
 securenow api-key clear                      # remove just the API key (keeps session/app)
 securenow api-key clear --global             # same, but from the global file
 securenow credentials runtime --env production # write .securenow/credentials.production.json for production secret-file deploys
 ```
 
-The key must start with `snk_live_`. `securenow login` with firewall enabled writes the key automatically; use `api-key set` when you already have a key from the dashboard, or to rotate it later.
+The key must start with `snk_live_`. `securenow login` with firewall enabled writes the key automatically; use `api-key create` when you have an account session but no runtime key yet, or `api-key set` when you already have a key from the dashboard.
 
 ### Init — Project Setup
 

package/cli/apiKey.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const { api, requireAuth } = require('./client');
 const config = require('./config');
 const ui = require('./ui');
 
@@ -8,6 +9,47 @@ function maskKey(key) {
   return `${key.slice(0, 12)}••••••${key.slice(-4)}`;
 }
 
+async function create(args, flags) {
+  requireAuth();
+
+  const name = flags.name || args.join(' ').trim() || 'CLI firewall';
+  const preset = flags.preset || 'firewall';
+  const local = flags.global ? false : true;
+
+  const s = ui.spinner(`Creating ${preset} API key`);
+  try {
+    const result = await api.post('/api-keys', { name, preset });
+    const key = result && result.key;
+    if (!key || !key.startsWith('snk_live_')) {
+      throw new Error('API did not return a valid firewall key');
+    }
+
+    config.setApiKey(key, { local });
+    if (local) config.ensureLocalGitignore();
+    s.stop('API key created and saved');
+
+    if (flags.json) {
+      ui.json({
+        id: result.apiKey?._id || result.apiKey?.id || null,
+        name: result.apiKey?.name || name,
+        preset,
+        key: maskKey(key),
+        savedTo: local ? 'project .securenow/credentials.json' : '~/.securenow/credentials.json',
+      });
+      return;
+    }
+
+    ui.success(`API key saved (${maskKey(key)})`);
+    ui.info(local
+      ? 'Stored in project .securenow/credentials.json (local)'
+      : 'Stored in ~/.securenow/credentials.json (global)');
+    ui.info('The plaintext key is not printed. The SDK will read it from the credentials file.');
+  } catch (err) {
+    s.fail('Failed to create API key');
+    throw err;
+  }
+}
+
 async function set(args, flags) {
   const key = args[0];
   if (!key) {
@@ -52,4 +94,4 @@ async function show() {
   ui.info(`Source: ${config.getAuthSource()}`);
 }
 
-module.exports = { set, clear, show };
+module.exports = { create, set, clear, show };

package/cli/config.js

@@ -47,6 +47,12 @@ function saveJSON(filepath, data) {
   }
 }
 
+function credentialsForWrite(targetFile) {
+  const inherited = loadCredentials() || {};
+  const existing = loadJSON(targetFile);
+  return appConfig.mergeCredentials(inherited, existing) || {};
+}
+
 function credentialsFileForLocal(local) {
   return local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
 }
@@ -113,7 +119,7 @@ function withOnboardingFirewallEnabled(creds) {
 function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = credentialsFileForLocal(useLocal);
-  const existing = loadJSON(targetFile);
+  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
   const payload = enableFirewall
     ? withOnboardingFirewallEnabled(existing || {})
     : appConfig.withCredentialDefaults(existing || {}) || {};
@@ -168,7 +174,7 @@ function getApp() {
 function setApiKey(apiKey, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = credentialsFileForLocal(useLocal);
-  const existing = loadJSON(targetFile);
+  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
   saveJSON(targetFile, withOnboardingFirewallEnabled({ ...existing, apiKey }));
 }
 
@@ -189,7 +195,7 @@ function getApiKey() {
 function setApp(app, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = credentialsFileForLocal(useLocal);
-  const existing = loadJSON(targetFile);
+  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
   saveJSON(targetFile, appConfig.withCredentialDefaults({
     ...existing,
     app: {

package/cli.js

@@ -77,11 +77,21 @@ const COMMANDS = {
   },
   'api-key': {
     desc: 'Manage the firewall API key stored in .securenow/credentials.json',
-    usage: 'securenow api-key <subcommand> [options]',
-    sub: {
-      set: {
-        desc: 'Save an API key (snk_live_...) to the credentials file',
-        usage: 'securenow api-key set <snk_live_...> [--global]',
+    usage: 'securenow api-key <subcommand> [options]',
+    sub: {
+      create: {
+        desc: 'Create a firewall API key with your session token and save it',
+        usage: 'securenow api-key create [name] [--name <name>] [--preset firewall] [--global]',
+        flags: {
+          name: 'Human-readable key name',
+          preset: 'API key preset to create (default: firewall)',
+          global: 'Save to ~/.securenow/ instead of project-local',
+        },
+        run: (a, f) => require('./cli/apiKey').create(a, f),
+      },
+      set: {
+        desc: 'Save an API key (snk_live_...) to the credentials file',
+        usage: 'securenow api-key set <snk_live_...> [--global]',
         flags: { global: 'Save to ~/.securenow/ instead of project-local' },
         run: (a, f) => require('./cli/apiKey').set(a, f),
       },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.10",
+  "version": "7.7.11",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",