npm - securenow - Versions diffs - 7.7.13 → 7.7.15 - Mend

securenow 7.7.13 → 7.7.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/NPM_README.md +98 -140
package/README.md +46 -32
package/SKILL-API.md +495 -491
package/SKILL-CLI.md +9 -9
package/app-config.js +99 -42
package/cli/apps.js +589 -597
package/cli/auth.js +1 -3
package/cli/config.js +37 -9
package/cli/credentials.js +1 -1
package/cli/diagnostics.js +10 -6
package/cli/init.js +1 -0
package/free-trial-banner.js +2 -2
package/mcp/catalog.js +2 -2
package/nextjs-webpack-config.js +41 -18
package/nextjs.d.ts +67 -63
package/nextjs.js +57 -46
package/nuxt-server-plugin.mjs +6 -11
package/nuxt.d.ts +42 -38
package/nuxt.mjs +1 -1
package/package.json +1 -1
package/tracing.d.ts +2 -1
package/tracing.js +31 -47
package/web-vite.mjs +102 -15

package/NPM_README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# SecureNow - Complete OpenTelemetry Observability for Node.js
+# SecureNow - Complete OpenTelemetry Observability for Node.js
 OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt applications. Send distributed traces and logs to any OTLP-compatible observability backend.
@@ -9,7 +9,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - Built-in sensitive data redaction
 - Request body capture for debugging
 - Multi-layer firewall -- auto-blocks IPs from your SecureNow blocklist
-- `securenow init` scaffolds Next.js instrumentation and safe `serverExternalPackages`
+- `securenow init` scaffolds Next.js instrumentation, safe `serverExternalPackages`, and standalone output tracing includes
 - `securenow/firewall-only` entry point for firewall without tracing overhead
 - Local and production configuration via `.securenow/credentials.json`
 - Single `-r securenow/register` flag -- works for both CJS and ESM apps
@@ -77,7 +77,7 @@ npx securenow init --key snk_live_abc123...
 This detects your framework and:
 - **Credentials**: Ensures `.securenow/credentials.json` has secure defaults and explanations
-- **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` when safe, or prints a Codex/Claude-ready merge prompt for existing files
+- **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, or prints a Codex/Claude-ready merge prompt for existing files
 - **Nuxt 3**: Suggests adding `securenow/nuxt` to modules
 - **Express / Node.js**: Shows how to add `-r securenow/register` to your start script
 - **All**: Stores `--key` in `.securenow/credentials.json`; no local `.env` file is needed
@@ -86,7 +86,7 @@ This detects your framework and:
 #### Configure Locally
-Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, collector URL, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 #### Run Your Application
@@ -127,7 +127,7 @@ const app = express();
 You'll see confirmation in the console:
 ```
-[securenow] OTel SDK started -> http://your-otlp-collector:4318/v1/traces
+[securenow] OTel SDK started -> https://ingest.securenow.ai/v1/traces
 [securenow] Firewall: ENABLED
 [securenow] Firewall: synced 142 blocked IPs (138 exact + 4 CIDR ranges)
 ```
@@ -138,7 +138,7 @@ You'll see confirmation in the console:
 The `securenow` CLI gives you full access to the SecureNow platform from the terminal -- no browser required for day-to-day workflows. Zero additional dependencies.
-**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, `SECURENOW_TEST_SPAN` -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
+**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, startup smoke spans -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
 ### Getting Started
@@ -174,7 +174,7 @@ npx securenow init
 npx securenow init --key snk_live_abc123...
 ```
-For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript), adds `serverExternalPackages: ['securenow']` when safe, and prints exact merge instructions for Codex/Claude when existing files need judgment. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
+For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeScript), adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and prints exact merge instructions for Codex/Claude when existing files need judgment. For Nuxt, it suggests adding `securenow/nuxt` to your modules. For Express/Node, it shows the `-r securenow/register` flag.
 ### MCP for Codex and Claude
@@ -374,7 +374,7 @@ npx securenow test-span
 npx securenow test-span "ci.smoke-test"          # custom span name
 ```
-Both commands use the resolved `SECURENOW_INSTANCE` / `OTEL_EXPORTER_OTLP_*` endpoints and honor `OTEL_EXPORTER_OTLP_HEADERS` for API-key auth. Non-zero exit on HTTP errors so CI/cron can detect failures.
+Both commands use the resolved credentials JSON endpoints and headers. Non-zero exit on HTTP errors so CI/cron can detect failures.
 ### Utilities -- Redaction, CIDR, Diagnostics
@@ -434,14 +434,18 @@ Every command supports these flags:
 | `--help` | | Show help for the command |
 | `--app <key>` | | Override the default application key |
-### Environment Variables
+### Legacy CLI Overrides
-| Variable | Description |
+Normal CLI, SDK, and production runtime setup uses `.securenow/credentials.json`.
+Old per-terminal CLI overrides still exist for operator troubleshooting, but
+they are not part of the SDK runtime configuration path.
+| Override | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | JWT token - overrides all file-based credentials |
-| `SECURENOW_API_URL` | Override the API base URL |
-| `SECURENOW_DEBUG` | Show stack traces on errors |
-| `NO_COLOR` | Disable colored output |
+| `SECURENOW_TOKEN` | Legacy CLI auth override for a single terminal session |
+| `SECURENOW_API_URL` | Legacy CLI API base override for testing |
+| `SECURENOW_DEBUG` | CLI stack traces while debugging |
+| `NO_COLOR` | Disable colored CLI output |
 ### Multi-Project Sessions
@@ -460,7 +464,7 @@ npx securenow login
 npx securenow whoami   # Shows auth source: project (.securenow/)
 ```
-For new automation, prefer project-local or runtime credentials files. `SECURENOW_TOKEN` remains a legacy fallback for per-terminal sessions.
+For new automation, use project-local or runtime credentials files.
 ### CI/CD Integration
@@ -566,7 +570,7 @@ npx securenow logs --json --level error | jq '.logs'
 ## Framework-Specific Setup
-> **v5.6.0+:** When `SECURENOW_LOGGING_ENABLED=1`, all `console.log`/`warn`/`error`/`info`/`debug` calls
+> **v5.6.0+:** When `config.logging.enabled` is `true`, all `console.log`/`warn`/`error`/`info`/`debug` calls
 > are **automatically** forwarded as OTLP log records. The separate `require('securenow/console-instrumentation')` is no longer needed (but still available for backward compat).
 ### Express.js
@@ -641,7 +645,7 @@ fastify.listen({ port: 3000 }, (err) => {
 });
 ```
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 ---
@@ -764,7 +768,7 @@ const init = async () => {
 init().catch((err) => { console.error(err); process.exit(1); });
 ```
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 ---
@@ -957,7 +961,7 @@ Use `npx securenow init` for the current Next.js integration; it creates or prin
 #### Option A: `securenow init` (Recommended)
-The init command handles the boring parts: credentials defaults, `instrumentation.ts`, body auto-capture, and `serverExternalPackages` for Next 15+. If existing files are custom, it prints a Codex/Claude-ready prompt instead of guessing.
+The init command handles the boring parts: credentials defaults, `instrumentation.ts`, body auto-capture, `serverExternalPackages`, and standalone output tracing includes for Next 15+. If existing files are custom, it prints a Codex/Claude-ready prompt instead of guessing.
 ```bash
 npx securenow login
@@ -967,15 +971,13 @@ npx securenow init
 **Generated `instrumentation.ts` (or `.js`):**
 ```typescript
-import { createRequire } from 'node:module';
-const require = createRequire(import.meta.url);
 export async function register() {
   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
-  const { registerSecureNow } = require('securenow/nextjs');
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
   registerSecureNow({ captureBody: true });
-  require('securenow/nextjs-auto-capture');
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
@@ -984,6 +986,9 @@ export async function register() {
 ```javascript
 const nextConfig = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 export default nextConfig;
@@ -999,6 +1004,9 @@ If you prefer not to run `init`, manually externalize SecureNow:
 // next.config.js (Next.js 15+)
 module.exports = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
@@ -1009,10 +1017,13 @@ module.exports = {
     instrumentationHook: true,
     serverComponentsExternalPackages: ['securenow'],
   },
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
-**Why is this needed?** Next.js bundles server code with webpack, which can break OpenTelemetry's dynamic `require()` calls and monkey-patching. Externalizing `securenow` keeps the SDK as normal Node.js runtime code.
+**Why is this needed?** Next.js bundles server code with webpack, which can break OpenTelemetry's dynamic `require()` calls and monkey-patching. Externalizing `securenow` keeps the SDK as normal Node.js runtime code. `outputFileTracingIncludes` keeps SecureNow's runtime modules available in standalone/self-hosted output, including the firewall.
 ---
@@ -1054,16 +1065,16 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Framework | Traces | Logs | Body Capture | Firewall | Notes |
 |-----------|--------|------|--------------|----------|-------|
 | Express | Yes | Yes | Yes | Yes | Fully compatible |
-| Fastify | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Fastify | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | Koa | Yes | Yes | Yes | Yes | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | Yes | Use `-r ts-node/register` |
-| Hapi | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Hapi | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | h3 | Yes | Yes | Yes | Yes | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | Yes | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
 | Hono | Yes | Yes | Yes | Yes | Use ESM `-r` preload |
 | Feathers | Yes | Yes | Yes | Yes | Uses Express transport |
-| Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `serverExternalPackages: ['securenow']` |
+| Next.js | Yes | Yes | Yes | Yes | Use `instrumentation.ts` + `serverExternalPackages` + `outputFileTracingIncludes` |
 | Nuxt 3 | Yes | Yes | Yes | Yes | Use `securenow/nuxt` module |
 ---
@@ -1088,7 +1099,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
 On startup, you'll see:
@@ -1135,7 +1146,7 @@ This is useful when:
 - You only need IP blocking, not observability
 - You want to minimize startup time and memory footprint
 - You're adding the firewall to a project that uses a different tracing solution
-- For Next.js, this avoids the need for `serverExternalPackages` entirely
+- For non-Next Node apps, this avoids framework-specific tracing setup entirely
 Firewall-only mode uses the same `.securenow/credentials.json` key written by `login`, `api-key set`, or mounted from a runtime credentials file:
@@ -1148,12 +1159,12 @@ node -r securenow/firewall-only app.js
 The firewall supports four layers -- Layer 1 is always on, the rest are opt-in:
-| Layer | Env Var | Description |
+| Layer | Credentials key | Description |
 |-------|---------|-------------|
 | **Layer 1: HTTP** | *(always on)* | Returns 403 Forbidden with a security alert page. Works with proxy headers. |
-| **Layer 2: TCP** | `SECURENOW_FIREWALL_TCP=1` | `socket.destroy()` -- zero bytes sent back |
-| **Layer 3: iptables** | `SECURENOW_FIREWALL_IPTABLES=1` | Kernel-level DROP (Linux, requires root) |
-| **Layer 4: Cloud WAF** | `SECURENOW_FIREWALL_CLOUD=cloudflare` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
+| **Layer 2: TCP** | `config.firewall.tcp=true` | `socket.destroy()` -- zero bytes sent back |
+| **Layer 3: iptables** | `config.firewall.iptables=true` | Kernel-level DROP (Linux, requires root) |
+| **Layer 4: Cloud WAF** | `config.firewall.cloud="cloudflare"` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
 ### Blocked Page
@@ -1185,8 +1196,8 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | Field | Description | Default |
 |----------|-------------|---------|
-| `app.key` | SecureNow app routing UUID / OTel service name. | chosen during login |
-| `app.instance` | OTLP collector base URL. | `https://freetrial.securenow.ai:4318` |
+| `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
+| `app.name` | Human-readable app label. | selected during login |
 | `apiKey` | Scoped firewall key (`snk_live_...`). | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
@@ -1195,90 +1206,18 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | `config.firewall.enabled` | Local SDK firewall switch; dashboard toggle is per environment. | `true` |
 | `config.otel.*` | Optional custom endpoints, headers, and log level. | empty |
-Legacy env fallback aliases are listed below for existing installs only.
-### Legacy App Identity Fallbacks
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `SECURENOW_APPID` | Fallback for missing credentials `app.key`. Used as the app routing key/service name. | `<uuid>` |
-| `SECURENOW_INSTANCE` | Fallback for missing credentials `app.instance`. Base URL of your OTLP collector endpoint. | `https://freetrial.securenow.ai:4318` |
-### Optional Configuration
-#### Service Naming
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_SERVICE_NAME` | Fallback for missing `app.name`. Standard OpenTelemetry variable. | - |
-| `SECURENOW_NO_UUID` | Legacy fallback for `config.runtime.noUuid`. | `0` |
-| `SECURENOW_STRICT` | Legacy fallback for `config.runtime.strict`. | `0` |
-#### Connection Settings
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_EXPORTER_OTLP_ENDPOINT` | Fallback for `config.otel.endpoint`. | - |
-| `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` | Fallback for `config.otel.tracesEndpoint`. | `{instance}/v1/traces` |
-| `OTEL_EXPORTER_OTLP_LOGS_ENDPOINT` | Fallback for `config.otel.logsEndpoint`. | `{instance}/v1/logs` |
-| `OTEL_EXPORTER_OTLP_HEADERS` | Fallback for `config.otel.headers`. Format: `key1=value1,key2=value2` | - |
-#### Logging
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `0` to disable. | `1` |
-#### Request Body Capture
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_CAPTURE_BODY` | Capture request bodies in traces. Set to `0` to disable. | `1` |
-| `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
-| `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
-| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data metadata. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `0` to disable. | `1` |
+The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads
+all runtime settings from this JSON plus built-in defaults. Production should
+mount a tokenless runtime credentials file at `.securenow/credentials.json`.
+Legacy env fallback is disabled by default and exists only for old deployments
+that explicitly opt in with `SECURENOW_ENABLE_LEGACY_ENV=1`.
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
-#### Instrumentation Control
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated list of instrumentation packages to disable. | - |
-**Example:** `SECURENOW_DISABLE_INSTRUMENTATIONS=fs,dns` disables filesystem and DNS instrumentations.
-#### Firewall
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_API_KEY` | Legacy firewall key override. Prefer `apiKey` in `.securenow/credentials.json`. | from creds file |
-| `SECURENOW_API_URL` | SecureNow API base URL. Auto-detected for co-located deployments (falls back to `http://localhost:4000` on ECONNREFUSED). | `https://api.securenow.ai` |
-| `SECURENOW_FIREWALL_VERSION_INTERVAL` | Seconds between lightweight ETag checks. | `10` |
-| `SECURENOW_FIREWALL_SYNC_INTERVAL` | Safety-net full blocklist refresh interval in seconds. | `3600` |
-| `SECURENOW_FIREWALL_FAIL_MODE` | `open` (allow when unavailable) or `closed` (block all). | `open` |
-| `SECURENOW_FIREWALL_STATUS_CODE` | HTTP status code for blocked requests. | `403` |
-| `SECURENOW_FIREWALL_LOG` | Log blocked requests and sync events to console. Set to `0` to silence. | `1` |
-| `SECURENOW_FIREWALL_TCP` | Enable Layer 2 TCP blocking. | `0` |
-| `SECURENOW_FIREWALL_IPTABLES` | Enable Layer 3 iptables blocking. | `0` |
-| `SECURENOW_FIREWALL_CLOUD` | Cloud WAF provider: `cloudflare`, `aws`, or `gcp`. | - |
-| `SECURENOW_FIREWALL_CLOUD_DRY_RUN` | Log cloud pushes without applying changes. | `0` |
-| `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs. | - |
-Use `npx securenow help firewall` for complete details on all layers.
-#### Debugging
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_LOG_LEVEL` | OpenTelemetry diagnostic override. Options: `debug`, `info`, `warn`, `error`, `none`. Overrides `config.otel.logLevel` for emergency debugging. | `error` |
-| `SECURENOW_TEST_SPAN` | Set to `1` to emit a test span on startup. | `0` |
-#### Environment
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_ENVIRONMENT` / `SECURENOW_DEPLOYMENT_ENVIRONMENT` / `NODE_ENV` | Fallback for `config.runtime.deploymentEnvironment`. | `production` |
+For instrumentation, firewall layers, debugging, trusted proxies, and deployment
+environment, edit the matching `config.*` keys in `.securenow/credentials.json`.
+Use `npx securenow env --json` to inspect the resolved values and
+`npx securenow help firewall` for the firewall command reference.
 ---
@@ -1290,7 +1229,7 @@ SecureNow provides multiple entry points depending on your needs:
 |-------------|-------|-------------------|-------------------|-------|
 | `securenow/register` | `node -r securenow/register app.js` | Yes | Yes | Default -- full tracing + firewall |
 | `securenow/firewall-only` | `node -r securenow/firewall-only app.js` | No | Yes | Firewall only, no OTel overhead |
-| `securenow/nextjs` | `require('securenow/nextjs').registerSecureNow()` | Yes | Yes | Next.js instrumentation hook |
+| `securenow/nextjs` | `await import(/* webpackIgnore: true */ 'securenow/nextjs')` | Yes | Yes | Next.js instrumentation hook |
 | `securenow/nuxt` | `modules: ['securenow/nuxt']` | Yes | Yes | Nuxt 3 module |
 | `securenow/nextjs-webpack-config` | `withSecureNow(config)` | - | - | Next.js config wrapper |
 | `securenow/firewall` | `require('securenow/firewall').init({...})` | No | Yes | Programmatic firewall API |
@@ -1303,13 +1242,15 @@ SecureNow provides multiple entry points depending on your needs:
 ### Automatic Console Logging
-Since **v5.6.0**, when `SECURENOW_LOGGING_ENABLED=1`, all console calls are automatically forwarded as OTLP log records:
+Console log forwarding is enabled by default through
+`config.logging.enabled: true`; all console calls are automatically forwarded as
+OTLP log records:
 ```javascript
 // At the top of your main file
 require('securenow/register');
-// With SECURENOW_LOGGING_ENABLED=1, all console logs are automatically sent
+// With config.logging.enabled=true, all console logs are automatically sent
 console.log('Application started');
 console.info('User action', { userId: 123, action: 'login' });
 console.warn('Deprecation warning');
@@ -1324,10 +1265,7 @@ console.debug('Debug info');
 - `console.error()` -> ERROR
 - `console.debug()` -> DEBUG
-**Environment variable:**
-```bash
-SECURENOW_LOGGING_ENABLED=1
-```
+Logging is controlled by `config.logging.enabled` in `.securenow/credentials.json`.
 ### Direct Logger API
@@ -1370,13 +1308,20 @@ node -r securenow/register app.js
 ## Request Body Capture
-SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `SECURENOW_CAPTURE_BODY=0` only when you need a local opt-out.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `config.capture.body=false` in `.securenow/credentials.json` only when you need a local opt-out.
 ### Body Capture Defaults
-```bash
-export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
-# export SECURENOW_CAPTURE_BODY=0     # optional opt-out
+```json
+{
+  "config": {
+    "capture": {
+      "body": true,
+      "maxBodySize": 10240,
+      "multipart": true
+    }
+  }
+}
 ```
 ### Supported Content Types
@@ -1384,11 +1329,11 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-- `multipart/form-data` (metadata capture is on unless `SECURENOW_CAPTURE_MULTIPART=0`)
+- `multipart/form-data` (metadata capture is on unless `config.capture.multipart=false`)
 ### Multipart Body Capture (v5.8.0+)
-Multipart/form-data metadata capture is enabled by default. Set `SECURENOW_CAPTURE_MULTIPART=0` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
+Multipart/form-data metadata capture is enabled by default. Set `config.capture.multipart=false` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
 **What gets captured:**
 - **Text fields** -- field name and value (up to 1000 chars), with sensitive fields auto-redacted
@@ -1415,8 +1360,14 @@ All request bodies are automatically scanned and sensitive fields are redacted:
 **Add custom fields to redact:**
-```bash
-export SECURENOW_SENSITIVE_FIELDS="custom_secret,internal_token"
+```json
+{
+  "config": {
+    "capture": {
+      "sensitiveFields": ["custom_secret", "internal_token"]
+    }
+  }
+}
 ```
 ### Example
@@ -1556,10 +1507,12 @@ const enabled: boolean = isLoggingEnabled();
 ```typescript
 // instrumentation.ts
 export async function register() {
-  if (process.env.NEXT_RUNTIME === 'nodejs') {
-    const { registerSecureNow } = require('securenow/nextjs');
-    registerSecureNow();
-  }
+  if (process.env.NEXT_RUNTIME !== 'nodejs') return;
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
+  registerSecureNow({ captureBody: true });
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
@@ -1572,6 +1525,8 @@ module.exports = withSecureNow({
 });
 ```
+`withSecureNow()` adds the server external package config and `outputFileTracingIncludes` for standalone/self-hosted builds.
 ### NestJS with TypeScript
 Use `-r securenow/register -r ts-node/register` flags instead of in-code require:
@@ -1796,6 +1751,9 @@ Bodies larger than `config.capture.maxBodySize` are truncated:
 ```javascript
 module.exports = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 ```
@@ -1807,7 +1765,7 @@ For Next.js < 15, add `securenow` to `experimental.serverComponentsExternalPacka
 **Check 3: Check for OTel MODULE_NOT_FOUND errors**
-If you see `MODULE_NOT_FOUND` for `@opentelemetry/*` packages, your `next.config.js` is missing the externalization. Run `npx securenow init`; if your config is custom, use the prompt it prints to merge the edit safely.
+If you see `MODULE_NOT_FOUND` for `@opentelemetry/*`, `./firewall`, or other SecureNow runtime modules, your `next.config.js` is missing the externalization or standalone output include. Run `npx securenow init`; if your config is custom, use the prompt it prints to merge the edit safely.
 **Check 4: Restart dev server**
@@ -1860,10 +1818,10 @@ Do not hardcode configuration in code or deployment dashboards. Use `.securenow/
 ```javascript
 // Bad
-process.env.SECURENOW_APPID = 'hardcoded-value';
+const appKey = 'hardcoded-value';
 // Good: use .securenow/credentials.json
-// { "app": { "key": "my-app", "instance": "https://freetrial.securenow.ai:4318" } }
+// { "app": { "key": "my-app", "instance": "https://ingest.securenow.ai" } }
 ```
 ### 2. Use Structured Logging

package/README.md CHANGED Viewed

@@ -45,7 +45,7 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
   "app": {
     "key": "<uuid>",
     "name": "my-backend",
-    "instance": "https://freetrial.securenow.ai:4318"
+    "instance": "https://ingest.securenow.ai"
   },
   "config": {
     "runtime": { "deploymentEnvironment": "local" },
@@ -60,6 +60,24 @@ The SDK reads this file at boot and sends traces/logs directly to the right app
 ---
+## Monorepo / AI-agent setup
+If you have many apps under one repo, authenticate once from the repo root:
+```bash
+npx securenow login
+```
+Then ask your coding agent to wire each app with this prompt:
+```text
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/credentials.json plus tokenless .securenow/credentials.production.json, gitignore .securenow, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+```
+For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
+---
 ## Framework integration
 ### Node.js / Express / Fastify / NestJS / Koa / Hapi
@@ -82,27 +100,28 @@ NODE_OPTIONS="-r securenow/register" npm start
 npx securenow init
 ```
-Creates `instrumentation.ts` and shows you how to wrap `next.config.js`:
+Creates `instrumentation.ts` and patches `next.config.*` when it can do so safely:
 ```typescript
 // instrumentation.ts
-import { createRequire } from 'node:module';
-const require = createRequire(import.meta.url);
 export async function register() {
   if (process.env.NEXT_RUNTIME !== 'nodejs') return;
-  const { registerSecureNow } = require('securenow/nextjs');
+  const securenowNext = await import(/* webpackIgnore: true */ 'securenow/nextjs');
+  const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
   registerSecureNow({ captureBody: true });
-  require('securenow/nextjs-auto-capture');
+  await import(/* webpackIgnore: true */ 'securenow/nextjs-auto-capture');
 }
 ```
-For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` when it can safely edit the file:
+For Next.js 15+, `init` adds `securenow` to `serverExternalPackages` and includes the SDK in standalone output when it can safely edit the file:
 ```javascript
 const nextConfig = {
   serverExternalPackages: ['securenow'],
+  outputFileTracingIncludes: {
+    '/*': ['./node_modules/securenow/**/*'],
+  },
 };
 export default nextConfig;
@@ -162,7 +181,7 @@ Resolution order:
 4. Global named runtime credentials in the same fixed order
 5. `package.json#name` (label only)
-Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
+SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
 ---
@@ -225,8 +244,8 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | Field | Default | Purpose |
 |---|---|---|
-| `app.key` | selected during login | App routing UUID, sent as OTel `service.name` |
-| `app.instance` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
+| `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
+| `app.name` | selected during login | Human-readable label for CLI and dashboard output |
 | `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
@@ -237,25 +256,20 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
 | `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
-Legacy env fallback aliases:
+The credentials file is versioned with `_securenow.schemaVersion`, so future SDK
+versions can migrate defaults without asking customers to manage env vars. For
+production, generate a tokenless runtime file:
-| Variable | Default | Purpose |
-|---|---|---|
-| `SECURENOW_APPID` | from credentials file | App routing key (UUID), sent as OTel `service.name` |
-| `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
-| `SECURENOW_API_KEY` | from credentials file | Scoped firewall API key (`snk_live_...`) |
-| `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
-| `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
-| `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
-| `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | - | Comma-separated OTel instrumentations to disable. |
-| `SECURENOW_NO_UUID` | `0` | Don't append a UUID to `service.instance.id`. |
-| `SECURENOW_STRICT` | `0` | Exit with code 1 if `SECURENOW_APPID` is missing in a PM2 cluster. |
-| `OTEL_EXPORTER_OTLP_HEADERS` | - | Raw OTLP headers (e.g. `x-api-key=...`). |
-| `OTEL_LOG_LEVEL` | - | `debug`/`info`/`warn`/`error`. |
-New installs should use `.securenow/credentials.json`; environment variables remain legacy fallbacks for existing deployments.
+```bash
+npx securenow credentials runtime --env production
+```
+Mount or copy that JSON as `.securenow/credentials.json` in the deployed app.
+New runtime credentials do not include a per-instance collector URL; the SDK
+uses `https://ingest.securenow.ai` by default and the gateway routes by
+`app.key`.
+Legacy env fallback exists only for old deployments that explicitly opt in with
+`SECURENOW_ENABLE_LEGACY_ENV=1`; new installs should not use it.
 ---
@@ -270,7 +284,7 @@ PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 ### Other
 HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
-> MongoDB instrumentation is opt-in (`SECURENOW_ENABLE_MONGODB_INSTRUMENTATION=1`) because older versions corrupted cursors on `mongodb@6.6+`. Safe again since SDK v6.0.2.
+> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/credentials.json`.
 ---
@@ -412,7 +426,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
-Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env vars are fallback-only for older installs and do not choose the credentials filename.
+Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
 Override the dashboard API with `securenow config set apiUrl <url>`.