securenow 7.7.14 → 7.7.15

package/NPM_README.md

@@ -1,4 +1,4 @@
-# SecureNow - Complete OpenTelemetry Observability for Node.js
+# SecureNow - Complete OpenTelemetry Observability for Node.js
 
 OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt applications. Send distributed traces and logs to any OTLP-compatible observability backend.
 
@@ -86,7 +86,7 @@ This detects your framework and:
 
 #### Configure Locally
 
-Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, collector URL, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 
 #### Run Your Application
 
@@ -127,7 +127,7 @@ const app = express();
 You'll see confirmation in the console:
 
 ```
-[securenow] OTel SDK started -> http://your-otlp-collector:4318/v1/traces
+[securenow] OTel SDK started -> https://ingest.securenow.ai/v1/traces
 [securenow] Firewall: ENABLED
 [securenow] Firewall: synced 142 blocked IPs (138 exact + 4 CIDR ranges)
 ```
@@ -138,7 +138,7 @@ You'll see confirmation in the console:
 
 The `securenow` CLI gives you full access to the SecureNow platform from the terminal -- no browser required for day-to-day workflows. Zero additional dependencies.
 
-**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, `SECURENOW_TEST_SPAN` -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
+**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, startup smoke spans -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
 
 ### Getting Started
 
@@ -374,7 +374,7 @@ npx securenow test-span
 npx securenow test-span "ci.smoke-test"          # custom span name
 ```
 
-Both commands use the resolved `SECURENOW_INSTANCE` / `OTEL_EXPORTER_OTLP_*` endpoints and honor `OTEL_EXPORTER_OTLP_HEADERS` for API-key auth. Non-zero exit on HTTP errors so CI/cron can detect failures.
+Both commands use the resolved credentials JSON endpoints and headers. Non-zero exit on HTTP errors so CI/cron can detect failures.
 
 ### Utilities -- Redaction, CIDR, Diagnostics
 
@@ -434,14 +434,18 @@ Every command supports these flags:
 | `--help` | | Show help for the command |
 | `--app <key>` | | Override the default application key |
 
-### Environment Variables
+### Legacy CLI Overrides
 
-| Variable | Description |
+Normal CLI, SDK, and production runtime setup uses `.securenow/credentials.json`.
+Old per-terminal CLI overrides still exist for operator troubleshooting, but
+they are not part of the SDK runtime configuration path.
+
+| Override | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | JWT token - overrides all file-based credentials |
-| `SECURENOW_API_URL` | Override the API base URL |
-| `SECURENOW_DEBUG` | Show stack traces on errors |
-| `NO_COLOR` | Disable colored output |
+| `SECURENOW_TOKEN` | Legacy CLI auth override for a single terminal session |
+| `SECURENOW_API_URL` | Legacy CLI API base override for testing |
+| `SECURENOW_DEBUG` | CLI stack traces while debugging |
+| `NO_COLOR` | Disable colored CLI output |
 
 ### Multi-Project Sessions
 
@@ -460,7 +464,7 @@ npx securenow login
 npx securenow whoami   # Shows auth source: project (.securenow/)
 ```
 
-For new automation, prefer project-local or runtime credentials files. `SECURENOW_TOKEN` remains a legacy fallback for per-terminal sessions.
+For new automation, use project-local or runtime credentials files.
 
 ### CI/CD Integration
 
@@ -566,7 +570,7 @@ npx securenow logs --json --level error | jq '.logs'
 
 ## Framework-Specific Setup
 
-> **v5.6.0+:** When `SECURENOW_LOGGING_ENABLED=1`, all `console.log`/`warn`/`error`/`info`/`debug` calls
+> **v5.6.0+:** When `config.logging.enabled` is `true`, all `console.log`/`warn`/`error`/`info`/`debug` calls
 > are **automatically** forwarded as OTLP log records. The separate `require('securenow/console-instrumentation')` is no longer needed (but still available for backward compat).
 
 ### Express.js
@@ -641,7 +645,7 @@ fastify.listen({ port: 3000 }, (err) => {
 });
 ```
 
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 
 ---
 
@@ -764,7 +768,7 @@ const init = async () => {
 init().catch((err) => { console.error(err); process.exit(1); });
 ```
 
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 
 ---
 
@@ -1061,10 +1065,10 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Framework | Traces | Logs | Body Capture | Firewall | Notes |
 |-----------|--------|------|--------------|----------|-------|
 | Express | Yes | Yes | Yes | Yes | Fully compatible |
-| Fastify | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Fastify | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | Koa | Yes | Yes | Yes | Yes | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | Yes | Use `-r ts-node/register` |
-| Hapi | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Hapi | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | h3 | Yes | Yes | Yes | Yes | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | Yes | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
@@ -1095,7 +1099,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
 
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
 
 On startup, you'll see:
 
@@ -1155,12 +1159,12 @@ node -r securenow/firewall-only app.js
 
 The firewall supports four layers -- Layer 1 is always on, the rest are opt-in:
 
-| Layer | Env Var | Description |
+| Layer | Credentials key | Description |
 |-------|---------|-------------|
 | **Layer 1: HTTP** | *(always on)* | Returns 403 Forbidden with a security alert page. Works with proxy headers. |
-| **Layer 2: TCP** | `SECURENOW_FIREWALL_TCP=1` | `socket.destroy()` -- zero bytes sent back |
-| **Layer 3: iptables** | `SECURENOW_FIREWALL_IPTABLES=1` | Kernel-level DROP (Linux, requires root) |
-| **Layer 4: Cloud WAF** | `SECURENOW_FIREWALL_CLOUD=cloudflare` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
+| **Layer 2: TCP** | `config.firewall.tcp=true` | `socket.destroy()` -- zero bytes sent back |
+| **Layer 3: iptables** | `config.firewall.iptables=true` | Kernel-level DROP (Linux, requires root) |
+| **Layer 4: Cloud WAF** | `config.firewall.cloud="cloudflare"` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
 
 ### Blocked Page
 
@@ -1192,8 +1196,8 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 
 | Field | Description | Default |
 |----------|-------------|---------|
-| `app.key` | SecureNow app routing UUID / OTel service name. | chosen during login |
-| `app.instance` | OTLP collector base URL. | `https://freetrial.securenow.ai:4318` |
+| `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
+| `app.name` | Human-readable app label. | selected during login |
 | `apiKey` | Scoped firewall key (`snk_live_...`). | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
@@ -1202,90 +1206,18 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | `config.firewall.enabled` | Local SDK firewall switch; dashboard toggle is per environment. | `true` |
 | `config.otel.*` | Optional custom endpoints, headers, and log level. | empty |
 
-Legacy env fallback aliases are listed below for existing installs only.
-
-### Legacy App Identity Fallbacks
-
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `SECURENOW_APPID` | Fallback for missing credentials `app.key`. Used as the app routing key/service name. | `<uuid>` |
-| `SECURENOW_INSTANCE` | Fallback for missing credentials `app.instance`. Base URL of your OTLP collector endpoint. | `https://freetrial.securenow.ai:4318` |
-
-### Optional Configuration
-
-#### Service Naming
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_SERVICE_NAME` | Fallback for missing `app.name`. Standard OpenTelemetry variable. | - |
-| `SECURENOW_NO_UUID` | Legacy fallback for `config.runtime.noUuid`. | `0` |
-| `SECURENOW_STRICT` | Legacy fallback for `config.runtime.strict`. | `0` |
-
-#### Connection Settings
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_EXPORTER_OTLP_ENDPOINT` | Fallback for `config.otel.endpoint`. | - |
-| `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` | Fallback for `config.otel.tracesEndpoint`. | `{instance}/v1/traces` |
-| `OTEL_EXPORTER_OTLP_LOGS_ENDPOINT` | Fallback for `config.otel.logsEndpoint`. | `{instance}/v1/logs` |
-| `OTEL_EXPORTER_OTLP_HEADERS` | Fallback for `config.otel.headers`. Format: `key1=value1,key2=value2` | - |
-
-#### Logging
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `0` to disable. | `1` |
-
-#### Request Body Capture
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_CAPTURE_BODY` | Capture request bodies in traces. Set to `0` to disable. | `1` |
-| `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
-| `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
-| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data metadata. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `0` to disable. | `1` |
+The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads
+all runtime settings from this JSON plus built-in defaults. Production should
+mount a tokenless runtime credentials file at `.securenow/credentials.json`.
+Legacy env fallback is disabled by default and exists only for old deployments
+that explicitly opt in with `SECURENOW_ENABLE_LEGACY_ENV=1`.
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
-#### Instrumentation Control
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated list of instrumentation packages to disable. | - |
-
-**Example:** `SECURENOW_DISABLE_INSTRUMENTATIONS=fs,dns` disables filesystem and DNS instrumentations.
-
-#### Firewall
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_API_KEY` | Legacy firewall key override. Prefer `apiKey` in `.securenow/credentials.json`. | from creds file |
-| `SECURENOW_API_URL` | SecureNow API base URL. Auto-detected for co-located deployments (falls back to `http://localhost:4000` on ECONNREFUSED). | `https://api.securenow.ai` |
-| `SECURENOW_FIREWALL_VERSION_INTERVAL` | Seconds between lightweight ETag checks. | `10` |
-| `SECURENOW_FIREWALL_SYNC_INTERVAL` | Safety-net full blocklist refresh interval in seconds. | `3600` |
-| `SECURENOW_FIREWALL_FAIL_MODE` | `open` (allow when unavailable) or `closed` (block all). | `open` |
-| `SECURENOW_FIREWALL_STATUS_CODE` | HTTP status code for blocked requests. | `403` |
-| `SECURENOW_FIREWALL_LOG` | Log blocked requests and sync events to console. Set to `0` to silence. | `1` |
-| `SECURENOW_FIREWALL_TCP` | Enable Layer 2 TCP blocking. | `0` |
-| `SECURENOW_FIREWALL_IPTABLES` | Enable Layer 3 iptables blocking. | `0` |
-| `SECURENOW_FIREWALL_CLOUD` | Cloud WAF provider: `cloudflare`, `aws`, or `gcp`. | - |
-| `SECURENOW_FIREWALL_CLOUD_DRY_RUN` | Log cloud pushes without applying changes. | `0` |
-| `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs. | - |
-
-Use `npx securenow help firewall` for complete details on all layers.
-
-#### Debugging
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_LOG_LEVEL` | OpenTelemetry diagnostic override. Options: `debug`, `info`, `warn`, `error`, `none`. Overrides `config.otel.logLevel` for emergency debugging. | `error` |
-| `SECURENOW_TEST_SPAN` | Set to `1` to emit a test span on startup. | `0` |
-
-#### Environment
-
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_ENVIRONMENT` / `SECURENOW_DEPLOYMENT_ENVIRONMENT` / `NODE_ENV` | Fallback for `config.runtime.deploymentEnvironment`. | `production` |
+For instrumentation, firewall layers, debugging, trusted proxies, and deployment
+environment, edit the matching `config.*` keys in `.securenow/credentials.json`.
+Use `npx securenow env --json` to inspect the resolved values and
+`npx securenow help firewall` for the firewall command reference.
 
 ---
 
@@ -1310,13 +1242,15 @@ SecureNow provides multiple entry points depending on your needs:
 
 ### Automatic Console Logging
 
-Since **v5.6.0**, when `SECURENOW_LOGGING_ENABLED=1`, all console calls are automatically forwarded as OTLP log records:
+Console log forwarding is enabled by default through
+`config.logging.enabled: true`; all console calls are automatically forwarded as
+OTLP log records:
 
 ```javascript
 // At the top of your main file
 require('securenow/register');
 
-// With SECURENOW_LOGGING_ENABLED=1, all console logs are automatically sent
+// With config.logging.enabled=true, all console logs are automatically sent
 console.log('Application started');
 console.info('User action', { userId: 123, action: 'login' });
 console.warn('Deprecation warning');
@@ -1331,10 +1265,7 @@ console.debug('Debug info');
 - `console.error()` -> ERROR
 - `console.debug()` -> DEBUG
 
-**Environment variable:**
-```bash
-SECURENOW_LOGGING_ENABLED=1
-```
+Logging is controlled by `config.logging.enabled` in `.securenow/credentials.json`.
 
 ### Direct Logger API
 
@@ -1377,13 +1308,20 @@ node -r securenow/register app.js
 
 ## Request Body Capture
 
-SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `SECURENOW_CAPTURE_BODY=0` only when you need a local opt-out.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `config.capture.body=false` in `.securenow/credentials.json` only when you need a local opt-out.
 
 ### Body Capture Defaults
 
-```bash
-export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
-# export SECURENOW_CAPTURE_BODY=0     # optional opt-out
+```json
+{
+  "config": {
+    "capture": {
+      "body": true,
+      "maxBodySize": 10240,
+      "multipart": true
+    }
+  }
+}
 ```
 
 ### Supported Content Types
@@ -1391,11 +1329,11 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-- `multipart/form-data` (metadata capture is on unless `SECURENOW_CAPTURE_MULTIPART=0`)
+- `multipart/form-data` (metadata capture is on unless `config.capture.multipart=false`)
 
 ### Multipart Body Capture (v5.8.0+)
 
-Multipart/form-data metadata capture is enabled by default. Set `SECURENOW_CAPTURE_MULTIPART=0` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
+Multipart/form-data metadata capture is enabled by default. Set `config.capture.multipart=false` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
 
 **What gets captured:**
 - **Text fields** -- field name and value (up to 1000 chars), with sensitive fields auto-redacted
@@ -1422,8 +1360,14 @@ All request bodies are automatically scanned and sensitive fields are redacted:
 
 **Add custom fields to redact:**
 
-```bash
-export SECURENOW_SENSITIVE_FIELDS="custom_secret,internal_token"
+```json
+{
+  "config": {
+    "capture": {
+      "sensitiveFields": ["custom_secret", "internal_token"]
+    }
+  }
+}
 ```
 
 ### Example
@@ -1874,10 +1818,10 @@ Do not hardcode configuration in code or deployment dashboards. Use `.securenow/
 
 ```javascript
 // Bad
-process.env.SECURENOW_APPID = 'hardcoded-value';
+const appKey = 'hardcoded-value';
 
 // Good: use .securenow/credentials.json
-// { "app": { "key": "my-app", "instance": "https://freetrial.securenow.ai:4318" } }
+// { "app": { "key": "my-app", "instance": "https://ingest.securenow.ai" } }
 ```
 
 ### 2. Use Structured Logging

package/README.md

@@ -45,7 +45,7 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
   "app": {
     "key": "<uuid>",
     "name": "my-backend",
-    "instance": "https://freetrial.securenow.ai:4318"
+    "instance": "https://ingest.securenow.ai"
   },
   "config": {
     "runtime": { "deploymentEnvironment": "local" },
@@ -181,7 +181,7 @@ Resolution order:
 4. Global named runtime credentials in the same fixed order
 5. `package.json#name` (label only)
 
-Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
+SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
 
 ---
 
@@ -244,8 +244,8 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 
 | Field | Default | Purpose |
 |---|---|---|
-| `app.key` | selected during login | App routing UUID, sent as OTel `service.name` |
-| `app.instance` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
+| `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
+| `app.name` | selected during login | Human-readable label for CLI and dashboard output |
 | `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
@@ -256,25 +256,20 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
 | `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
 
-Legacy env fallback aliases:
+The credentials file is versioned with `_securenow.schemaVersion`, so future SDK
+versions can migrate defaults without asking customers to manage env vars. For
+production, generate a tokenless runtime file:
 
-| Variable | Default | Purpose |
-|---|---|---|
-| `SECURENOW_APPID` | from credentials file | App routing key (UUID), sent as OTel `service.name` |
-| `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
-| `SECURENOW_API_KEY` | from credentials file | Scoped firewall API key (`snk_live_...`) |
-| `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
-| `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
-| `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
-| `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | - | Comma-separated OTel instrumentations to disable. |
-| `SECURENOW_NO_UUID` | `0` | Don't append a UUID to `service.instance.id`. |
-| `SECURENOW_STRICT` | `0` | Exit with code 1 if `SECURENOW_APPID` is missing in a PM2 cluster. |
-| `OTEL_EXPORTER_OTLP_HEADERS` | - | Raw OTLP headers (e.g. `x-api-key=...`). |
-| `OTEL_LOG_LEVEL` | - | `debug`/`info`/`warn`/`error`. |
-
-New installs should use `.securenow/credentials.json`; environment variables remain legacy fallbacks for existing deployments.
+```bash
+npx securenow credentials runtime --env production
+```
+
+Mount or copy that JSON as `.securenow/credentials.json` in the deployed app.
+New runtime credentials do not include a per-instance collector URL; the SDK
+uses `https://ingest.securenow.ai` by default and the gateway routes by
+`app.key`.
+Legacy env fallback exists only for old deployments that explicitly opt in with
+`SECURENOW_ENABLE_LEGACY_ENV=1`; new installs should not use it.
 
 ---
 
@@ -289,7 +284,7 @@ PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 ### Other
 HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
 
-> MongoDB instrumentation is opt-in (`SECURENOW_ENABLE_MONGODB_INSTRUMENTATION=1`) because older versions corrupted cursors on `mongodb@6.6+`. Safe again since SDK v6.0.2.
+> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/credentials.json`.
 
 ---
 
@@ -431,7 +426,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env vars are fallback-only for older installs and do not choose the credentials filename.
+Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
 
 Override the dashboard API with `securenow config set apiUrl <url>`.