securenow 7.7.13 → 7.7.15

package/cli/auth.js

@@ -75,7 +75,6 @@ async function loginWithBrowser() {
         const returnedState = url.searchParams.get('state');
         const appKey = url.searchParams.get('app_key');
         const appName = url.searchParams.get('app_name');
-        const appInstance = url.searchParams.get('app_instance');
         const apiKey = url.searchParams.get('api_key');
 
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
@@ -96,11 +95,10 @@ async function loginWithBrowser() {
 
         if (token) {
           pendingToken = token;
-          if (appKey || appName || appInstance) {
+          if (appKey || appName) {
             pendingApp = {
               key: appKey || null,
               name: appName || null,
-              instance: appInstance || null,
             };
           }
           if (apiKey && apiKey.startsWith('snk_live_')) {

package/cli/config.js

@@ -153,11 +153,10 @@ function getToken() {
 function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
   const targetFile = credentialsFileForLocal(local);
   const payload = { ...loadJSON(targetFile), token, email, expiresAt };
-  if (app && (app.key || app.name || app.instance)) {
+  if (app && (app.key || app.name)) {
     payload.app = {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     };
   }
   saveJSON(
@@ -201,23 +200,52 @@ function setApp(app, { local } = {}) {
     app: {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     },
   }) || {});
 }
 
 function ensureLocalGitignore() {
   const gitignorePath = path.join(process.cwd(), '.gitignore');
-  const entry = '.securenow/';
+  const legacyEntry = '.securenow/';
+  const entries = [
+    '.securenow/credentials.json',
+    '.securenow/credentials.*.json',
+    '!.securenow/credentials.example.json',
+    '!.securenow/credentials.*.example.json',
+  ];
   try {
+    let content = '';
     if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, 'utf8');
-      if (!content.split('\n').some(line => line.trim() === entry)) {
-        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      content = fs.readFileSync(gitignorePath, 'utf8');
+    }
+
+    const lines = content ? content.split(/\r?\n/) : [];
+    let replacedLegacyEntry = false;
+    const nextLines = [];
+
+    for (const line of lines) {
+      if (line.trim() === legacyEntry) {
+        if (!replacedLegacyEntry) {
+          nextLines.push(...entries);
+          replacedLegacyEntry = true;
+        }
+        continue;
       }
-    } else {
-      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+      nextLines.push(line);
+    }
+
+    const hasLine = (entry) => nextLines.some(line => line.trim() === entry);
+    const missing = entries.filter(entry => !hasLine(entry));
+    if (!replacedLegacyEntry && missing.length === 0) return;
+
+    let nextContent = nextLines.join('\n').replace(/\s*$/, '');
+
+    if (missing.length > 0) {
+      const block = ['# SecureNow local credential files', '# Keep .securenow/ itself trackable for repo-owned docs/templates.', ...missing].join('\n');
+      nextContent = nextContent ? `${nextContent}\n\n${block}` : block;
     }
+
+    fs.writeFileSync(gitignorePath, `${nextContent}\n`);
   } catch {}
 }
 

package/cli/credentials.js

@@ -25,7 +25,6 @@ function buildRuntimeCredentials(options = {}) {
     app: {
       key: creds.app?.key || null,
       name: creds.app?.name || null,
-      instance: creds.app?.instance || appConfig.FREE_TRIAL_INSTANCE,
     },
     config: {
       ...(creds.config || {}),
@@ -41,6 +40,7 @@ function buildRuntimeCredentials(options = {}) {
     _securenow: {
       ...(creds._securenow || {}),
       note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
+      routing: 'Telemetry is sent to the default SecureNow ingestion gateway. The gateway routes by app.key, so runtime credentials do not expose per-instance collector URLs.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',
     },

package/cli/diagnostics.js

@@ -36,10 +36,10 @@ function resolvedConfig(options = {}) {
     apiKey,
     firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
-    loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
-    captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
-    captureMultipart: appConfig.boolEnv('SECURENOW_CAPTURE_MULTIPART', true),
-    otelLogLevel: (process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : appConfig.env('OTEL_LOG_LEVEL')) || 'error',
+    loggingEnabled: appConfig.boolConfig('logging.enabled', true),
+    captureBody: appConfig.boolConfig('capture.body', true),
+    captureMultipart: appConfig.boolConfig('capture.multipart', true),
+    otelLogLevel: appConfig.configValue('otel.logLevel', 'error') || 'error',
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
@@ -467,8 +467,12 @@ async function doctor(_args, flags) {
   if (!cfg.appKey) {
     warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
   }
-  if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
-    warnings.push('Using the free-trial collector. For production, set app.instance in .securenow/credentials.json.');
+  if (cfg.instance === 'https://ingest.securenow.ai') {
+    warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
+  } else if (cfg.instance === 'https://api.securenow.ai/api/otlp') {
+    warnings.push('Using the legacy SecureNow telemetry gateway path. Regenerate credentials so telemetry uses https://ingest.securenow.ai.');
+  } else if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
+    warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
     warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');

package/cli/init.js

@@ -234,6 +234,7 @@ function printAgentPrompt(kind, filename, major, project) {
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
     'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
+    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/free-trial-banner.js

@@ -7,10 +7,10 @@
  * Opt-out: set config.runtime.hideBanner=true in .securenow/credentials.json
  */
 
-const FREETRIAL_HOST = 'freetrial.securenow.ai';
+const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
 
 function isFreeTrial(endpointBase) {
-  return !!endpointBase && endpointBase.includes(FREETRIAL_HOST);
+  return !!endpointBase && FREE_TRIAL_HOSTS.some((host) => endpointBase.includes(host));
 }
 
 /* istanbul ignore next — runs in browser, not Node */

package/mcp/catalog.js

@@ -17,7 +17,7 @@ Primary goals:
 
 Safety rules:
 - Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
-- Do not commit secrets. Ensure .securenow/ is in .gitignore.
+- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -42,7 +42,7 @@ Runbook:
    - Confirm .securenow/credentials.json exists.
    - Confirm it has SecureNow's default config/explanations block.
    - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
-   - Confirm .securenow/ is ignored by git.
+   - Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
 6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.

package/nextjs-webpack-config.js

@@ -1,14 +1,17 @@
 'use strict';
 
 /**
- * Next.js configuration helpers for SecureNow
+ * Next.js configuration helpers for SecureNow
  *
  * Usage (recommended — zero-list approach):
  *
- *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
- *   module.exports = withSecureNow({
- *     // your existing next.config options
- *   });
+ *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
+ *   module.exports = withSecureNow({
+ *     // your existing next.config options
+ *   });
+ *
+ * This externalizes SecureNow for server bundles and includes the package in
+ * standalone output so runtime modules such as the firewall are available.
  *
  * Legacy webpack-only helper (still exported for backwards compat):
  *
@@ -19,6 +22,8 @@
 const EXTERNAL_PACKAGES = [
   'securenow',
 ];
+const OUTPUT_TRACE_INCLUDE_KEY = '/*';
+const SECURENOW_OUTPUT_TRACE_INCLUDE = './node_modules/securenow/**/*';
 
 function detectNextMajor() {
   try {
@@ -30,8 +35,9 @@ function detectNextMajor() {
 }
 
 /**
- * Wrap a Next.js config object to auto-externalize SecureNow + OTel
- * packages and enable the instrumentation hook.
+ * Wrap a Next.js config object to auto-externalize SecureNow,
+ * include runtime files in standalone output, and enable the
+ * instrumentation hook.
  *
  *   module.exports = withSecureNow({ reactStrictMode: true });
  */
@@ -48,16 +54,18 @@ function withSecureNow(userConfig) {
       ...(cfg.serverExternalPackages || []),
       ...EXTERNAL_PACKAGES,
     ]);
-  } else {
-    cfg.experimental = { ...(cfg.experimental || {}) };
-    cfg.experimental.instrumentationHook = true;
+  } else {
+    cfg.experimental = { ...(cfg.experimental || {}) };
+    cfg.experimental.instrumentationHook = true;
     cfg.experimental.serverComponentsExternalPackages = dedup([
       ...(cfg.experimental.serverComponentsExternalPackages || []),
       ...EXTERNAL_PACKAGES,
-    ]);
-  }
-
-  const origWebpack = cfg.webpack;
+    ]);
+  }
+
+  cfg.outputFileTracingIncludes = mergeOutputFileTracingIncludes(cfg.outputFileTracingIncludes);
+
+  const origWebpack = cfg.webpack;
   cfg.webpack = (config, options) => {
     const c = origWebpack ? origWebpack(config, options) : config;
     return getSecureNowWebpackConfig(c, options);
@@ -66,9 +74,24 @@ function withSecureNow(userConfig) {
   return cfg;
 }
 
-function dedup(arr) {
-  return [...new Set(arr)];
-}
+function dedup(arr) {
+  return [...new Set(arr)];
+}
+
+function mergeOutputFileTracingIncludes(existing) {
+  const includes = { ...(existing || {}) };
+  const current = includes[OUTPUT_TRACE_INCLUDE_KEY];
+
+  if (Array.isArray(current)) {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = dedup([...current, SECURENOW_OUTPUT_TRACE_INCLUDE]);
+  } else if (typeof current === 'string') {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = dedup([current, SECURENOW_OUTPUT_TRACE_INCLUDE]);
+  } else if (!current) {
+    includes[OUTPUT_TRACE_INCLUDE_KEY] = [SECURENOW_OUTPUT_TRACE_INCLUDE];
+  }
+
+  return includes;
+}
 
 /**
  * Legacy: suppress OTel webpack warnings and add externals.
@@ -97,4 +120,4 @@ function getSecureNowWebpackConfig(config, options) {
   return config;
 }
 
-module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };
+module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };

package/nextjs.d.ts

@@ -1,8 +1,8 @@
-/**
- * SecureNow Next.js Integration TypeScript Declarations
- */
-
-export interface RegisterOptions {
+/**
+ * SecureNow Next.js Integration TypeScript Declarations
+ */
+
+export interface RegisterOptions {
   /**
    * Service name for OpenTelemetry traces
    * @default .securenow/credentials.json app.key/app.name
@@ -11,7 +11,11 @@ export interface RegisterOptions {
 
   /**
    * OTLP endpoint for traces
-   * @default .securenow/credentials.json app.instance, or https://freetrial.securenow.ai:4318
+   * @default https://ingest.securenow.ai
+   *
+   * Advanced OTLP endpoint override. Normal SecureNow apps should leave this
+   * unset so the ingest gateway can route by app.key to the dashboard-selected
+   * instance.
    */
   endpoint?: string;
 
@@ -20,26 +24,26 @@ export interface RegisterOptions {
    * @default .securenow/credentials.json config.runtime.deploymentEnvironment
    */
   environment?: string;
-
-  /**
-   * Don't append UUID to service name
-   * @default false
-   */
-  noUuid?: boolean;
-
+
+  /**
+   * Don't append UUID to service name
+   * @default false
+   */
+  noUuid?: boolean;
+
    /**
    * Enable request body capture
    * @default true from .securenow/credentials.json secure defaults
    */
   captureBody?: boolean;
 }
-
-/**
- * Register SecureNow OpenTelemetry instrumentation for Next.js
- * 
- * @param options - Optional configuration options
- * 
- * @example
+
+/**
+ * Register SecureNow OpenTelemetry instrumentation for Next.js
+ * 
+ * @param options - Optional configuration options
+ * 
+ * @example
  * ```typescript
  * // instrumentation.ts
  * import { createRequire } from 'node:module';
@@ -53,46 +57,46 @@ export interface RegisterOptions {
  *   require('securenow/nextjs-auto-capture');
  * }
  * ```
- * 
- * @example
- * ```typescript
- * // With custom options
- * import { registerSecureNow } from 'securenow/nextjs';
- * 
- * export function register() {
- *   registerSecureNow({
- *     serviceName: 'my-nextjs-app',
- *     endpoint: 'http://your-otlp-backend.example.com:4318',
- *     noUuid: true,
- *   });
- * }
- * ```
- */
-export function registerSecureNow(options?: RegisterOptions): void;
-
-/**
- * Default sensitive fields that are automatically redacted from traces
- */
-export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
-
-/**
- * Redact sensitive fields from an object
- * @param obj - Object to redact
- * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
- * @returns Redacted copy of the object
- */
-export function redactSensitiveData<T = any>(
-  obj: T,
-  sensitiveFields?: string[]
-): T;
-
-/**
- * Redact sensitive data from GraphQL query strings
- * @param query - GraphQL query string
- * @param sensitiveFields - Array of field names to redact
- * @returns Redacted query string
- */
-export function redactGraphQLQuery(
-  query: string,
-  sensitiveFields?: string[]
-): string;
+ * 
+ * @example
+ * ```typescript
+ * // With custom options
+ * import { registerSecureNow } from 'securenow/nextjs';
+ * 
+ * export function register() {
+ *   registerSecureNow({
+ *     serviceName: 'my-nextjs-app',
+ *     endpoint: 'http://your-otlp-backend.example.com:4318',
+ *     noUuid: true,
+ *   });
+ * }
+ * ```
+ */
+export function registerSecureNow(options?: RegisterOptions): void;
+
+/**
+ * Default sensitive fields that are automatically redacted from traces
+ */
+export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
+
+/**
+ * Redact sensitive fields from an object
+ * @param obj - Object to redact
+ * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
+ * @returns Redacted copy of the object
+ */
+export function redactSensitiveData<T = any>(
+  obj: T,
+  sensitiveFields?: string[]
+): T;
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ * @param query - GraphQL query string
+ * @param sensitiveFields - Array of field names to redact
+ * @returns Redacted query string
+ */
+export function redactGraphQLQuery(
+  query: string,
+  sensitiveFields?: string[]
+): string;