securenow 7.7.14 → 7.7.16

package/tracing.js

@@ -1,31 +1,17 @@
-'use strict';
+'use strict';
 
 /**
  * Preload with: node --require securenow/register app.js
  *
  * Works for both CJS and ESM apps. On Node >=20.6 the ESM loader hook is
- * auto-registered via module.register() — no --import flag needed.
+ * auto-registered via module.register() — no --import flag needed.
  * On Node 18 with "type": "module", add the hook manually:
  *   node --import @opentelemetry/instrumentation/hook.mjs --require securenow/register app.js
  *
- * Env:
- *   SECURENOW_APPID=logical-name              # or OTEL_SERVICE_NAME=logical-name
- *   SECURENOW_NO_UUID=1|0                     # override. Default: auto — 1 when
- *                                              logged in (appId is routing UUID,
- *                                              dashboard does exact match),
- *                                              0 pre-login (use suffix to
- *                                              distinguish PM2 cluster workers).
- *   SECURENOW_INSTANCE=http://host:4318       # OTLP/HTTP base (default https://freetrial.securenow.ai:4318)
- *   OTEL_EXPORTER_OTLP_ENDPOINT=...           # alternative base
- *   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=...    # full traces URL
- *   OTEL_EXPORTER_OTLP_HEADERS="k=v,k2=v2"
- *   SECURENOW_DISABLE_INSTRUMENTATIONS="pkg1,pkg2"
- *   SECURENOW_CAPTURE_MULTIPART=1                # capture multipart/form-data fields & file metadata (streaming, no file content buffered)
- *   OTEL_LOG_LEVEL=error|warn|info|debug|none
- *   SECURENOW_TEST_SPAN=1
- *
- * Safety:
- *   SECURENOW_STRICT=1  -> if no appid/name is provided in cluster, exit(1) so PM2 restarts the worker
+ * Config:
+ *   Runtime config is read from .securenow/credentials.json.
+ *   Run `npx securenow login` and `npx securenow init` to create it.
+ *   Production should mount/copy tokenless runtime credentials to the same path.
  */
 
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
@@ -40,8 +26,6 @@ const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongo
 const { randomUUID } = require('crypto');
 const appConfig = require('./app-config');
 
-const env = appConfig.env;
-
 function createResource(attributes) {
   if (typeof otelResources.resourceFromAttributes === 'function') {
     return otelResources.resourceFromAttributes(attributes);
@@ -265,7 +249,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
         const hasCliHook = execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle');
         const hasModuleRegister = typeof require('node:module').register === 'function';
         if (!hasCliHook && !hasModuleRegister) {
-          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
+          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
           console.warn('[securenow]    Upgrade to Node >=20.6 (recommended) or add: --import @opentelemetry/instrumentation/hook.mjs');
         }
       }
@@ -274,7 +258,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
 })();
 
 // -------- diagnostics --------
-const diagLevel = ((process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : env('OTEL_LOG_LEVEL')) || '').toLowerCase();
+const diagLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
 (() => {
   const level = diagLevel === 'debug' ? DiagLogLevel.DEBUG :
                 diagLevel === 'info'  ? DiagLogLevel.INFO  :
@@ -285,7 +269,7 @@ const diagLevel = ((process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LE
 })();
 
 // -------- endpoints & app resolution --------
-// Resolution order for endpoint/appId/apiKey: .securenow/credentials.json -> legacy env fallback -> package.json#name -> defaults.
+// Resolution order for endpoint/appId/apiKey: .securenow/credentials.json -> package.json#name -> defaults.
 const resolvedApp = appConfig.resolveAll();
 const resolvedEndpoints = appConfig.resolveEndpoints();
 
@@ -301,10 +285,10 @@ const headers = resolvedEndpoints.headers;
 const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 // Auto-disables the per-worker suffix when we resolved a routing UUID from
-// credentials — the dashboard does exact-match IN on service.name, so any
+// credentials — the dashboard does exact-match IN on service.name, so any
 // suffix breaks routing. config.runtime.noUuid can override.
 const noUuid   = appConfig.resolveNoUuid();
-const strict   = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
+const strict   = appConfig.boolConfig('runtime.strict', false);
 const inPm2Cluster = !!(process.env.NODE_APP_INSTANCE || process.env.pm_id);
 
 // Fail fast in cluster if base is missing (no more "free" names)
@@ -328,7 +312,7 @@ const instancePrefix   = baseName || 'securenow';
 const serviceInstanceId = `${instancePrefix}-${randomUUID()}`;
 
 // Loud line per worker to prove what was used
-console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=%s instance.id=%s',
+console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=%s instance.id=%s',
   process.pid,
   JSON.stringify(baseName),
   JSON.stringify(endpointBase),
@@ -339,18 +323,18 @@ console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=
 
 // -------- instrumentations --------
 const disabledMap = {};
-for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map(s => s.trim()).filter(Boolean)) {
+for (const n of appConfig.listConfig('otel.disableInstrumentations')) {
   disabledMap[n] = { enabled: false };
 }
 
 // -------- Body Capture Configuration --------
 // Opt-out defaults: set config.capture.body=false to disable.
-const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
-const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+const captureBody = appConfig.boolConfig('capture.body', true);
+const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
-const captureMultipart = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_MULTIPART') ?? ''));
+const captureMultipart = appConfig.boolConfig('capture.multipart', true);
 
 const BODY_CAPTURE_PATCH = Symbol.for('securenow.bodyCapture.emitPatch');
 
@@ -370,7 +354,7 @@ function installRequestBodyObserver(span, request, contentType) {
   if (isMultipartBody && !captureMultipart) {
     span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
     span.setAttribute('http.request.body.type', 'multipart');
-    span.setAttribute('http.request.body.note', 'Multipart capture disabled (SECURENOW_CAPTURE_MULTIPART=0)');
+    span.setAttribute('http.request.body.note', 'Multipart capture disabled by config.capture.multipart=false');
     return;
   }
 
@@ -537,8 +521,8 @@ const httpInstrumentation = new HttpInstrumentation({
 });
 
 // -------- Logging Configuration --------
-// Opt-out default: set =0 or =false to disable.
-const loggingEnabled = !/^(0|false)$/i.test(String(env('SECURENOW_LOGGING_ENABLED') ?? ''));
+// Opt-out default: set config.logging.enabled=false to disable.
+const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
 
 // Create shared resource for both traces and logs
 const sharedResource = createResource({
@@ -596,11 +580,11 @@ if (loggingEnabled) {
 // request's error path isn't fully covered by the OTel library. We install
 // targeted process-level handlers to catch them and log at debug level instead
 // of crashing the host app.
-const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
 function _isOtlpTransientError(err) {
   if (!err) return false;
   if (_TRANSIENT_CODES.has(err.code)) return true;
-  if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+  if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
   return false;
 }
 function _looksLikeOtlpStack(err) {
@@ -609,25 +593,58 @@ function _looksLikeOtlpStack(err) {
   return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
     || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
 }
+function _looksLikeConfiguredOtlpEndpoint(err) {
+  const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+  try {
+    const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+    return hosts.some((host) => host && text.includes(host));
+  } catch (_) {
+    return false;
+  }
+}
+function _originalConsole(method) {
+  const originals = console.__securenow_original || console.__securenowOriginalConsole;
+  return (originals && originals[method]) || console[method] || console.log;
+}
+let _lastSuppressedOtlpErrorLogAt = 0;
+function _formatOtlpError(err) {
+  if (!err) return 'unknown error';
+  const parts = [err.message || String(err)];
+  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+  if (err.syscall) parts.push(`syscall=${err.syscall}`);
+  if (err.hostname) parts.push(`host=${err.hostname}`);
+  return parts.join(' ');
+}
+function _reportSuppressedOtlpError(kind, err, origin) {
+  const level = String(diagLevel || '').toLowerCase();
+  if (level === 'none') return;
+  const now = Date.now();
+  if (level !== 'debug' && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+  _lastSuppressedOtlpErrorLogAt = now;
+  const method = level === 'debug' ? 'debug' : 'error';
+  _originalConsole(method).call(
+    console,
+    '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+    kind,
+    origin || 'async',
+    _formatOtlpError(err)
+  );
+}
 
 process.on('uncaughtException', (err, origin) => {
-  if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-    }
-    return; // swallow — do not crash
+  if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+    _reportSuppressedOtlpError('error', err, origin);
+    return; // swallow - do not crash
   }
-  // Not ours — re-throw so the default handler (or the app's own handler) fires
+  // Not ours — re-throw so the default handler (or the app's own handler) fires
   throw err;
 });
 process.on('unhandledRejection', (reason) => {
-  if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-    }
+  if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+    _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
     return; // swallow
   }
-  // Not ours — re-throw as unhandled so Node's default behaviour applies
+  // Not ours — re-throw as unhandled so Node's default behaviour applies
   throw reason;
 });
 
@@ -651,19 +668,19 @@ const sdk = new NodeSDK({
 (async () => {
   try {
     await Promise.resolve(sdk.start?.());
-    console.log('[securenow] OTel SDK started → %s', tracesUrl);
+    console.log('[securenow] OTel SDK started → %s', tracesUrl);
     if (loggingEnabled) {
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
     } else {
       console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
     }
     if (captureBody) {
-      console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
+      console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
     }
     if (captureMultipart) {
-      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
+      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
     }
-    if (String(env('SECURENOW_TEST_SPAN')) === '1') {
+    if (appConfig.boolConfig('runtime.testSpan', false)) {
       const api = require('@opentelemetry/api');
       const tracer = api.trace.getTracer('securenow-smoke');
       const span = tracer.startSpan('securenow.startup.smoke'); span.end();
@@ -671,13 +688,13 @@ const sdk = new NodeSDK({
 
     // Free trial banner
     const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
-    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
       patchHttpForBanner();
     }
 
-    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
+    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
     // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
-    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
+    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
     const firewallOptions = appConfig.resolveFirewallOptions();
     if (firewallOptions.apiKey && firewallOptions.enabled) {
       require('./firewall').init({
@@ -685,6 +702,7 @@ const sdk = new NodeSDK({
         appKey: firewallOptions.appKey,
         environment: firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/web-vite.mjs

@@ -11,9 +11,24 @@ import { UserInteractionInstrumentation } from '@opentelemetry/instrumentation-u
 import { FetchInstrumentation } from '@opentelemetry/instrumentation-fetch';
 import { XMLHttpRequestInstrumentation } from '@opentelemetry/instrumentation-xml-http-request';
 
-// ---- helpers / env ----
+// ---- helpers / browser config ----
 const viteEnv = import.meta.env || {};
 
+const ENV_TO_BROWSER_CONFIG_PATH = Object.freeze({
+  SECURENOW_APPID: 'app.key',
+  SECURENOW_INSTANCE: 'config.otel.endpoint',
+  OTEL_SERVICE_NAME: 'app.name',
+  OTEL_EXPORTER_OTLP_ENDPOINT: 'config.otel.endpoint',
+  OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: 'config.otel.tracesEndpoint',
+  OTEL_EXPORTER_OTLP_HEADERS: 'config.otel.headers',
+  SECURENOW_NO_UUID: 'config.runtime.noUuid',
+  SECURENOW_STRICT: 'config.runtime.strict',
+  SECURENOW_TEST_SPAN: 'config.runtime.testSpan',
+  SECURENOW_HIDE_BANNER: 'config.runtime.hideBanner',
+  SECURENOW_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
+  SECURENOW_DEPLOYMENT_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
+});
+
 function createResource(attributes) {
   if (typeof otelResources.resourceFromAttributes === 'function') {
     return otelResources.resourceFromAttributes(attributes);
@@ -24,17 +39,62 @@ function createResource(attributes) {
   throw new Error('Unsupported @opentelemetry/resources version');
 }
 
+function legacyViteEnvFallbackEnabled() {
+  const raw =
+    viteEnv.SECURENOW_ENABLE_LEGACY_ENV ??
+    viteEnv.VITE_SECURENOW_ENABLE_LEGACY_ENV ??
+    viteEnv.SECURENOW_ALLOW_ENV_CONFIG ??
+    viteEnv.VITE_SECURENOW_ALLOW_ENV_CONFIG;
+  return /^(1|true|yes)$/i.test(String(raw || '').trim());
+}
+
+function getPath(obj, path) {
+  if (!obj || !path) return undefined;
+  let cur = obj;
+  for (const part of String(path).split('.')) {
+    if (cur == null || typeof cur !== 'object' || !(part in cur)) return undefined;
+    cur = cur[part];
+  }
+  return cur;
+}
+
+function headersToString(headers) {
+  if (!headers || typeof headers !== 'object' || Array.isArray(headers)) return undefined;
+  return Object.entries(headers)
+    .filter(([, value]) => value !== undefined && value !== null && value !== '')
+    .map(([key, value]) => `${key}=${value}`)
+    .join(',');
+}
+
+function toConfigString(value) {
+  if (value === undefined || value === null || value === '') return undefined;
+  if (typeof value === 'boolean') return value ? '1' : '0';
+  if (Array.isArray(value)) return value.join(',');
+  if (typeof value === 'object') return headersToString(value);
+  return String(value);
+}
+
 function env(k) {
-  // Accept both Vite envs (VITE_*) and raw names for window.__SECURENOW__
+  // Browser config should be injected as window.__SECURENOW__ by the app.
+  const w = globalThis.window;
+  const injected = w && w.__SECURENOW__;
+  const mappedPath = ENV_TO_BROWSER_CONFIG_PATH[String(k).toUpperCase()];
+  if (injected) {
+    if (mappedPath) {
+      const mappedValue = getPath(injected, mappedPath);
+      const resolved = toConfigString(mappedValue);
+      if (resolved !== undefined) return resolved;
+    }
+    if (!mappedPath && k in injected) return toConfigString(injected[k]);
+  }
+
+  // Vite env fallbacks are legacy and disabled by default.
+  if (!legacyViteEnvFallbackEnabled()) return undefined;
   const direct =
     viteEnv[k] ??
     viteEnv[k.toUpperCase()] ??
     viteEnv[k.toLowerCase()];
   if (direct != null) return String(direct);
-
-  // Optionally support runtime overrides via window.__SECURENOW__
-  const w = globalThis.window;
-  if (w && w.__SECURENOW__ && k in w.__SECURENOW__) return String(w.__SECURENOW__[k]);
   return undefined;
 }
 
@@ -51,20 +111,50 @@ function parseHeaders(str) {
   return out;
 }
 
+function normalizeEndpointBase(value) {
+  const endpoint = String(value || '').trim().replace(/\/$/, '');
+  if (!endpoint) return endpoint;
+  if (endpoint === 'https://api.securenow.ai/api/otlp') return 'https://ingest.securenow.ai';
+
+  try {
+    const parseable = /^[a-z][a-z0-9+.-]*:\/\//i.test(endpoint) ? endpoint : `https://${endpoint}`;
+    const url = new URL(parseable);
+    if (url.port === '4318' && url.hostname.toLowerCase().endsWith('.securenow.ai')) {
+      return 'https://ingest.securenow.ai';
+    }
+  } catch {}
+
+  return endpoint;
+}
+
+function normalizeSignalEndpoint(value, signalType) {
+  if (!value) return value;
+  const endpoint = String(value).trim().replace(/\/$/, '');
+  const signalPath = `/v1/${signalType}`;
+  if (endpoint.endsWith(signalPath)) {
+    return `${normalizeEndpointBase(endpoint.slice(0, -signalPath.length))}${signalPath}`;
+  }
+  return endpoint;
+}
+
 // ---- endpoints (same defaults as tracing.js) ----
 const endpointBase =
-  (env('SECURENOW_INSTANCE') || env('OTEL_EXPORTER_OTLP_ENDPOINT') || 'https://freetrial.securenow.ai:4318')
-    .replace(/\/$/, '');
+  normalizeEndpointBase(env('SECURENOW_INSTANCE') || env('OTEL_EXPORTER_OTLP_ENDPOINT') || 'https://ingest.securenow.ai');
 const tracesUrl =
-  env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
+  normalizeSignalEndpoint(env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT'), 'traces') || `${endpointBase}/v1/traces`;
 const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+const deploymentEnvironment =
+  env('SECURENOW_DEPLOYMENT_ENVIRONMENT') || env('SECURENOW_ENVIRONMENT') || viteEnv.MODE || 'production';
+const browserAppKey = env('SECURENOW_APPID');
+if (browserAppKey && !headers['x-api-key']) headers['x-api-key'] = browserAppKey;
+if (deploymentEnvironment && !headers['x-securenow-environment']) headers['x-securenow-environment'] = deploymentEnvironment;
 
 // ---- naming rules (mirrors tracing.js) ----
 const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 // Default to no suffix whenever a baseName is resolved: the dashboard filters
 // service.name by exact match, and browsers have no PM2 cluster problem
-// (each tab has its own service.instance.id). Explicit SECURENOW_NO_UUID=0
+// (each tab has its own service.instance.id). Explicit config.runtime.noUuid=false
 // still re-enables the suffix if someone really wants it.
 const noUuidEnv = env('SECURENOW_NO_UUID');
 const noUuid =
@@ -95,7 +185,7 @@ if (baseName) {
   serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
 } else {
   if (strict) {
-    console.error('[securenow/web-vite] FATAL: SECURENOW_APPID/OTEL_SERVICE_NAME missing and SECURENOW_STRICT=1. Tracing disabled.');
+    console.error('[securenow/web-vite] FATAL: SecureNow app key missing and config.runtime.strict=true. Tracing disabled.');
     // @ts-expect-error
     window.__SECURENOW_DISABLED__ = true;
     disabled = true;
@@ -112,7 +202,7 @@ const serviceInstanceId = `${instancePrefix}-${uuidv4()}`;
 try {
   // eslint-disable-next-line no-console
   console.log(
-    '[securenow] web preload loaded SECURENOW_APPID=%s OTEL_SERVICE_NAME=%s SECURENOW_NO_UUID=%s SECURENOW_STRICT=%s → service.name=%s instance.id=%s',
+    '[securenow] web preload loaded app.key=%s app.name=%s config.runtime.noUuid=%s config.runtime.strict=%s → service.name=%s instance.id=%s',
     JSON.stringify(env('SECURENOW_APPID')),
     JSON.stringify(env('OTEL_SERVICE_NAME')),
     JSON.stringify(env('SECURENOW_NO_UUID')),
@@ -138,7 +228,7 @@ export function startSecurenowWeb() {
     resource: createResource({
       [S.SERVICE_NAME]: serviceName,
       [S.SERVICE_INSTANCE_ID]: serviceInstanceId,
-      [S.DEPLOYMENT_ENVIRONMENT]: viteEnv.MODE || 'production',
+      [S.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
       [S.SERVICE_VERSION]: viteEnv.VITE_APP_VERSION || undefined,
     }),
     spanProcessors: [new BatchSpanProcessor(exporter)],
@@ -174,9 +264,9 @@ export function startSecurenowWeb() {
 
 // ---- Free trial banner (browser DOM injection) ----
 function injectFreeTrialBanner() {
-  const FREETRIAL_HOST = 'freetrial.securenow.ai';
+  const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
   const hideBanner = String(env('SECURENOW_HIDE_BANNER')) === '1';
-  if (hideBanner || !endpointBase.includes(FREETRIAL_HOST)) return;
+  if (hideBanner || !FREE_TRIAL_HOSTS.some(host => endpointBase.includes(host))) return;
   if (typeof document === 'undefined') return;
 
   function create() {