securenow 7.7.13 → 7.7.14

package/NPM_README.md

@@ -9,7 +9,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - Built-in sensitive data redaction
 - Request body capture for debugging
 - Multi-layer firewall -- auto-blocks IPs from your SecureNow blocklist
-- `securenow init` scaffolds Next.js instrumentation and safe `serverExternalPackages`
+- `securenow init` scaffolds Next.js instrumentation, safe `serverExternalPackages`, and standalone output tracing includes
 - `securenow/firewall-only` entry point for firewall without tracing overhead
 - Local and production configuration via `.securenow/credentials.json`
 - Single `-r securenow/register` flag -- works for both CJS and ESM apps
@@ -77,7 +77,7 @@ npx securenow init --key snk_live_abc123...
 
 This detects your framework and:
 - **Credentials**: Ensures `.securenow/credentials.json` has secure defaults and explanations
-- **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` when safe, or prints a Codex/Claude-ready merge prompt for existing files
+- **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, or prints a Codex/Claude-ready merge prompt for existing files
 - **Nuxt 3**: Suggests adding `securenow/nuxt` to modules
 - **Express / Node.js**: Shows how to add `-r securenow/register` to your start script
 - **All**: Stores `--key` in `.securenow/credentials.json`; no local `.env` file is needed
@@ -174,7 +174,7 @@ npx securenow init
 npx securenow init --key snk_live_abc123...
 ```
 
-For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript), adds `serverExternalPackages: ['securenow']` when safe, and prints exact merge instructions for Codex/Claude when existing files need judgment. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
+For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript), adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and prints exact merge instructions for Codex/Claude when existing files need judgment. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
 
 ### MCP for Codex and Claude
 
@@ -957,7 +957,7 @@ Use `npx securenow init` for the current Next.js integration; it creates or prin
 
 #### Option A: `securenow init` (Recommended)
 
-The init command handles the boring parts: credentials defaults, `instrumentation.ts`, body auto-capture, and `serverExternalPackages` for Next 15+. If existing files are custom, it prints a Codex/Claude-ready prompt instead of guessing.
+The init command handles the boring parts: credentials defaults, `instrumentation.ts`, body auto-capture, `serverExternalPackages`, and standalone output tracing includes for Next 15+. If existing files are custom, it prints a Codex/Claude-ready prompt instead of guessing.
 
 ```bash
 npx securenow login
@@ -967,15 +967,13 @@ npx securenow init
 **Generated `instrumentation.ts` (or `.js`):**
 
 ```typescript
-import { createRequire } from 'node:module';
-
-const require = createRequire(import.meta.url);
-
 export async function register() {
   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
-  const { registerSecureNow } = require('securenow/nextjs');
+
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
   registerSecureNow({ captureBody: true });
-  require('securenow/nextjs-auto-capture');
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
 
@@ -984,6 +982,9 @@ export async function register() {
 ```javascript
 const nextConfig = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 
 export default nextConfig;
@@ -999,6 +1000,9 @@ If you prefer not to run `init`, manually externalize SecureNow:
 // next.config.js (Next.js 15+)
 module.exports = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
 
@@ -1009,10 +1013,13 @@ module.exports = {
     instrumentationHook: true,
     serverComponentsExternalPackages: ['securenow'],
   },
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
 
-**Why is this needed?** Next.js bundles server code with webpack, which can break OpenTelemetry's dynamic `require()` calls and monkey-patching. Externalizing `securenow` keeps the SDK as normal Node.js runtime code.
+**Why is this needed?** Next.js bundles server code with webpack, which can break OpenTelemetry's dynamic `require()` calls and monkey-patching. Externalizing `securenow` keeps the SDK as normal Node.js runtime code. `outputFileTracingIncludes` keeps SecureNow's runtime modules available in standalone/self-hosted output, including the firewall.
 
 ---
 
@@ -1063,7 +1070,7 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
 | Hono | Yes | Yes | Yes | Yes | Use ESM `-r` preload |
 | Feathers | Yes | Yes | Yes | Yes | Uses Express transport |
-| Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `serverExternalPackages: ['securenow']` |
+| Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `serverExternalPackages` + `outputFileTracingIncludes` |
 | Nuxt 3 | Yes | Yes | Yes | Yes | Use `securenow/nuxt` module |
 
 ---
@@ -1135,7 +1142,7 @@ This is useful when:
 - You only need IP blocking, not observability
 - You want to minimize startup time and memory footprint
 - You're adding the firewall to a project that uses a different tracing solution
-- For Next.js, this avoids the need for `serverExternalPackages` entirely
+- For non-Next Node apps, this avoids framework-specific tracing setup entirely
 
 Firewall-only mode uses the same `.securenow/credentials.json` key written by `login`, `api-key set`, or mounted from a runtime credentials file:
 
@@ -1290,7 +1297,7 @@ SecureNow provides multiple entry points depending on your needs:
 |-------------|-------|-------------------|-------------------|-------|
 | `securenow/register` | `node -r securenow/register app.js` | Yes | Yes | Default -- full tracing + firewall |
 | `securenow/firewall-only` | `node -r securenow/firewall-only app.js` | No | Yes | Firewall only, no OTel overhead |
-| `securenow/nextjs` | `require('securenow/nextjs').registerSecureNow()` | Yes | Yes | Next.js instrumentation hook |
+| `securenow/nextjs` | `await import(/* webpackIgnore: true */ 'securenow/nextjs')` | Yes | Yes | Next.js instrumentation hook |
 | `securenow/nuxt` | `modules: ['securenow/nuxt']` | Yes | Yes | Nuxt 3 module |
 | `securenow/nextjs-webpack-config` | `withSecureNow(config)` | - | - | Next.js config wrapper |
 | `securenow/firewall` | `require('securenow/firewall').init({...})` | No | Yes | Programmatic firewall API |
@@ -1556,10 +1563,12 @@ const enabled: boolean = isLoggingEnabled();
 ```typescript
 // instrumentation.ts
 export async function register() {
-  if (process.env.NEXT_RUNTIME === 'nodejs') {
-    const { registerSecureNow } = require('securenow/nextjs');
-    registerSecureNow();
-  }
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
+  registerSecureNow({ captureBody: true });
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
 
@@ -1572,6 +1581,8 @@ module.exports = withSecureNow({
 });
 ```
 
+`withSecureNow()` adds the server external package config and `outputFileTracingIncludes` for standalone/self-hosted builds.
+
 ### NestJS with TypeScript
 
 Use `-r securenow/register -r ts-node/register` flags instead of in-code require:
@@ -1796,6 +1807,9 @@ Bodies larger than `config.capture.maxBodySize` are truncated:
 ```javascript
 module.exports = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
 
@@ -1807,7 +1821,7 @@ For Next.js < 15, add `securenow` to `experimental.serverComponentsExternalPacka
 
 **Check 3: Check for OTel MODULE_NOT_FOUND errors**
 
-If you see `MODULE_NOT_FOUND` for `@opentelemetry/*` packages, your `next.config.js` is missing the externalization. Run `npx securenow init`; if your config is custom, use the prompt it prints to merge the edit safely.
+If you see `MODULE_NOT_FOUND` for `@opentelemetry/*`, `./firewall`, or other SecureNow runtime modules, your `next.config.js` is missing the externalization or standalone output include. Run `npx securenow init`; if your config is custom, use the prompt it prints to merge the edit safely.
 
 **Check 4: Restart dev server**
 

package/README.md

@@ -60,6 +60,24 @@ The SDK reads this file at boot and sends traces/logs directly to the right app
 
 ---
 
+## Monorepo / AI-agent setup
+
+If you have many apps under one repo, authenticate once from the repo root:
+
+```bash
+npx securenow login
+```
+
+Then ask your coding agent to wire each app with this prompt:
+
+```text
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/credentials.json plus tokenless .securenow/credentials.production.json, gitignore .securenow, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+```
+
+For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
+
+---
+
 ## Framework integration
 
 ### Node.js / Express / Fastify / NestJS / Koa / Hapi
@@ -82,27 +100,28 @@ NODE_OPTIONS="-r securenow/register" npm start
 npx securenow init
 ```
 
-Creates `instrumentation.ts` and shows you how to wrap `next.config.js`:
+Creates `instrumentation.ts` and patches `next.config.*` when it can do so safely:
 
 ```typescript
 // instrumentation.ts
-import { createRequire } from 'node:module';
-
-const require = createRequire(import.meta.url);
-
 export async function register() {
   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
-  const { registerSecureNow } = require('securenow/nextjs');
+
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
   registerSecureNow({ captureBody: true });
-  require('securenow/nextjs-auto-capture');
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
 
-For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` when it can safely edit the file:
+For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` and includes the SDK in standalone output when it can safely edit the file:
 
 ```javascript
 const nextConfig = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 
 export default nextConfig;

package/SKILL-API.md

@@ -160,12 +160,15 @@ Run `npx securenow init` first. It creates the straightforward integration below
 ```javascript
 const nextConfig = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 
 export default nextConfig;
 ```
 
-For Next.js < 15, add `securenow` to `experimental.serverComponentsExternalPackages` instead.
+For Next.js < 15, add `securenow` to `experimental.serverComponentsExternalPackages` instead and keep the same `outputFileTracingIncludes` block for standalone/self-hosted output.
 
 **2. `instrumentation.ts`** (or `.js`, can be in `src/`):
 
@@ -254,7 +257,7 @@ npx securenow login
 npx securenow init
 ```
 
-Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` when safe, and reuses the app, instance, firewall key, and secure defaults in `.securenow/credentials.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
+Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and reuses the app, instance, firewall key, and secure defaults in `.securenow/credentials.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
 
 ---
 

package/SKILL-CLI.md

@@ -173,7 +173,7 @@ securenow init [--env local] [--key <API_KEY>]
 
 Auto-detects framework (Next.js, Nuxt, Express, Fastify, Koa, Hapi, Node) from `package.json`. Then:
 - **Credentials**: ensures `.securenow/credentials.json` exists, has secure defaults/explanations, and `.securenow/` is gitignored
-- **Next.js**: creates `instrumentation.ts/js` with `securenow/nextjs` + `securenow/nextjs-auto-capture`, and adds `serverExternalPackages: ['securenow']` when the config can be patched safely
+- **Next.js**: creates `instrumentation.ts/js` with `securenow/nextjs` + `securenow/nextjs-auto-capture`, and adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when the config can be patched safely
 - **Existing Next.js files**: prints a Codex/Claude-ready merge prompt when instrumentation or config already exists or is too custom to safely patch
 - **Nuxt**: tells you to add `securenow/nuxt` to modules
 - **Node/Express/etc.**: suggests adding `-r securenow/register` to start script

package/nextjs-webpack-config.js

@@ -1,14 +1,17 @@
 'use strict';
 
 /**
- * Next.js configuration helpers for SecureNow
+ * Next.js configuration helpers for SecureNow
  *
  * Usage (recommended — zero-list approach):
  *
- *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
- *   module.exports = withSecureNow({
- *     // your existing next.config options
- *   });
+ *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
+ *   module.exports = withSecureNow({
+ *     // your existing next.config options
+ *   });
+ *
+ * This externalizes SecureNow for server bundles and includes the package in
+ * standalone output so runtime modules such as the firewall are available.
  *
  * Legacy webpack-only helper (still exported for backwards compat):
  *
@@ -19,6 +22,8 @@
 const EXTERNAL_PACKAGES = [
   'securenow',
 ];
+const OUTPUT_TRACE_INCLUDE_KEY = '/*';
+const SECURENOW_OUTPUT_TRACE_INCLUDE = './node_modules/securenow/**/*';
 
 function detectNextMajor() {
   try {
@@ -30,8 +35,9 @@ function detectNextMajor() {
 }
 
 /**
- * Wrap a Next.js config object to auto-externalize SecureNow + OTel
- * packages and enable the instrumentation hook.
+ * Wrap a Next.js config object to auto-externalize SecureNow,
+ * include runtime files in standalone output, and enable the
+ * instrumentation hook.
  *
  *   module.exports = withSecureNow({ reactStrictMode: true });
  */
@@ -48,16 +54,18 @@ function withSecureNow(userConfig) {
       ...(cfg.serverExternalPackages || []),
       ...EXTERNAL_PACKAGES,
     ]);
-  } else {
-    cfg.experimental = { ...(cfg.experimental || {}) };
-    cfg.experimental.instrumentationHook = true;
+  } else {
+    cfg.experimental = { ...(cfg.experimental || {}) };
+    cfg.experimental.instrumentationHook = true;
     cfg.experimental.serverComponentsExternalPackages = dedup([
       ...(cfg.experimental.serverComponentsExternalPackages || []),
       ...EXTERNAL_PACKAGES,
-    ]);
-  }
-
-  const origWebpack = cfg.webpack;
+    ]);
+  }
+
+  cfg.outputFileTracingIncludes = mergeOutputFileTracingIncludes(cfg.outputFileTracingIncludes);
+
+  const origWebpack = cfg.webpack;
   cfg.webpack = (config, options) => {
     const c = origWebpack ? origWebpack(config, options) : config;
     return getSecureNowWebpackConfig(c, options);
@@ -66,9 +74,24 @@ function withSecureNow(userConfig) {
   return cfg;
 }
 
-function dedup(arr) {
-  return [...new Set(arr)];
-}
+function dedup(arr) {
+  return [...new Set(arr)];
+}
+
+function mergeOutputFileTracingIncludes(existing) {
+  const includes = { ...(existing || {}) };
+  const current = includes[OUTPUT_TRACE_INCLUDE_KEY];
+
+  if (Array.isArray(current)) {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = dedup([...current, SECURENOW_OUTPUT_TRACE_INCLUDE]);
+  } else if (typeof current === 'string') {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = dedup([current, SECURENOW_OUTPUT_TRACE_INCLUDE]);
+  } else if (!current) {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = [SECURENOW_OUTPUT_TRACE_INCLUDE];
+  }
+
+  return includes;
+}
 
 /**
  * Legacy: suppress OTel webpack warnings and add externals.
@@ -97,4 +120,4 @@ function getSecureNowWebpackConfig(config, options) {
   return config;
 }
 
-module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };
+module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };

package/nextjs.js

@@ -5,19 +5,24 @@
  * 
  * Usage in Next.js app:
  * 
- * 1. Add securenow to serverExternalPackages in next.config.js:
+ * 1. Add securenow to serverExternalPackages and standalone output tracing
+ *    includes in next.config.js:
  * 
  *    const nextConfig = {
  *      serverExternalPackages: ["securenow"],
+ *      outputFileTracingIncludes: {
+ *        "/*": ["<securenow package glob>"],
+ *      },
  *    };
  * 
  * 2. Create instrumentation.ts (or .js) in your project root:
  * 
  *    export async function register() {
  *      if (process.env.NEXT_RUNTIME !== "nodejs") return;
- *      const securenowNext = await import("securenow/nextjs");
- *      securenowNext.registerSecureNow({ captureBody: true });
- *      await import("securenow/nextjs-auto-capture");
+ *      const securenowNext = await import(/* webpackIgnore: true *\/ "securenow/nextjs");
+ *      const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
+ *      registerSecureNow({ captureBody: true });
+ *      await import(/* webpackIgnore: true *\/ "securenow/nextjs-auto-capture");
  *    }
  * 
  * 3. Run `npx securenow login` and `npx securenow init`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.13",
+  "version": "7.7.14",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",