securenow 7.7.14 → 7.7.15

package/cli/auth.js

@@ -75,7 +75,6 @@ async function loginWithBrowser() {
         const returnedState = url.searchParams.get('state');
         const appKey = url.searchParams.get('app_key');
         const appName = url.searchParams.get('app_name');
-        const appInstance = url.searchParams.get('app_instance');
         const apiKey = url.searchParams.get('api_key');
 
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
@@ -96,11 +95,10 @@ async function loginWithBrowser() {
 
         if (token) {
           pendingToken = token;
-          if (appKey || appName || appInstance) {
+          if (appKey || appName) {
             pendingApp = {
               key: appKey || null,
               name: appName || null,
-              instance: appInstance || null,
             };
           }
           if (apiKey && apiKey.startsWith('snk_live_')) {

package/cli/config.js

@@ -153,11 +153,10 @@ function getToken() {
 function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
   const targetFile = credentialsFileForLocal(local);
   const payload = { ...loadJSON(targetFile), token, email, expiresAt };
-  if (app && (app.key || app.name || app.instance)) {
+  if (app && (app.key || app.name)) {
     payload.app = {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     };
   }
   saveJSON(
@@ -201,23 +200,52 @@ function setApp(app, { local } = {}) {
     app: {
       key: app.key || null,
       name: app.name || null,
-      instance: app.instance || null,
     },
   }) || {});
 }
 
 function ensureLocalGitignore() {
   const gitignorePath = path.join(process.cwd(), '.gitignore');
-  const entry = '.securenow/';
+  const legacyEntry = '.securenow/';
+  const entries = [
+    '.securenow/credentials.json',
+    '.securenow/credentials.*.json',
+    '!.securenow/credentials.example.json',
+    '!.securenow/credentials.*.example.json',
+  ];
   try {
+    let content = '';
     if (fs.existsSync(gitignorePath)) {
-      const content = fs.readFileSync(gitignorePath, 'utf8');
-      if (!content.split('\n').some(line => line.trim() === entry)) {
-        fs.appendFileSync(gitignorePath, `\n# SecureNow local credentials\n${entry}\n`);
+      content = fs.readFileSync(gitignorePath, 'utf8');
+    }
+
+    const lines = content ? content.split(/\r?\n/) : [];
+    let replacedLegacyEntry = false;
+    const nextLines = [];
+
+    for (const line of lines) {
+      if (line.trim() === legacyEntry) {
+        if (!replacedLegacyEntry) {
+          nextLines.push(...entries);
+          replacedLegacyEntry = true;
+        }
+        continue;
       }
-    } else {
-      fs.writeFileSync(gitignorePath, `# SecureNow local credentials\n${entry}\n`);
+      nextLines.push(line);
+    }
+
+    const hasLine = (entry) => nextLines.some(line => line.trim() === entry);
+    const missing = entries.filter(entry => !hasLine(entry));
+    if (!replacedLegacyEntry && missing.length === 0) return;
+
+    let nextContent = nextLines.join('\n').replace(/\s*$/, '');
+
+    if (missing.length > 0) {
+      const block = ['# SecureNow local credential files', '# Keep .securenow/ itself trackable for repo-owned docs/templates.', ...missing].join('\n');
+      nextContent = nextContent ? `${nextContent}\n\n${block}` : block;
     }
+
+    fs.writeFileSync(gitignorePath, `${nextContent}\n`);
   } catch {}
 }
 

package/cli/credentials.js

@@ -25,7 +25,6 @@ function buildRuntimeCredentials(options = {}) {
     app: {
       key: creds.app?.key || null,
       name: creds.app?.name || null,
-      instance: creds.app?.instance || appConfig.FREE_TRIAL_INSTANCE,
     },
     config: {
       ...(creds.config || {}),
@@ -41,6 +40,7 @@ function buildRuntimeCredentials(options = {}) {
     _securenow: {
       ...(creds._securenow || {}),
       note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
+      routing: 'Telemetry is sent to the default SecureNow ingestion gateway. The gateway routes by app.key, so runtime credentials do not expose per-instance collector URLs.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',
     },

package/cli/diagnostics.js

@@ -36,10 +36,10 @@ function resolvedConfig(options = {}) {
     apiKey,
     firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
-    loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
-    captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
-    captureMultipart: appConfig.boolEnv('SECURENOW_CAPTURE_MULTIPART', true),
-    otelLogLevel: (process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : appConfig.env('OTEL_LOG_LEVEL')) || 'error',
+    loggingEnabled: appConfig.boolConfig('logging.enabled', true),
+    captureBody: appConfig.boolConfig('capture.body', true),
+    captureMultipart: appConfig.boolConfig('capture.multipart', true),
+    otelLogLevel: appConfig.configValue('otel.logLevel', 'error') || 'error',
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
@@ -467,8 +467,12 @@ async function doctor(_args, flags) {
   if (!cfg.appKey) {
     warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
   }
-  if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
-    warnings.push('Using the free-trial collector. For production, set app.instance in .securenow/credentials.json.');
+  if (cfg.instance === 'https://ingest.securenow.ai') {
+    warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
+  } else if (cfg.instance === 'https://api.securenow.ai/api/otlp') {
+    warnings.push('Using the legacy SecureNow telemetry gateway path. Regenerate credentials so telemetry uses https://ingest.securenow.ai.');
+  } else if (cfg.instance === 'https://freetrial.securenow.ai:4318') {
+    warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
     warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');

package/cli/init.js

@@ -234,6 +234,7 @@ function printAgentPrompt(kind, filename, major, project) {
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
     'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
+    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/free-trial-banner.js

@@ -7,10 +7,10 @@
  * Opt-out: set config.runtime.hideBanner=true in .securenow/credentials.json
  */
 
-const FREETRIAL_HOST = 'freetrial.securenow.ai';
+const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
 
 function isFreeTrial(endpointBase) {
-  return !!endpointBase && endpointBase.includes(FREETRIAL_HOST);
+  return !!endpointBase && FREE_TRIAL_HOSTS.some((host) => endpointBase.includes(host));
 }
 
 /* istanbul ignore next — runs in browser, not Node */

package/mcp/catalog.js

@@ -17,7 +17,7 @@ Primary goals:
 
 Safety rules:
 - Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
-- Do not commit secrets. Ensure .securenow/ is in .gitignore.
+- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -42,7 +42,7 @@ Runbook:
    - Confirm .securenow/credentials.json exists.
    - Confirm it has SecureNow's default config/explanations block.
    - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
-   - Confirm .securenow/ is ignored by git.
+   - Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
 6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.

package/nextjs.d.ts

@@ -1,8 +1,8 @@
-/**
- * SecureNow Next.js Integration TypeScript Declarations
- */
-
-export interface RegisterOptions {
+/**
+ * SecureNow Next.js Integration TypeScript Declarations
+ */
+
+export interface RegisterOptions {
   /**
    * Service name for OpenTelemetry traces
    * @default .securenow/credentials.json app.key/app.name
@@ -11,7 +11,11 @@ export interface RegisterOptions {
 
   /**
    * OTLP endpoint for traces
-   * @default .securenow/credentials.json app.instance, or https://freetrial.securenow.ai:4318
+   * @default https://ingest.securenow.ai
+   *
+   * Advanced OTLP endpoint override. Normal SecureNow apps should leave this
+   * unset so the ingest gateway can route by app.key to the dashboard-selected
+   * instance.
    */
   endpoint?: string;
 
@@ -20,26 +24,26 @@ export interface RegisterOptions {
    * @default .securenow/credentials.json config.runtime.deploymentEnvironment
    */
   environment?: string;
-
-  /**
-   * Don't append UUID to service name
-   * @default false
-   */
-  noUuid?: boolean;
-
+
+  /**
+   * Don't append UUID to service name
+   * @default false
+   */
+  noUuid?: boolean;
+
    /**
    * Enable request body capture
    * @default true from .securenow/credentials.json secure defaults
    */
   captureBody?: boolean;
 }
-
-/**
- * Register SecureNow OpenTelemetry instrumentation for Next.js
- * 
- * @param options - Optional configuration options
- * 
- * @example
+
+/**
+ * Register SecureNow OpenTelemetry instrumentation for Next.js
+ * 
+ * @param options - Optional configuration options
+ * 
+ * @example
  * ```typescript
  * // instrumentation.ts
  * import { createRequire } from 'node:module';
@@ -53,46 +57,46 @@ export interface RegisterOptions {
  *   require('securenow/nextjs-auto-capture');
  * }
  * ```
- * 
- * @example
- * ```typescript
- * // With custom options
- * import { registerSecureNow } from 'securenow/nextjs';
- * 
- * export function register() {
- *   registerSecureNow({
- *     serviceName: 'my-nextjs-app',
- *     endpoint: 'http://your-otlp-backend.example.com:4318',
- *     noUuid: true,
- *   });
- * }
- * ```
- */
-export function registerSecureNow(options?: RegisterOptions): void;
-
-/**
- * Default sensitive fields that are automatically redacted from traces
- */
-export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
-
-/**
- * Redact sensitive fields from an object
- * @param obj - Object to redact
- * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
- * @returns Redacted copy of the object
- */
-export function redactSensitiveData<T = any>(
-  obj: T,
-  sensitiveFields?: string[]
-): T;
-
-/**
- * Redact sensitive data from GraphQL query strings
- * @param query - GraphQL query string
- * @param sensitiveFields - Array of field names to redact
- * @returns Redacted query string
- */
-export function redactGraphQLQuery(
-  query: string,
-  sensitiveFields?: string[]
-): string;
+ * 
+ * @example
+ * ```typescript
+ * // With custom options
+ * import { registerSecureNow } from 'securenow/nextjs';
+ * 
+ * export function register() {
+ *   registerSecureNow({
+ *     serviceName: 'my-nextjs-app',
+ *     endpoint: 'http://your-otlp-backend.example.com:4318',
+ *     noUuid: true,
+ *   });
+ * }
+ * ```
+ */
+export function registerSecureNow(options?: RegisterOptions): void;
+
+/**
+ * Default sensitive fields that are automatically redacted from traces
+ */
+export const DEFAULT_SENSITIVE_FIELDS: readonly string[];
+
+/**
+ * Redact sensitive fields from an object
+ * @param obj - Object to redact
+ * @param sensitiveFields - Array of field names to redact (case-insensitive substring match)
+ * @returns Redacted copy of the object
+ */
+export function redactSensitiveData<T = any>(
+  obj: T,
+  sensitiveFields?: string[]
+): T;
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ * @param query - GraphQL query string
+ * @param sensitiveFields - Array of field names to redact
+ * @returns Redacted query string
+ */
+export function redactGraphQLQuery(
+  query: string,
+  sensitiveFields?: string[]
+): string;

package/nextjs.js

@@ -35,8 +35,6 @@ const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
 
-const env = appConfig.env;
-
 let isRegistered = false;
 
 function requireRuntimeModule(name) {
@@ -126,7 +124,7 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
  * @param {string} options.serviceName - Service name (defaults to .securenow/credentials.json app.key/app.name)
- * @param {string} options.endpoint - Traces endpoint (defaults to .securenow/credentials.json app.instance)
+ * @param {string} options.endpoint - Advanced OTLP endpoint override (defaults to the SecureNow ingest gateway)
  * @param {string} options.environment - deployment.environment override (defaults to config.runtime.deploymentEnvironment)
  * @param {boolean} options.noUuid - Don't append UUID to service name
  */
@@ -144,24 +142,26 @@ function registerSecureNow(options = {}) {
   }
 
   // Detect environment outside try block for error handling
-  const isVercel = !!(env('VERCEL') || env('VERCEL_ENV') || env('VERCEL_URL'));
+  const isVercel = !!(process.env.VERCEL || process.env.VERCEL_ENV || process.env.VERCEL_URL);
   let deploymentEnvironment = appConfig.resolveDeploymentEnvironment();
 
   try {
     console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
 
     // -------- Configuration --------
-    // Resolution order: explicit options -> .securenow/credentials.json -> legacy env fallback -> package.json#name
+    // Resolution order: explicit options -> .securenow/credentials.json -> package.json#name.
+    // Telemetry goes to the stable ingest gateway by default; the API gateway
+    // routes by app.key to the dashboard-selected instance.
     const resolvedApp = appConfig.resolveAll();
 
     const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
     const baseName = rawBase || null;
     // Default: auto-disable suffix when logged in (appId is the routing UUID
-    // and the dashboard does exact match). opts.noUuid or SECURENOW_NO_UUID
-    // override.
+    // and the dashboard does exact match). opts.noUuid or config.runtime.noUuid
+    // can still override.
     const noUuid = appConfig.resolveNoUuid({ noUuid: options.noUuid });
     deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
-      options.environment || resolvedApp.deploymentEnvironment || env('VERCEL_ENV')
+      options.environment || resolvedApp.deploymentEnvironment
     );
 
     // service.name
@@ -170,7 +170,7 @@ function registerSecureNow(options = {}) {
       serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
     } else {
       serviceName = `nextjs-app-${randomUUID()}`;
-      console.warn('[securenow] ⚠️  No app identity resolved. Using fallback: %s', serviceName);
+      console.warn('[securenow] No app identity resolved. Using fallback: %s', serviceName);
       console.warn('[securenow] Run `npx securenow login` and `npx securenow init` to write .securenow/credentials.json');
     }
 
@@ -180,24 +180,30 @@ function registerSecureNow(options = {}) {
     const tracesUrl = resolvedEndpoints.tracesUrl;
     const logsUrl = resolvedEndpoints.logsUrl;
     const headers = resolvedEndpoints.headers;
+    const otelLogLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
+    const isDevelopmentRuntime = process.env.NODE_ENV === 'development';
 
-    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
-    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    // @vercel/otel still reads OTel process variables internally. These are
+    // derived from credentials JSON; customers do not set them.
+    if (isVercel) {
+      if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+      if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+      if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    }
 
     console.log('[securenow] Next.js App -> service.name=%s', serviceName);
     console.log('[securenow] Environment: %s', deploymentEnvironment);
 
     // -------- Body Capture Configuration --------
     // Opt-out default: set config.capture.body=false (or options.captureBody=false) to disable.
-    const captureBody = options.captureBody ?? !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const captureBody = options.captureBody ?? appConfig.boolConfig('capture.body', true);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
     // -------- Log environment detection --------
     if (!isVercel) {
-      console.log('[securenow] 🖥️  Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
+      console.log('[securenow] Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
     }
 
     // -------- Use different initialization based on environment --------
@@ -331,8 +337,8 @@ function registerSecureNow(options = {}) {
           }
 
           // Debug log in development
-          if (env('NODE_ENV') === 'development' || env('OTEL_LOG_LEVEL') === 'debug') {
-            console.log('[securenow] 📡 Captured IP: %s (from: %s)', 
+          if (isDevelopmentRuntime || otelLogLevel === 'debug') {
+            console.log('[securenow] Captured IP: %s (from: %s)',
               primaryIp, 
               ipDetails.source || 'unknown'
             );
@@ -345,8 +351,8 @@ function registerSecureNow(options = {}) {
           
         } catch (error) {
           // Silently fail to not break the request
-          if (env('OTEL_LOG_LEVEL') === 'debug') {
-            console.error('[securenow] ⚠️  Error in requestHook:', error.message);
+          if (otelLogLevel === 'debug') {
+            console.error('[securenow] Error in requestHook:', error.message);
           }
         }
       },
@@ -383,7 +389,7 @@ function registerSecureNow(options = {}) {
       return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
         || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
     }
-    const _diagDebug = (env('OTEL_LOG_LEVEL') || '').toLowerCase() === 'debug';
+    const _diagDebug = otelLogLevel === 'debug';
     process.on('uncaughtException', (err, origin) => {
       if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
         if (_diagDebug) {
@@ -455,11 +461,11 @@ function registerSecureNow(options = {}) {
       });
       
       sdk.start();
-      console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
+      console.log('[securenow] Vanilla SDK initialized for self-hosted environment');
 
       // -------- Logging (self-hosted only) --------
       // Opt-out default: set config.logging.enabled=false to disable.
-      const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
+      const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
       if (loggingEnabled) {
         try {
           const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
@@ -511,7 +517,7 @@ function registerSecureNow(options = {}) {
             _emitLog(SeverityNumber.ERROR, 'ERROR', args);
           };
 
-          console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+          console.log('[securenow] Logging: ENABLED -> %s', logsUrl);
 
           // Auto-log every incoming HTTP request/response
           try {
@@ -559,51 +565,51 @@ function registerSecureNow(options = {}) {
               }
               return originalEmit.apply(this, arguments);
             };
-            console.log('[securenow] 📋 HTTP request logging: ENABLED');
+            console.log('[securenow] HTTP request logging: ENABLED');
           } catch (_) {}
 
           // Graceful shutdown for logs
           process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
           process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
         } catch (e) {
-          console.warn('[securenow] ⚠️  Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
+          console.warn('[securenow] Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
         }
       } else {
-        console.log('[securenow] 📋 Logging: DISABLED (SECURENOW_LOGGING_ENABLED=0)');
+        console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
       }
     }
 
     isRegistered = true;
 
-    // Free trial banner (optional — may not be bundled in standalone builds)
+    // Free trial banner (optional - may not be bundled in standalone builds)
     try {
       const { isFreeTrial, patchHttpForBanner } = requireRuntimeModule('./free-trial-banner');
-      if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+      if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
         patchHttpForBanner();
       }
     } catch (_) {}
 
-    console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
-    console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
-    console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');
-    console.log('[securenow]    • User-Agent, Referer, Origin, Accept headers');
-    console.log('[securenow]    • Protocol, Host, Port (proxy-aware)');
-    console.log('[securenow]    • Geographic data (Vercel/Cloudflare)');
-    console.log('[securenow]    • Request IDs, CSRF tokens, Auth presence');
-    console.log('[securenow]    • Response status, content-type, content-length');
-    console.log('[securenow] ⚠️  Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
+    console.log('[securenow] OpenTelemetry started for Next.js -> %s', tracesUrl);
+    console.log('[securenow] Auto-capturing comprehensive request metadata:');
+    console.log('[securenow]    - IP addresses (x-forwarded-for, x-real-ip, socket)');
+    console.log('[securenow]    - User-Agent, Referer, Origin, Accept headers');
+    console.log('[securenow]    - Protocol, Host, Port (proxy-aware)');
+    console.log('[securenow]    - Geographic data (Vercel/Cloudflare)');
+    console.log('[securenow]    - Request IDs, CSRF tokens, Auth presence');
+    console.log('[securenow]    - Response status, content-type, content-length');
+    console.log('[securenow] Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
     if (captureBody) {
-      console.log('[securenow] 💡 For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
+      console.log('[securenow] For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
     }
 
     // Optional test span
-    if (String(env('SECURENOW_TEST_SPAN')) === '1') {
+    if (appConfig.boolConfig('runtime.testSpan', false)) {
       const api = require('@opentelemetry/api');
       const tracer = api.trace.getTracer('securenow-nextjs');
       const span = tracer.startSpan('securenow.nextjs.startup');
       span.setAttribute('next.runtime', process.env.NEXT_RUNTIME || 'nodejs');
       span.end();
-      console.log('[securenow] 🧪 Test span created');
+      console.log('[securenow] Test span created');
     }
 
   } catch (error) {
@@ -615,7 +621,7 @@ function registerSecureNow(options = {}) {
     }
   }
 
-  // Firewall — runs independently from OTel so it works even if tracing fails.
+  // Firewall - runs independently from OTel so it works even if tracing fails.
   // Key and environment come from .securenow/credentials.json (written by
   // login/init or credentials runtime), so no .env entry is needed.
   const firewallOptions = appConfig.resolveFirewallOptions();

package/nuxt-server-plugin.mjs

@@ -26,8 +26,6 @@ const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
 
 // ── Helpers ──
 
-const env = appConfig.env;
-
 function createResource(attributes) {
   if (typeof otelResources.resourceFromAttributes === 'function') {
     return otelResources.resourceFromAttributes(attributes);
@@ -74,7 +72,7 @@ function getRuntimeOptions() {
 export default defineNitroPlugin(async (nitroApp) => {
   const opts = getRuntimeOptions();
 
-  // Resolution order: opts -> .securenow/credentials.json -> legacy env fallback -> package.json#name
+  // Resolution order: opts -> .securenow/credentials.json -> package.json#name
   const resolvedApp = appConfig.resolveAll();
 
   // ── Naming ──
@@ -125,12 +123,9 @@ export default defineNitroPlugin(async (nitroApp) => {
   // Opt-out default: set config.capture.body=false (or opts.captureBody=false) to disable.
   const captureBody =
     opts.captureBody ??
-    !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
-  const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-  const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '')
-    .split(',')
-    .map((s) => s.trim())
-    .filter(Boolean);
+    appConfig.boolConfig('capture.body', true);
+  const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+  const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
   const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
   // ── HTTP instrumentation ──
@@ -238,7 +233,7 @@ export default defineNitroPlugin(async (nitroApp) => {
   // Opt-out default: set config.logging.enabled=false (or opts.logging=false) to disable.
   const loggingEnabled =
     opts.logging ??
-    !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
+    appConfig.boolConfig('logging.enabled', true);
 
   let loggerProvider = null;
 
@@ -314,7 +309,7 @@ export default defineNitroPlugin(async (nitroApp) => {
   // ── Free trial banner ──
   try {
     const { isFreeTrial, patchHttpForBanner } = await import('./free-trial-banner.js');
-    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
       patchHttpForBanner();
     }
   } catch {