securenow 7.7.15 → 7.8.1

package/NPM_README.md

@@ -11,12 +11,16 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - Multi-layer firewall -- auto-blocks IPs from your SecureNow blocklist
 - `securenow init` scaffolds Next.js instrumentation, safe `serverExternalPackages`, and standalone output tracing includes
 - `securenow/firewall-only` entry point for firewall without tracing overhead
-- Local and production configuration via `.securenow/credentials.json`
+- Split local credentials: `.securenow/admin.json` for CLI/MCP admin auth and `.securenow/runtime.json` for SDK runtime
 - Single `-r securenow/register` flag -- works for both CJS and ESM apps
 - Native Nuxt 3 module (`securenow/nuxt`)
 
 ---
 
+> **v7.8 credential model:** admin/control-plane CLI and MCP auth lives in `.securenow/admin.json`; SDK runtime app config and the firewall key live in `.securenow/runtime.json`. `npx securenow login` can run both lanes for onboarding, `npx securenow admin login` refreshes only admin auth, and `npx securenow app connect` refreshes only runtime app config. Legacy combined `.securenow/credentials.json` files are still read, and production runtime exports can still be mounted as `.securenow/credentials.json`.
+
+---
+
 ## Table of Contents
 
 - [Installation](#installation)
@@ -65,7 +69,9 @@ Run login - it is a browser flow that picks or creates an app and connects the f
 npx securenow login
 ```
 
-During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
+During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes runtime config into `.securenow/runtime.json`. Admin auth, when part of the flow, is saved separately to `.securenow/admin.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
+
+Metrics export is intentionally off by default. SecureNow sets `OTEL_METRICS_EXPORTER=none` when the app has not explicitly configured metrics, preventing the OpenTelemetry SDK from creating a default metrics reader that retries `localhost:4318`.
 
 For framework scaffolding (Next.js `instrumentation.ts`, `next.config.*`, etc.) use:
 
@@ -76,17 +82,17 @@ npx securenow init --key snk_live_abc123...
 ```
 
 This detects your framework and:
-- **Credentials**: Ensures `.securenow/credentials.json` has secure defaults and explanations
+- **Credentials**: Ensures `.securenow/runtime.json` has secure defaults and explanations
 - **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, or prints a Codex/Claude-ready merge prompt for existing files
 - **Nuxt 3**: Suggests adding `securenow/nuxt` to modules
 - **Express / Node.js**: Shows how to add `-r securenow/register` to your start script
-- **All**: Stores `--key` in `.securenow/credentials.json`; no local `.env` file is needed
+- **All**: Stores `--key` in `.securenow/runtime.json`; no local `.env` file is needed
 
 ### 2. Manual Setup
 
 #### Configure Locally
 
-Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 
 #### Run Your Application
 
@@ -143,13 +149,15 @@ The `securenow` CLI gives you full access to the SecureNow platform from the ter
 ### Getting Started
 
 ```bash
-# Log in (opens browser for OAuth + app picker)
-# The browser flow mints and stores the firewall API key automatically in
-# .securenow/credentials.json (no env var needed).
+# Friendly onboarding: admin auth + app runtime connection.
 npx securenow login
 
-# Or use a token for CI/headless environments
-npx securenow login --token <YOUR_JWT>
+# Admin/control-plane CLI and MCP auth only.
+npx securenow admin login
+npx securenow admin login --token <YOUR_JWT>
+
+# App/runtime SDK config only.
+npx securenow app connect
 
 # Save to ~/.securenow/ instead of this project
 npx securenow login --global
@@ -170,7 +178,7 @@ npx securenow api-key clear                    # remove just the key
 # Auto-detect framework and scaffold instrumentation files
 npx securenow init
 
-# Pass your API key to store it in .securenow/credentials.json
+# Pass your API key to store it in .securenow/runtime.json
 npx securenow init --key snk_live_abc123...
 ```
 
@@ -178,7 +186,7 @@ For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeSc
 
 ### MCP for Codex and Claude
 
-SecureNow includes a local stdio MCP server that uses the same credentials and API client as the CLI:
+SecureNow includes a local stdio MCP server that resolves credentials by operation type:
 
 ```bash
 npx securenow login
@@ -187,7 +195,7 @@ codex mcp add securenow -- npx securenow mcp
 npx -p securenow securenow-mcp
 ```
 
-The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, rate-limit remediation, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
+Admin/global tools use `.securenow/admin.json`. App-scoped runtime reads can use `.securenow/runtime.json` or an explicit app key. The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, rate-limit remediation, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
 
 For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
 
@@ -418,11 +426,14 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | File | Description |
 |------|-------------|
 | `~/.securenow/config.json` | API URL, default app, output format |
-| `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
-| `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
+| `~/.securenow/admin.json` | Global admin/control-plane CLI and MCP auth |
+| `~/.securenow/runtime.json` | Global SDK runtime app config and firewall key |
+| `.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
+| `.securenow/runtime.json` | Project-local SDK runtime app config and firewall key |
+| `.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 
-**Resolution order:** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** runtime config resolves from project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Legacy CLI token overrides still work for existing automation.
 
 ### Global Flags
 
@@ -436,7 +447,7 @@ Every command supports these flags:
 
 ### Legacy CLI Overrides
 
-Normal CLI, SDK, and production runtime setup uses `.securenow/credentials.json`.
+Normal SDK runtime setup uses `.securenow/runtime.json`; admin CLI/MCP auth uses `.securenow/admin.json`.
 Old per-terminal CLI overrides still exist for operator troubleshooting, but
 they are not part of the SDK runtime configuration path.
 
@@ -488,16 +499,18 @@ npx securenow logs --json --level error | jq '.logs'
 | Category | Command | Description |
 |----------|---------|-------------|
 | **Setup** | `init` | Auto-scaffold instrumentation for your framework |
-| **Auth** | `login` | Authenticate via browser, `--token`, or `--local` |
-| | `logout` | Clear credentials (`--local` for project only) |
-| | `whoami` | Show session info and auth source |
+| **Auth** | `login` | Friendly onboarding: admin auth + app runtime connection |
+| | `admin login` | Authenticate admin/control-plane CLI and MCP tools |
+| | `app connect` | Select/create app and write SDK runtime config |
+| | `logout` | Clear admin auth; runtime app config remains |
+| | `whoami` | Show admin auth and runtime app status separately |
 | **Apps** | `apps` | List applications |
 | | `apps create <name>` | Create application |
 | | `apps info <id>` | Application details |
 | | `apps delete <id>` | Delete application |
 | | `apps default <key>` | Set default app |
 | **API Key** | `api-key create [--name "CLI firewall"] [--global]` | Mint and save a firewall key with your logged-in session |
-| | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/credentials.json` |
+| | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/runtime.json` |
 | | `api-key show` | Show masked key + source |
 | | `api-key clear [--global]` | Remove stored key (leaves session/app) |
 | **Observe** | `traces` | List traces |
@@ -1203,7 +1216,7 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 | `config.logging.enabled` | Automatic console log export. | `true` |
 | `config.capture.body` | Request body capture with redaction. | `true` |
 | `config.capture.multipart` | Multipart metadata capture, never file content. | `true` |
-| `config.firewall.enabled` | Local SDK firewall switch; dashboard toggle is per environment. | `true` |
+| `config.firewall.enabled` | Deprecated local hint. Runtime enable/disable uses the dashboard/API environment toggle. | ignored |
 | `config.otel.*` | Optional custom endpoints, headers, and log level. | empty |
 
 The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads

package/README.md

@@ -12,9 +12,8 @@ Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt: traces, logs, body cap
 # 1. Install
 npm install securenow
 
-# 2. Pick (or create) your app in the browser - writes .securenow/ locally.
-#    Since v7.4.0, the browser step enables the app firewall and stores
-#    a scoped firewall API key in the same file - no env vars.
+# 2. Pick (or create) your app in the browser - writes .securenow/runtime.json.
+#    The friendly login flow can also refresh admin CLI/MCP auth in .securenow/admin.json.
 npx securenow login
 
 # 3. Start your app - one flag is all it takes
@@ -35,12 +34,17 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 
 ## How it works
 
-`npx securenow login` opens a browser, lets you pick (or create) an application, and writes a **project-local** credentials file to `.securenow/credentials.json`:
+`npx securenow login` opens a browser and runs both lanes for onboarding:
+
+- admin/control-plane CLI and MCP auth goes to `.securenow/admin.json`
+- app/runtime SDK config and the firewall API key go to `.securenow/runtime.json`
+
+Use `npx securenow admin login` to refresh only admin auth, or `npx securenow app connect` to refresh only runtime app config. Legacy combined `.securenow/credentials.json` files are still read for old installs.
+
+Runtime credentials look like:
 
 ```json
 {
-  "token": "...",
-  "email": "you@example.com",
   "apiKey": "snk_live_...",
   "app": {
     "key": "<uuid>",
@@ -56,7 +60,7 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 }
 ```
 
-The SDK reads this file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. The file is auto-added to `.gitignore` so it never lands in git.
+The SDK reads the runtime file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. Local credential files are auto-added to `.gitignore` so they never land in git.
 
 ---
 
@@ -71,7 +75,7 @@ npx securenow login
 Then ask your coding agent to wire each app with this prompt:
 
 ```text
-I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/credentials.json plus tokenless .securenow/credentials.production.json, gitignore .securenow, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json, gitignore only SecureNow credential files, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
 ```
 
 For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
@@ -151,7 +155,9 @@ Run `npx securenow init` after installing so the credentials file and secure def
 - Multipart upload metadata (field names, file names, sizes, content-types; never file content)
 - Firewall protection from the selected app's SecureNow blocklist and IPDB sync - activates as soon as you've logged in
 
-All of these are **on by default**. Tune them in `.securenow/credentials.json` under the `config` block.
+All of these are **on by default**. Tune them in `.securenow/runtime.json` under the `config` block.
+
+SecureNow does not export metrics by default. The preload sets `OTEL_METRICS_EXPORTER=none` when the app has not explicitly configured a metrics exporter, which prevents OpenTelemetry's default metrics reader from falling back to `localhost:4318`.
 
 ---
 
@@ -175,11 +181,13 @@ Starting in v7.7.2, the SDK also accepts generated runtime filenames directly wi
 
 Resolution order:
 
-1. Project-local `.securenow/credentials.json`
-2. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
-3. Global `~/.securenow/credentials.json`
-4. Global named runtime credentials in the same fixed order
-5. `package.json#name` (label only)
+1. Project-local `.securenow/runtime.json`
+2. Legacy project-local `.securenow/credentials.json`
+3. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
+4. Global `~/.securenow/runtime.json`
+5. Legacy global `~/.securenow/credentials.json`
+6. Global named runtime credentials in the same fixed order
+7. `package.json#name` (label only)
 
 SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
 
@@ -189,13 +197,14 @@ SDK runtime config is credentials-json based. Legacy environment fallbacks are d
 
 ```bash
 # Setup
-npx securenow login                 # browser auth + app picker + firewall enabled by default
-npx securenow login --global        # save to ~/.securenow/ instead
-npx securenow login --token <TOKEN> # headless (CI)
+npx securenow login                 # friendly flow: admin auth + app runtime connection
+npx securenow admin login           # admin/control-plane CLI + MCP auth only
+npx securenow app connect           # app/runtime SDK connection only
+npx securenow admin login --token <TOKEN> # headless admin auth (CI)
 npx securenow init --env local      # scaffold framework files + local env scope
 npx securenow credentials runtime --env production # write tokenless production credentials file
 npx securenow api-key create --name "CLI firewall" # mint + store firewall key
-npx securenow api-key set snk_live_... # store firewall key in .securenow/credentials.json
+npx securenow api-key set snk_live_... # store firewall key in .securenow/runtime.json
 
 # Apps
 npx securenow apps                  # list all apps
@@ -211,6 +220,7 @@ npx securenow doctor                # diagnose config + connectivity
 # Security
 npx securenow firewall status --env production
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
+npx securenow blocklist add 1.2.3.4 --route /admin* --mode prefix --method ALL --reason "admin probing"
 npx securenow blocklist unblock <id> --reason "reviewed safe"
 npx securenow fp ai-fill --description "Stripe webhook POST /api/stripe/webhook"
 
@@ -229,18 +239,20 @@ SecureNow ships a local stdio MCP server for agent clients:
 
 ```bash
 npx securenow login
+npx securenow admin login      # admin/control-plane only
+npx securenow app connect      # runtime app/firewall key only
 codex mcp add securenow -- npx securenow mcp
 # or run directly:
 npx -p securenow securenow-mcp
 ```
 
-The MCP server reuses the same project-local `.securenow/credentials.json` as the CLI and SDK. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, rate-limit remediation, plus resources for the bundled SecureNow docs and setup prompts.
+The MCP server resolves credentials by operation type: admin/global tools use `.securenow/admin.json`, while app-scoped runtime reads can use `.securenow/runtime.json` or an explicit app key. Legacy combined `.securenow/credentials.json` remains a fallback. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, rate-limit remediation, plus resources for the bundled SecureNow docs and setup prompts.
 
 ---
 
 ## Credentials Config
 
-Use `.securenow/credentials.json` fields for new local, CI, Docker, and production setups. The credentials file is the product path.
+Use `.securenow/runtime.json` fields for new local SDK/runtime setups. Production exports still use tokenless `.securenow/credentials.<environment>.json` files that can be mounted as `.securenow/credentials.json`.
 
 | Field | Default | Purpose |
 |---|---|---|
@@ -253,7 +265,7 @@ Use `.securenow/credentials.json` fields for new local, CI, Docker, and producti
 | `config.capture.multipart` | `true` | Capture multipart metadata, never file content |
 | `config.capture.maxBodySize` | `10240` | Max bytes captured per body |
 | `config.capture.sensitiveFields` | `[]` | Extra field-name fragments to redact |
-| `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
+| `config.firewall.enabled` | Deprecated | Ignored as a local kill switch; dashboard/API firewall toggle is scoped per environment |
 | `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
 
 The credentials file is versioned with `_securenow.schemaVersion`, so future SDK
@@ -284,7 +296,7 @@ PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 ### Other
 HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
 
-> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/credentials.json`.
+> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/runtime.json`.
 
 ---
 
@@ -310,14 +322,16 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 
 | Command | Description |
 |---|---|
-| `securenow login` | Browser auth + pick app; firewall key is minted automatically (writes ./.securenow/ by default) |
+| `securenow login` | Friendly onboarding: admin auth + runtime app connection |
+| `securenow admin login` | Admin/control-plane CLI and MCP auth only |
+| `securenow app connect` | App/runtime SDK connection only |
 | `securenow login --global` | Save to ~/.securenow/ instead |
-| `securenow login --token <TOKEN>` | Headless (CI/servers) |
-| `securenow logout` | Clear project-local credentials |
+| `securenow admin login --token <TOKEN>` | Headless admin auth (CI/servers) |
+| `securenow logout` | Clear admin auth only; runtime app config stays intact |
 | `securenow logout --global` | Clear ~/.securenow/ instead |
-| `securenow whoami` | Show current session (email, app, expiry) |
+| `securenow whoami` | Show admin auth and runtime app status separately |
 | `securenow api-key create [--name "CLI firewall"]` | Mint and store a firewall key using your session token |
-| `securenow api-key set <snk_live_...>` | Store firewall key in `.securenow/credentials.json` (`--global` for `~/.securenow/`) |
+| `securenow api-key set <snk_live_...>` | Store firewall key in `.securenow/runtime.json` (`--global` for `~/.securenow/`) |
 | `securenow api-key show` | Print masked key + source file |
 | `securenow api-key clear` | Remove stored key (`--global` for `~/.securenow/`) |
 
@@ -368,14 +382,14 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | Command | Description |
 |---|---|
 | `securenow firewall status` | Firewall layers + key info |
-| `securenow firewall test-ip <ip>` | Would this IP be blocked? |
+| `securenow firewall test-ip <ip> [--path /admin/users]` | Would this IP be blocked? |
 
 ### Remediation
 
 | Command | Description |
 |---|---|
 | `securenow blocklist` | List blocked IPs |
-| `securenow blocklist add <ip> [--reason ...]` | Block an IP |
+| `securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--reason ...]` | Block an IP globally or only for matching routes |
 | `securenow blocklist unblock <id> [--reason ...]` | Stop enforcement and keep block history |
 | `securenow ratelimit parse "<request>"` | Fill a rate-limit rule draft from natural language |
 | `securenow ratelimit from-text "<request>" --yes` | Create a soft rate-limit rule from natural language |
@@ -420,13 +434,17 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 
 | File | Purpose |
 |---|---|
-| `./.securenow/credentials.json` | Project-local or production runtime credentials |
+| `./.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
+| `./.securenow/runtime.json` | Project-local SDK runtime app config and firewall key |
+| `./.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
-| `~/.securenow/credentials.json` | Global (with `login --global`) |
+| `~/.securenow/admin.json` | Global admin/control-plane auth |
+| `~/.securenow/runtime.json` | Global SDK runtime app config |
+| `~/.securenow/credentials.json` | Legacy global combined credentials |
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
+Runtime resolution order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials -> package name fallback. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
 
 Override the dashboard API with `securenow config set apiUrl <url>`.
 

package/SKILL-API.md

@@ -4,7 +4,7 @@ Instrument any Node.js application with OpenTelemetry tracing, structured loggin
 
 **CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
 
-**MCP parity (v7.5+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reuses the same `.securenow/credentials.json` file as the CLI/SDK and exposes SecureNow tools, bundled docs resources, and setup prompts to agents. Alert-rule operators can inspect notifications, read exact `metadata.matchedSubdetectors`, dry-run candidate SQL with `securenow_alert_rule_candidate_test`, and apply global system-rule query fixes with `securenow_alert_rule_query_update` when evidence is clear.
+**MCP parity (v7.8+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reads admin/control-plane auth from `.securenow/admin.json` and SDK runtime app credentials from `.securenow/runtime.json`, with legacy `.securenow/credentials.json` still supported. Alert-rule operators can inspect notifications, read exact `metadata.matchedSubdetectors`, dry-run candidate SQL with `securenow_alert_rule_candidate_test`, and apply global system-rule query fixes with `securenow_alert_rule_query_update` only when the admin user/plan permits it.
 
 **Noisy alert-rule reviews:** prefer fixing a generic system-rule detector over creating customer-specific false positives. Dry-run candidate SQL first, preserve tenant scoping with `__USER_APP_KEYS__`, keep exploit-specific indicators, then save the shared query mapping only with an audit reason and explicit confirmation.
 
@@ -27,10 +27,12 @@ npm install securenow@latest
 node -p "require('./node_modules/securenow/package.json').version"
 npx securenow version
 npx securenow login
+npx securenow admin login     # admin/control-plane CLI + MCP auth only
+npx securenow app connect     # SDK runtime app + firewall key only
 npx securenow init
 ```
 
-Use `securenow@7.5.1` or newer. Start authentication with `npx securenow login`; do not manually open auth URLs, because the CLI generates the callback/state values. The login flow lets the user pick or create an app, enables the app firewall by default, writes `.securenow/credentials.json`, and `init` scaffolds the framework integration.
+Use `securenow@7.8.0` or newer for split admin/runtime credentials. Start authentication with `npx securenow login`; do not manually open auth URLs, because the CLI generates the callback/state values. The friendly login flow can connect both lanes, while `npx securenow admin login` only writes `.securenow/admin.json` and `npx securenow app connect` only writes `.securenow/runtime.json`. `init` scaffolds the framework integration.
 
 ### 2. Run With Instrumentation
 
@@ -54,19 +56,21 @@ npx securenow init
 
 That's it. Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are on by default. No code changes for Express, Fastify, NestJS, Koa, Hapi, and raw Node.
 
+Metrics export is off by default. SecureNow sets `OTEL_METRICS_EXPORTER=none` only when the app has not explicitly configured a metrics exporter, so `@opentelemetry/sdk-node` will not start a default metrics reader that retries `localhost:4318`.
+
 ### 3. Firewall Is Enabled by Default
 
-Since v7.5.1, the browser login flow connects the firewall automatically after
-the user picks or creates an app. The firewall key lives in your credentials
-file — no env var required:
+Since v7.8, the app runtime flow connects the firewall automatically after
+the user picks or creates an app. The firewall key lives in `.securenow/runtime.json`
+so admin CLI/MCP login cannot overwrite it:
 
 ```bash
-npx securenow login              # pick/create app; firewall key is minted automatically
+npx securenow app connect        # pick/create app; firewall key is minted automatically
 # or, if you already have one:
 npx securenow api-key set snk_live_abc123...
 ```
 
-Both paths write the key to `.securenow/credentials.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json`.
+Both paths write the key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
 
 The firewall syncs your blocklist and enforces it on every request — zero code changes.
 
@@ -77,7 +81,7 @@ reblock context.
 
 For near-realtime propagation after a block/unblock, set
 `config.firewall.versionCheckInterval` to `1` or `2` in the protected app's
-`.securenow/credentials.json`. The SDK polls `/firewall/sync` with ETag/304, so
+`.securenow/runtime.json` or production runtime credentials. The SDK polls `/firewall/sync` with ETag/304, so
 unchanged checks are lightweight; keep `config.firewall.syncInterval` high as a
 safety-net full refresh.
 
@@ -138,7 +142,7 @@ module.exports = {
     script: './app.js',
     instances: 4,
     node_args: '-r securenow/register',
-    // Reads .securenow/credentials.json from the project root.
+    // Reads .securenow/runtime.json from the project root.
   }],
 };
 ```
@@ -146,7 +150,7 @@ module.exports = {
 **Docker:**
 
 ```dockerfile
-COPY .securenow/credentials.json ./.securenow/credentials.json
+COPY .securenow/credentials.production.json ./.securenow/credentials.production.json
 CMD ["node", "-r", "securenow/register", "app.js"]
 ```
 
@@ -214,7 +218,7 @@ On Vercel it uses `@vercel/otel`; self-hosted uses vanilla `@opentelemetry/sdk-n
 }
 ```
 
-Local development and production do not need `.env.local`; `npx securenow login` and `npx securenow init` keep `.securenow/credentials.json` filled and gitignored. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json`.
+Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled and gitignored. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
 
 #### Next.js Body Capture
 
@@ -254,11 +258,11 @@ export const POST = withSecureNow(async (req) => {
 #### Next.js with `securenow init`
 
 ```bash
-npx securenow login
+npx securenow app connect
 npx securenow init
 ```
 
-Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and reuses the app, instance, firewall key, and secure defaults in `.securenow/credentials.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
+Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and reuses the app, instance, firewall key, and secure defaults in `.securenow/runtime.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
 
 ---
 
@@ -270,12 +274,12 @@ Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages
 export default defineNuxtConfig({
   modules: ['securenow/nuxt'],
   securenow: {
-    // optional overrides (defaults come from .securenow/credentials.json)
+    // optional overrides (defaults come from .securenow/runtime.json)
   },
 });
 ```
 
-The Nuxt module auto-configures Nitro externals, runtime config, and a server plugin that sets up OTel tracing + logging + firewall. Local and production app identity, firewall key, and secure defaults come from `.securenow/credentials.json`.
+The Nuxt module auto-configures Nitro externals, runtime config, and a server plugin that sets up OTel tracing + logging + firewall. Local app identity, firewall key, and secure defaults come from `.securenow/runtime.json`; production can use tokenless `.securenow/credentials.<env>.json`.
 
 ---
 
@@ -296,7 +300,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.5.1**, `npx securenow login` enables the selected app firewall by default and writes the scoped key to `.securenow/credentials.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Resolution order: project `./.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Runtime config is credentials-json based; legacy env fallback is disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
+The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.8**, `npx securenow app connect` enables the selected app firewall by default and writes the scoped key to `.securenow/runtime.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Runtime resolution order is project `./.securenow/runtime.json` -> legacy project credentials -> project named runtime credentials -> global runtime/legacy/named runtime credentials. Admin auth lives separately in `admin.json`.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -308,8 +312,8 @@ Layer 1: HTTP Handler      →  403 JSON response (always active)
 ### Activate
 
 ```bash
-# Zero-config (recommended) — writes the key to .securenow/credentials.json
-npx securenow login              # pick/create app; firewall connects automatically
+# Zero-config runtime (recommended) - writes the key to .securenow/runtime.json
+npx securenow app connect        # pick/create app; firewall connects automatically
 # or, if you already have a key:
 npx securenow api-key set snk_live_abc123...
 
@@ -317,6 +321,26 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
 
+### Scoped Blocklist Entries
+
+Manual blocklist entries can target all routes or only matching request scopes.
+Use the dashboard Advanced section, the API, CLI, or MCP with the same fields:
+
+```json
+{
+  "ip": "203.0.113.42",
+  "pathPattern": "/admin*",
+  "pathMatchMode": "prefix",
+  "method": "ALL",
+  "appKey": "optional-app-key",
+  "environment": "production",
+  "reason": "Admin probing"
+}
+```
+
+`pathMatchMode` accepts `prefix`, `exact`, or `regex`. Omit `pathPattern` and
+use `method: "ALL"` for a global IP/CIDR block.
+
 ### Firewall-Only Mode (No Tracing Overhead)
 
 ```bash
@@ -336,7 +360,7 @@ const appConfig = require('securenow/app-config');
 
 await firewall.init({
   ...appConfig.resolveFirewallOptions(),
-  apiUrl: 'https://api.securenow.ai',
+  apiUrl: 'https://ingest.securenow.ai',
   syncInterval: 3600,       // safety-net full sync every hour
   versionCheckInterval: 10, // lightweight ETag check every 10s
   failMode: 'open',         // 'open' or 'closed'
@@ -500,7 +524,7 @@ const safe = redactSensitiveData({ username: 'alice', password: 's3cret', token:
 
 **Auto-redacted fields:** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`.
 
-Add custom fields via `config.capture.sensitiveFields` in `.securenow/credentials.json`.
+Add custom fields via `config.capture.sensitiveFields` in `.securenow/runtime.json`.
 
 **CLI equivalent** (for piping, scripts, debugging what a payload looks like post-redaction):
 
@@ -513,7 +537,7 @@ securenow redact @request.json --fields internal_id,sessionHash
 
 ## Credentials Configuration
 
-Local development and production use `.securenow/credentials.json`. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Legacy env fallback is disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set.
+Local development uses `.securenow/runtime.json`; legacy `.securenow/credentials.json` is still read. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Legacy env fallback is disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set.
 
 | Credentials path | Purpose |
 |---|---|
@@ -565,7 +589,7 @@ npm install securenow@latest
 npx securenow login
 ```
 
-No `.env` is needed. `npx securenow login` writes app identity, firewall key, and secure defaults to `.securenow/credentials.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key`. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
+No `.env` is needed. `npx securenow app connect` writes app identity, firewall key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key`. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
 
 Update `package.json`:
 ```json
@@ -578,10 +602,10 @@ No code changes to the application needed.
 
 ```bash
 npm install securenow@latest
-npx securenow login              # pick/create app; firewall key is minted automatically
+npx securenow app connect        # pick/create app; firewall key is minted automatically
 ```
 
-`securenow login` enables the selected app's firewall toggle and writes session, app, and firewall key to `.securenow/credentials.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
+`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the firewall key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
 
 ### Enable Firewall With Zero Tracing Overhead
 
@@ -591,7 +615,7 @@ For apps that only need IP blocking:
 node -r securenow/firewall-only app.js
 ```
 
-Make sure an API key is resolvable by running `npx securenow login` first. If you already have a key, `securenow api-key set snk_live_...` writes the creds file. For production, run `npx securenow credentials runtime --env production` and mount/copy it as `.securenow/credentials.json`.
+Make sure an API key is resolvable by running `npx securenow app connect` first. If you already have a key, `securenow api-key set snk_live_...` writes the runtime credentials file. For production, run `npx securenow credentials runtime --env production` and mount/copy it as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
 
 ### Production Hardened Configuration