npm - securenow - Versions diffs - 7.7.14 → 7.7.16 - Mend

securenow 7.7.14 → 7.7.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/NPM_README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# SecureNow - Complete OpenTelemetry Observability for Node.js
+# SecureNow - Complete OpenTelemetry Observability for Node.js
 OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt applications. Send distributed traces and logs to any OTLP-compatible observability backend.
@@ -86,7 +86,7 @@ This detects your framework and:
 #### Configure Locally
-Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, collector URL, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 #### Run Your Application
@@ -127,7 +127,7 @@ const app = express();
 You'll see confirmation in the console:
 ```
-[securenow] OTel SDK started -> http://your-otlp-collector:4318/v1/traces
+[securenow] OTel SDK started -> https://ingest.securenow.ai/v1/traces
 [securenow] Firewall: ENABLED
 [securenow] Firewall: synced 142 blocked IPs (138 exact + 4 CIDR ranges)
 ```
@@ -138,7 +138,7 @@ You'll see confirmation in the console:
 The `securenow` CLI gives you full access to the SecureNow platform from the terminal -- no browser required for day-to-day workflows. Zero additional dependencies.
-**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, `SECURENOW_TEST_SPAN` -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
+**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, startup smoke spans -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
 ### Getting Started
@@ -374,7 +374,7 @@ npx securenow test-span
 npx securenow test-span "ci.smoke-test"          # custom span name
 ```
-Both commands use the resolved `SECURENOW_INSTANCE` / `OTEL_EXPORTER_OTLP_*` endpoints and honor `OTEL_EXPORTER_OTLP_HEADERS` for API-key auth. Non-zero exit on HTTP errors so CI/cron can detect failures.
+Both commands use the resolved credentials JSON endpoints and headers. Non-zero exit on HTTP errors so CI/cron can detect failures.
 ### Utilities -- Redaction, CIDR, Diagnostics
@@ -434,14 +434,18 @@ Every command supports these flags:
 | `--help` | | Show help for the command |
 | `--app <key>` | | Override the default application key |
-### Environment Variables
+### Legacy CLI Overrides
-| Variable | Description |
+Normal CLI, SDK, and production runtime setup uses `.securenow/credentials.json`.
+Old per-terminal CLI overrides still exist for operator troubleshooting, but
+they are not part of the SDK runtime configuration path.
+| Override | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | JWT token - overrides all file-based credentials |
-| `SECURENOW_API_URL` | Override the API base URL |
-| `SECURENOW_DEBUG` | Show stack traces on errors |
-| `NO_COLOR` | Disable colored output |
+| `SECURENOW_TOKEN` | Legacy CLI auth override for a single terminal session |
+| `SECURENOW_API_URL` | Legacy CLI API base override for testing |
+| `SECURENOW_DEBUG` | CLI stack traces while debugging |
+| `NO_COLOR` | Disable colored CLI output |
 ### Multi-Project Sessions
@@ -460,7 +464,7 @@ npx securenow login
 npx securenow whoami   # Shows auth source: project (.securenow/)
 ```
-For new automation, prefer project-local or runtime credentials files. `SECURENOW_TOKEN` remains a legacy fallback for per-terminal sessions.
+For new automation, use project-local or runtime credentials files.
 ### CI/CD Integration
@@ -566,7 +570,7 @@ npx securenow logs --json --level error | jq '.logs'
 ## Framework-Specific Setup
-> **v5.6.0+:** When `SECURENOW_LOGGING_ENABLED=1`, all `console.log`/`warn`/`error`/`info`/`debug` calls
+> **v5.6.0+:** When `config.logging.enabled` is `true`, all `console.log`/`warn`/`error`/`info`/`debug` calls
 > are **automatically** forwarded as OTLP log records. The separate `require('securenow/console-instrumentation')` is no longer needed (but still available for backward compat).
 ### Express.js
@@ -641,7 +645,7 @@ fastify.listen({ port: 3000 }, (err) => {
 });
 ```
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Fastify version or plugin stack reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 ---
@@ -764,7 +768,7 @@ const init = async () => {
 init().catch((err) => { console.error(err); process.exit(1); });
 ```
-> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `SECURENOW_CAPTURE_BODY=0` as a local override.
+> **Default:** Traces, logs, POST body capture, multipart metadata capture, and firewall protection are on. If a specific Hapi version or payload plugin reports request-stream conflicts, set `config.capture.body=false` in credentials as a local override.
 ---
@@ -1061,10 +1065,10 @@ The Nuxt server plugin (v5.13.0+) initializes the firewall independently from Op
 | Framework | Traces | Logs | Body Capture | Firewall | Notes |
 |-----------|--------|------|--------------|----------|-------|
 | Express | Yes | Yes | Yes | Yes | Fully compatible |
-| Fastify | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Fastify | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | Koa | Yes | Yes | Yes | Yes | Needs `koa-bodyparser` |
 | NestJS | Yes | Yes | Yes | Yes | Use `-r ts-node/register` |
-| Hapi | Yes | Yes | Yes | Yes | Default on; use `SECURENOW_CAPTURE_BODY=0` only for local stream conflicts |
+| Hapi | Yes | Yes | Yes | Yes | Default on; use `config.capture.body=false` only for local stream conflicts |
 | h3 | Yes | Yes | Yes | Yes | Uses `toNodeListener()` |
 | Polka | Yes | Yes | Yes | Yes | Needs manual body parser |
 | Micro/HTTP | Yes | Yes | Yes | Yes | Full control |
@@ -1095,7 +1099,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order. Legacy `SECURENOW_API_KEY` overrides still work for existing deployments.
+The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
 On startup, you'll see:
@@ -1155,12 +1159,12 @@ node -r securenow/firewall-only app.js
 The firewall supports four layers -- Layer 1 is always on, the rest are opt-in:
-| Layer | Env Var | Description |
+| Layer | Credentials key | Description |
 |-------|---------|-------------|
 | **Layer 1: HTTP** | *(always on)* | Returns 403 Forbidden with a security alert page. Works with proxy headers. |
-| **Layer 2: TCP** | `SECURENOW_FIREWALL_TCP=1` | `socket.destroy()` -- zero bytes sent back |
-| **Layer 3: iptables** | `SECURENOW_FIREWALL_IPTABLES=1` | Kernel-level DROP (Linux, requires root) |
-| **Layer 4: Cloud WAF** | `SECURENOW_FIREWALL_CLOUD=cloudflare` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
+| **Layer 2: TCP** | `config.firewall.tcp=true` | `socket.destroy()` -- zero bytes sent back |
+| **Layer 3: iptables** | `config.firewall.iptables=true` | Kernel-level DROP (Linux, requires root) |
+| **Layer 4: Cloud WAF** | `config.firewall.cloud="cloudflare"` | Pushes to Cloudflare, AWS WAF, or GCP Cloud Armor |
 ### Blocked Page
@@ -1192,8 +1196,8 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | Field | Description | Default |
 |----------|-------------|---------|
-| `app.key` | SecureNow app routing UUID / OTel service name. | chosen during login |
-| `app.instance` | OTLP collector base URL. | `https://freetrial.securenow.ai:4318` |
+| `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
+| `app.name` | Human-readable app label. | selected during login |
 | `apiKey` | Scoped firewall key (`snk_live_...`). | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
@@ -1202,90 +1206,18 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | `config.firewall.enabled` | Local SDK firewall switch; dashboard toggle is per environment. | `true` |
 | `config.otel.*` | Optional custom endpoints, headers, and log level. | empty |
-Legacy env fallback aliases are listed below for existing installs only.
-### Legacy App Identity Fallbacks
-| Variable | Description | Example |
-|----------|-------------|---------|
-| `SECURENOW_APPID` | Fallback for missing credentials `app.key`. Used as the app routing key/service name. | `<uuid>` |
-| `SECURENOW_INSTANCE` | Fallback for missing credentials `app.instance`. Base URL of your OTLP collector endpoint. | `https://freetrial.securenow.ai:4318` |
-### Optional Configuration
-#### Service Naming
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_SERVICE_NAME` | Fallback for missing `app.name`. Standard OpenTelemetry variable. | - |
-| `SECURENOW_NO_UUID` | Legacy fallback for `config.runtime.noUuid`. | `0` |
-| `SECURENOW_STRICT` | Legacy fallback for `config.runtime.strict`. | `0` |
-#### Connection Settings
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_EXPORTER_OTLP_ENDPOINT` | Fallback for `config.otel.endpoint`. | - |
-| `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT` | Fallback for `config.otel.tracesEndpoint`. | `{instance}/v1/traces` |
-| `OTEL_EXPORTER_OTLP_LOGS_ENDPOINT` | Fallback for `config.otel.logsEndpoint`. | `{instance}/v1/logs` |
-| `OTEL_EXPORTER_OTLP_HEADERS` | Fallback for `config.otel.headers`. Format: `key1=value1,key2=value2` | - |
-#### Logging
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_LOGGING_ENABLED` | Enable automatic logging to OTLP backend. Set to `0` to disable. | `1` |
-#### Request Body Capture
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_CAPTURE_BODY` | Capture request bodies in traces. Set to `0` to disable. | `1` |
-| `SECURENOW_MAX_BODY_SIZE` | Maximum body size to capture in bytes. Bodies larger than this are truncated. | `10240` (10KB) |
-| `SECURENOW_SENSITIVE_FIELDS` | Comma-separated list of additional field names to redact. | - |
-| `SECURENOW_CAPTURE_MULTIPART` | Capture multipart/form-data metadata. Streams through the request to extract text field values and file metadata (name, filename, content-type, size) without buffering file content. Set to `0` to disable. | `1` |
+The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads
+all runtime settings from this JSON plus built-in defaults. Production should
+mount a tokenless runtime credentials file at `.securenow/credentials.json`.
+Legacy env fallback is disabled by default and exists only for old deployments
+that explicitly opt in with `SECURENOW_ENABLE_LEGACY_ENV=1`.
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
-#### Instrumentation Control
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated list of instrumentation packages to disable. | - |
-**Example:** `SECURENOW_DISABLE_INSTRUMENTATIONS=fs,dns` disables filesystem and DNS instrumentations.
-#### Firewall
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_API_KEY` | Legacy firewall key override. Prefer `apiKey` in `.securenow/credentials.json`. | from creds file |
-| `SECURENOW_API_URL` | SecureNow API base URL. Auto-detected for co-located deployments (falls back to `http://localhost:4000` on ECONNREFUSED). | `https://api.securenow.ai` |
-| `SECURENOW_FIREWALL_VERSION_INTERVAL` | Seconds between lightweight ETag checks. | `10` |
-| `SECURENOW_FIREWALL_SYNC_INTERVAL` | Safety-net full blocklist refresh interval in seconds. | `3600` |
-| `SECURENOW_FIREWALL_FAIL_MODE` | `open` (allow when unavailable) or `closed` (block all). | `open` |
-| `SECURENOW_FIREWALL_STATUS_CODE` | HTTP status code for blocked requests. | `403` |
-| `SECURENOW_FIREWALL_LOG` | Log blocked requests and sync events to console. Set to `0` to silence. | `1` |
-| `SECURENOW_FIREWALL_TCP` | Enable Layer 2 TCP blocking. | `0` |
-| `SECURENOW_FIREWALL_IPTABLES` | Enable Layer 3 iptables blocking. | `0` |
-| `SECURENOW_FIREWALL_CLOUD` | Cloud WAF provider: `cloudflare`, `aws`, or `gcp`. | - |
-| `SECURENOW_FIREWALL_CLOUD_DRY_RUN` | Log cloud pushes without applying changes. | `0` |
-| `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs. | - |
-Use `npx securenow help firewall` for complete details on all layers.
-#### Debugging
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `OTEL_LOG_LEVEL` | OpenTelemetry diagnostic override. Options: `debug`, `info`, `warn`, `error`, `none`. Overrides `config.otel.logLevel` for emergency debugging. | `error` |
-| `SECURENOW_TEST_SPAN` | Set to `1` to emit a test span on startup. | `0` |
-#### Environment
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `SECURENOW_ENVIRONMENT` / `SECURENOW_DEPLOYMENT_ENVIRONMENT` / `NODE_ENV` | Fallback for `config.runtime.deploymentEnvironment`. | `production` |
+For instrumentation, firewall layers, debugging, trusted proxies, and deployment
+environment, edit the matching `config.*` keys in `.securenow/credentials.json`.
+Use `npx securenow env --json` to inspect the resolved values and
+`npx securenow help firewall` for the firewall command reference.
 ---
@@ -1310,13 +1242,15 @@ SecureNow provides multiple entry points depending on your needs:
 ### Automatic Console Logging
-Since **v5.6.0**, when `SECURENOW_LOGGING_ENABLED=1`, all console calls are automatically forwarded as OTLP log records:
+Console log forwarding is enabled by default through
+`config.logging.enabled: true`; all console calls are automatically forwarded as
+OTLP log records:
 ```javascript
 // At the top of your main file
 require('securenow/register');
-// With SECURENOW_LOGGING_ENABLED=1, all console logs are automatically sent
+// With config.logging.enabled=true, all console logs are automatically sent
 console.log('Application started');
 console.info('User action', { userId: 123, action: 'login' });
 console.warn('Deprecation warning');
@@ -1331,10 +1265,7 @@ console.debug('Debug info');
 - `console.error()` -> ERROR
 - `console.debug()` -> DEBUG
-**Environment variable:**
-```bash
-SECURENOW_LOGGING_ENABLED=1
-```
+Logging is controlled by `config.logging.enabled` in `.securenow/credentials.json`.
 ### Direct Logger API
@@ -1377,13 +1308,20 @@ node -r securenow/register app.js
 ## Request Body Capture
-SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `SECURENOW_CAPTURE_BODY=0` only when you need a local opt-out.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `config.capture.body=false` in `.securenow/credentials.json` only when you need a local opt-out.
 ### Body Capture Defaults
-```bash
-export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
-# export SECURENOW_CAPTURE_BODY=0     # optional opt-out
+```json
+{
+  "config": {
+    "capture": {
+      "body": true,
+      "maxBodySize": 10240,
+      "multipart": true
+    }
+  }
+}
 ```
 ### Supported Content Types
@@ -1391,11 +1329,11 @@ export SECURENOW_MAX_BODY_SIZE=10240  # 10KB (optional)
 - `application/json`
 - `application/x-www-form-urlencoded`
 - `application/graphql`
-- `multipart/form-data` (metadata capture is on unless `SECURENOW_CAPTURE_MULTIPART=0`)
+- `multipart/form-data` (metadata capture is on unless `config.capture.multipart=false`)
 ### Multipart Body Capture (v5.8.0+)
-Multipart/form-data metadata capture is enabled by default. Set `SECURENOW_CAPTURE_MULTIPART=0` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
+Multipart/form-data metadata capture is enabled by default. Set `config.capture.multipart=false` to disable it. Uses a streaming parser that never buffers file content -- memory stays at ~few KB regardless of upload size.
 **What gets captured:**
 - **Text fields** -- field name and value (up to 1000 chars), with sensitive fields auto-redacted
@@ -1422,8 +1360,14 @@ All request bodies are automatically scanned and sensitive fields are redacted:
 **Add custom fields to redact:**
-```bash
-export SECURENOW_SENSITIVE_FIELDS="custom_secret,internal_token"
+```json
+{
+  "config": {
+    "capture": {
+      "sensitiveFields": ["custom_secret", "internal_token"]
+    }
+  }
+}
 ```
 ### Example
@@ -1874,10 +1818,10 @@ Do not hardcode configuration in code or deployment dashboards. Use `.securenow/
 ```javascript
 // Bad
-process.env.SECURENOW_APPID = 'hardcoded-value';
+const appKey = 'hardcoded-value';
 // Good: use .securenow/credentials.json
-// { "app": { "key": "my-app", "instance": "https://freetrial.securenow.ai:4318" } }
+// { "app": { "key": "my-app", "instance": "https://ingest.securenow.ai" } }
 ```
 ### 2. Use Structured Logging

package/README.md CHANGED Viewed

@@ -45,7 +45,7 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
   "app": {
     "key": "<uuid>",
     "name": "my-backend",
-    "instance": "https://freetrial.securenow.ai:4318"
+    "instance": "https://ingest.securenow.ai"
   },
   "config": {
     "runtime": { "deploymentEnvironment": "local" },
@@ -181,7 +181,7 @@ Resolution order:
 4. Global named runtime credentials in the same fixed order
 5. `package.json#name` (label only)
-Legacy environment variables are fallback-only for existing installs. New local, CI, Docker, and production setups should use the credentials file.
+SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
 ---
@@ -244,8 +244,8 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | Field | Default | Purpose |
 |---|---|---|
-| `app.key` | selected during login | App routing UUID, sent as OTel `service.name` |
-| `app.instance` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
+| `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
+| `app.name` | selected during login | Human-readable label for CLI and dashboard output |
 | `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
@@ -256,25 +256,20 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
 | `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
-Legacy env fallback aliases:
+The credentials file is versioned with `_securenow.schemaVersion`, so future SDK
+versions can migrate defaults without asking customers to manage env vars. For
+production, generate a tokenless runtime file:
-| Variable | Default | Purpose |
-|---|---|---|
-| `SECURENOW_APPID` | from credentials file | App routing key (UUID), sent as OTel `service.name` |
-| `SECURENOW_INSTANCE` | `https://freetrial.securenow.ai:4318` | OTLP collector endpoint |
-| `SECURENOW_API_KEY` | from credentials file | Scoped firewall API key (`snk_live_...`) |
-| `SECURENOW_LOGGING_ENABLED` | `1` (on) | Forward `console.*` as OTLP logs. Set to `0` to disable. |
-| `SECURENOW_CAPTURE_BODY` | `1` (on) | Capture JSON / form request bodies. Set to `0` only for a local stream conflict. |
-| `SECURENOW_CAPTURE_MULTIPART` | `1` (on) | Capture multipart metadata (not content). |
-| `SECURENOW_MAX_BODY_SIZE` | `10240` | Max bytes captured per body. |
-| `SECURENOW_SENSITIVE_FIELDS` | `password,token,authorization,...` | Extra fields to redact (comma-separated). |
-| `SECURENOW_DISABLE_INSTRUMENTATIONS` | - | Comma-separated OTel instrumentations to disable. |
-| `SECURENOW_NO_UUID` | `0` | Don't append a UUID to `service.instance.id`. |
-| `SECURENOW_STRICT` | `0` | Exit with code 1 if `SECURENOW_APPID` is missing in a PM2 cluster. |
-| `OTEL_EXPORTER_OTLP_HEADERS` | - | Raw OTLP headers (e.g. `x-api-key=...`). |
-| `OTEL_LOG_LEVEL` | - | `debug`/`info`/`warn`/`error`. |
-New installs should use `.securenow/credentials.json`; environment variables remain legacy fallbacks for existing deployments.
+```bash
+npx securenow credentials runtime --env production
+```
+Mount or copy that JSON as `.securenow/credentials.json` in the deployed app.
+New runtime credentials do not include a per-instance collector URL; the SDK
+uses `https://ingest.securenow.ai` by default and the gateway routes by
+`app.key`.
+Legacy env fallback exists only for old deployments that explicitly opt in with
+`SECURENOW_ENABLE_LEGACY_ENV=1`; new installs should not use it.
 ---
@@ -289,7 +284,7 @@ PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 ### Other
 HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
-> MongoDB instrumentation is opt-in (`SECURENOW_ENABLE_MONGODB_INSTRUMENTATION=1`) because older versions corrupted cursors on `mongodb@6.6+`. Safe again since SDK v6.0.2.
+> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/credentials.json`.
 ---
@@ -431,7 +426,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
-Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env vars are fallback-only for older installs and do not choose the credentials filename.
+Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
 Override the dashboard API with `securenow config set apiUrl <url>`.