securenow 7.7.15 → 7.8.1

package/mcp/server.js

@@ -43,29 +43,83 @@ function fail(id, code, message, data) {
   });
 }
 
-function bearerToken() {
-  return config.getToken() || config.getApiKey();
+const RUNTIME_READ_SCOPES = new Set(['firewall:read', 'blocklist:read', 'allowlist:read']);
+
+function toolCanUseRuntimeApiKey(tool) {
+  return tool && tool.readOnly !== false && RUNTIME_READ_SCOPES.has(tool.scope);
+}
+
+function withRuntimeAppDefaults(tool, args = {}) {
+  const runtimeApp = config.getApp();
+  if (!runtimeApp?.key) return args;
+  const next = { ...args };
+  const fields = new Set([
+    ...(tool.queryFields || []),
+    ...(tool.bodyFields || []),
+    ...(tool.pathParams || []),
+  ]);
+
+  if (fields.has('appKey') && !next.appKey) next.appKey = runtimeApp.key;
+  if (fields.has('applicationKey') && !next.applicationKey) next.applicationKey = runtimeApp.key;
+  if (fields.has('appKeys') && !next.appKeys) next.appKeys = runtimeApp.key;
+  return next;
+}
+
+function requiresExplicitOrRuntimeApp(tool) {
+  const required = new Set(tool?.inputSchema?.required || []);
+  return required.has('appKey') || required.has('appKeys') || required.has('applicationKey');
+}
+
+function hasAppScopeArg(args = {}) {
+  return !!(args.appKey || args.appKeys || args.applicationKey);
+}
+
+function bearerForTool(tool) {
+  const adminToken = config.getToken();
+  if (adminToken) return { token: adminToken, plane: 'admin' };
+
+  const runtimeKey = config.getApiKey();
+  if (runtimeKey && toolCanUseRuntimeApiKey(tool)) {
+    return { token: runtimeKey, plane: 'runtime' };
+  }
+
+  return { token: null, plane: toolCanUseRuntimeApiKey(tool) ? 'runtime' : 'admin' };
 }
 
 function localAuthStatus() {
   const cfg = config.loadConfig();
   const app = config.getApp();
+  const admin = config.loadAdminCredentials();
+  const runtime = config.loadRuntimeCredentials();
   const token = config.getToken();
   const apiKey = config.getApiKey();
   const hasBearer = !!(token || apiKey);
-  const runtimeFirewallWarning = token && !apiKey
-    ? 'MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.'
+  const runtimeFirewallWarning = app && !apiKey
+    ? 'Runtime app is connected, but the firewall key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.'
     : null;
   return {
     authenticated: hasBearer,
+    adminAuthenticated: !!token,
+    runtimeConnected: !!app?.key,
     sessionTokenAvailable: !!token,
     apiKeyAvailable: !!apiKey,
     runtimeFirewallKeyAvailable: !!apiKey,
-    authSource: config.getAuthSource(),
+    adminAuthSource: token ? config.getAuthSource() : null,
+    runtimeSource: config.getRuntimeSource(),
     apiUrl: config.getApiUrl(),
     appUrl: config.getAppUrl(),
     defaultApp: config.getDefaultApp(),
     app: app || null,
+    admin: token ? {
+      email: admin.email || null,
+      expiresAt: admin.expiresAt || null,
+      systemRuleAdmin: 'server-enforced',
+    } : null,
+    runtime: {
+      app: runtime.app || null,
+      environment: runtime.config?.runtime?.deploymentEnvironment || null,
+      apiKeyAvailable: !!apiKey,
+    },
     token: token ? maskSecret(token) : null,
     apiKey: apiKey ? maskSecret(apiKey) : null,
     config: {
@@ -76,10 +130,10 @@ function localAuthStatus() {
     },
     warnings: runtimeFirewallWarning ? [runtimeFirewallWarning] : [],
     nextStep: token
-      ? runtimeFirewallWarning
+      ? (runtimeFirewallWarning || (!app?.key ? 'Run `npx securenow app connect` to connect SDK runtime to an app.' : null))
       : apiKey
-        ? 'Using a scoped API key. Run `npx securenow login` for account-wide MCP tools.'
-        : 'Run `npx securenow login` from the project root.',
+        ? 'Using runtime API key for limited runtime read tools. Run `npx securenow admin login` for account-wide MCP tools.'
+        : 'Run `npx securenow admin login` for control-plane tools and `npx securenow app connect` for SDK runtime.',
   };
 }
 
@@ -94,12 +148,19 @@ async function callApiTool(tool, args) {
     throw new Error(`${tool.name} is only available in the local MCP server.`);
   }
 
-  const token = bearerToken();
+  const finalArgs = withRuntimeAppDefaults(tool, args);
+  if (requiresExplicitOrRuntimeApp(tool) && !hasAppScopeArg(finalArgs)) {
+    throw new Error(`${tool.name} requires an app scope. Pass applicationKey/appKey/appKeys explicitly or run \`npx securenow app connect\` to configure runtime app credentials.`);
+  }
+  const { token, plane } = bearerForTool(tool);
   if (!token) {
-    throw new Error('Not authenticated. Run `npx securenow login` from the project root, then retry.');
+    if (plane === 'runtime') {
+      throw new Error('Runtime credentials are missing. Run `npx securenow app connect` or pass an explicit app key, then retry.');
+    }
+    throw new Error('Admin auth is missing. Run `npx securenow admin login` from the project root, then retry. Runtime app credentials cannot grant admin/control-plane permissions.');
   }
 
-  const request = buildApiRequest(tool, args);
+  const request = buildApiRequest(tool, finalArgs);
   const options = {
     token,
     ...(Object.keys(request.query || {}).length > 0 ? { query: request.query } : {}),
@@ -197,7 +258,7 @@ async function handleRequest(message) {
       const result = await callApiTool(tool, args);
       return ok(id, asToolResult({
         tool: name,
-        arguments: sanitizeArgs(args),
+        arguments: sanitizeArgs(withRuntimeAppDefaults(tool, args)),
         result,
       }));
     }

package/nextjs.js

@@ -31,10 +31,13 @@
  */
 
 const { randomUUID } = require('crypto');
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
 const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
 
+defaultMetricsExporterToNone();
+
 let isRegistered = false;
 
 function requireRuntimeModule(name) {
@@ -189,6 +192,8 @@ function registerSecureNow(options = {}) {
       if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
       if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
       if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+      const headerString = appConfig.headersToString(headers);
+      if (headerString && !process.env.OTEL_EXPORTER_OTLP_HEADERS) process.env.OTEL_EXPORTER_OTLP_HEADERS = headerString;
     }
 
     console.log('[securenow] Next.js App -> service.name=%s', serviceName);
@@ -376,11 +381,11 @@ function registerSecureNow(options = {}) {
     // the remote end (ECONNRESET / "socket hang up"). These transient errors
     // sometimes escape as unhandled exceptions or rejections. We catch them
     // here and log at debug level instead of crashing the host app.
-    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
     function _isOtlpTransientError(err) {
       if (!err) return false;
       if (_TRANSIENT_CODES.has(err.code)) return true;
-      if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+      if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
       return false;
     }
     function _looksLikeOtlpStack(err) {
@@ -389,21 +394,53 @@ function registerSecureNow(options = {}) {
       return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
         || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
     }
+    function _looksLikeConfiguredOtlpEndpoint(err) {
+      const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+      try {
+        const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+        return hosts.some((host) => host && text.includes(host));
+      } catch (_) {
+        return false;
+      }
+    }
     const _diagDebug = otelLogLevel === 'debug';
+    let _lastSuppressedOtlpErrorLogAt = 0;
+    function _originalConsole(method) {
+      const originals = console.__securenow_original || console.__securenowOriginalConsole;
+      return (originals && originals[method]) || console[method] || console.log;
+    }
+    function _formatOtlpError(err) {
+      if (!err) return 'unknown error';
+      const parts = [err.message || String(err)];
+      if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+      if (err.syscall) parts.push(`syscall=${err.syscall}`);
+      if (err.hostname) parts.push(`host=${err.hostname}`);
+      return parts.join(' ');
+    }
+    function _reportSuppressedOtlpError(kind, err, origin) {
+      if (otelLogLevel === 'none') return;
+      const now = Date.now();
+      if (!_diagDebug && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+      _lastSuppressedOtlpErrorLogAt = now;
+      const method = _diagDebug ? 'debug' : 'error';
+      _originalConsole(method).call(
+        console,
+        '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+        kind,
+        origin || 'async',
+        _formatOtlpError(err)
+      );
+    }
     process.on('uncaughtException', (err, origin) => {
-      if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-        }
+      if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+        _reportSuppressedOtlpError('error', err, origin);
         return;
       }
       throw err;
     });
     process.on('unhandledRejection', (reason) => {
-      if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-        }
+      if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+        _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
         return;
       }
       throw reason;
@@ -625,13 +662,14 @@ function registerSecureNow(options = {}) {
   // Key and environment come from .securenow/credentials.json (written by
   // login/init or credentials runtime), so no .env entry is needed.
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       requireRuntimeModule('./firewall').init({
         apiKey: firewallOptions.apiKey,
         appKey: firewallOptions.appKey,
         environment: deploymentEnvironment || firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/nuxt-server-plugin.mjs

@@ -7,11 +7,8 @@
  * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
  */
 
-import { NodeSDK } from '@opentelemetry/sdk-node';
-import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
 import * as otelResources from '@opentelemetry/resources';
 import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
-import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
 import {
   context as otelContext,
   trace as otelTrace,
@@ -23,6 +20,12 @@ import { randomUUID } from 'node:crypto';
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
 const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
+const { defaultMetricsExporterToNone } = nodeRequire('./otel-defaults');
+defaultMetricsExporterToNone();
+
+const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
+const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
+const { HttpInstrumentation } = nodeRequire('@opentelemetry/instrumentation-http');
 
 // ── Helpers ──
 
@@ -318,7 +321,7 @@ export default defineNitroPlugin(async (nitroApp) => {
 
   // ── Firewall — runs independently from OTel ──
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({
@@ -326,6 +329,7 @@ export default defineNitroPlugin(async (nitroApp) => {
         appKey: firewallOptions.appKey,
         environment: deploymentEnvironment || firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/otel-defaults.js

@@ -0,0 +1,11 @@
+'use strict';
+
+function defaultMetricsExporterToNone(env = process.env) {
+  if (!env) return false;
+  const current = env.OTEL_METRICS_EXPORTER;
+  if (current != null && String(current).trim() !== '') return false;
+  env.OTEL_METRICS_EXPORTER = 'none';
+  return true;
+}
+
+module.exports = { defaultMetricsExporterToNone };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.15",
+  "version": "7.8.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -132,6 +132,7 @@
     "resolve-ip.js",
     "cidr.js",
     "firewall.js",
+    "otel-defaults.js",
     "rate-limits.js",
     "rate-limits.d.ts",
     "firewall-only.js",

package/tracing.js

@@ -14,6 +14,9 @@
  *   Production should mount/copy tokenless runtime credentials to the same path.
  */
 
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
+defaultMetricsExporterToNone();
+
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
@@ -580,11 +583,11 @@ if (loggingEnabled) {
 // request's error path isn't fully covered by the OTel library. We install
 // targeted process-level handlers to catch them and log at debug level instead
 // of crashing the host app.
-const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
 function _isOtlpTransientError(err) {
   if (!err) return false;
   if (_TRANSIENT_CODES.has(err.code)) return true;
-  if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+  if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
   return false;
 }
 function _looksLikeOtlpStack(err) {
@@ -593,22 +596,55 @@ function _looksLikeOtlpStack(err) {
   return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
     || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
 }
+function _looksLikeConfiguredOtlpEndpoint(err) {
+  const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+  try {
+    const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+    return hosts.some((host) => host && text.includes(host));
+  } catch (_) {
+    return false;
+  }
+}
+function _originalConsole(method) {
+  const originals = console.__securenow_original || console.__securenowOriginalConsole;
+  return (originals && originals[method]) || console[method] || console.log;
+}
+let _lastSuppressedOtlpErrorLogAt = 0;
+function _formatOtlpError(err) {
+  if (!err) return 'unknown error';
+  const parts = [err.message || String(err)];
+  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+  if (err.syscall) parts.push(`syscall=${err.syscall}`);
+  if (err.hostname) parts.push(`host=${err.hostname}`);
+  return parts.join(' ');
+}
+function _reportSuppressedOtlpError(kind, err, origin) {
+  const level = String(diagLevel || '').toLowerCase();
+  if (level === 'none') return;
+  const now = Date.now();
+  if (level !== 'debug' && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+  _lastSuppressedOtlpErrorLogAt = now;
+  const method = level === 'debug' ? 'debug' : 'error';
+  _originalConsole(method).call(
+    console,
+    '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+    kind,
+    origin || 'async',
+    _formatOtlpError(err)
+  );
+}
 
 process.on('uncaughtException', (err, origin) => {
-  if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-    }
-    return; // swallow — do not crash
+  if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+    _reportSuppressedOtlpError('error', err, origin);
+    return; // swallow - do not crash
   }
   // Not ours — re-throw so the default handler (or the app's own handler) fires
   throw err;
 });
 process.on('unhandledRejection', (reason) => {
-  if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-    }
+  if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+    _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
     return; // swallow
   }
   // Not ours — re-throw as unhandled so Node's default behaviour applies
@@ -663,12 +699,13 @@ const sdk = new NodeSDK({
     // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
     // only an app-routing UUID (or nothing at all) — no 401 polling loops.
     const firewallOptions = appConfig.resolveFirewallOptions();
-    if (firewallOptions.apiKey && firewallOptions.enabled) {
+    if (firewallOptions.apiKey) {
       require('./firewall').init({
         apiKey: firewallOptions.apiKey,
         appKey: firewallOptions.appKey,
         environment: firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/web-vite.mjs

@@ -145,6 +145,9 @@ const tracesUrl =
 const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
 const deploymentEnvironment =
   env('SECURENOW_DEPLOYMENT_ENVIRONMENT') || env('SECURENOW_ENVIRONMENT') || viteEnv.MODE || 'production';
+const browserAppKey = env('SECURENOW_APPID');
+if (browserAppKey && !headers['x-api-key']) headers['x-api-key'] = browserAppKey;
+if (deploymentEnvironment && !headers['x-securenow-environment']) headers['x-securenow-environment'] = deploymentEnvironment;
 
 // ---- naming rules (mirrors tracing.js) ----
 const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');