npm - securenow - Versions diffs - 7.7.16 → 7.8.1 - Mend

securenow 7.7.16 → 7.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/cli/auth.js CHANGED Viewed

@@ -50,9 +50,10 @@ function decodeJwtPayload(token) {
   }
 }
-async function loginWithBrowser() {
+async function loginWithBrowser(options = {}) {
   const appUrl = config.getAppUrl();
   const nonce = crypto.randomBytes(24).toString('base64url');
+  const mode = options.mode || null;
   return new Promise((resolve, reject) => {
     let pendingToken = null;
@@ -108,7 +109,7 @@ async function loginWithBrowser() {
           const email = payload?.email || 'unknown account';
           const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
           const port = server.address().port;
-          const switchUrl = buildCliAuthUrl(appUrl, port, nonce, { force_login: 1 });
+          const switchUrl = buildCliAuthUrl(appUrl, port, nonce, { force_login: 1, ...(mode ? { mode } : {}) });
           res.end([
             '<!DOCTYPE html><html><head><meta charset="utf-8"><title>SecureNow CLI Login</title></head>',
@@ -181,7 +182,7 @@ async function loginWithBrowser() {
     server.listen(0, '127.0.0.1', () => {
       const port = server.address().port;
-      const authUrl = buildCliAuthUrl(appUrl, port, nonce);
+      const authUrl = buildCliAuthUrl(appUrl, port, nonce, mode ? { mode } : {});
       console.log('');
       ui.info('Opening browser for authentication...');
@@ -200,7 +201,7 @@ async function loginWithBrowser() {
       const timeout = setTimeout(() => {
         closeServer();
-        reject(new CLIError('Login timed out after 5 minutes. Try `securenow login --token <TOKEN>` instead.'));
+        reject(new CLIError('Login timed out after 5 minutes. Try `securenow admin login --token <TOKEN>` instead.'));
       }, 5 * 60 * 1000);
       server.on('close', () => clearTimeout(timeout));
@@ -235,7 +236,7 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
-    config.setAuth(token, email, exp, { local, enableFirewall: true });
+    config.setAuth(token, email, exp, { local });
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
@@ -253,14 +254,25 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
-    config.setAuth(token, email, exp, { local, app, enableFirewall: true });
-    if (apiKey) config.setApiKey(apiKey, { local });
+    config.setAuth(token, email, exp, { local });
+    if (app && (app.key || app.name)) {
+      config.setRuntime({
+        apiKey: apiKey || config.getApiKey() || null,
+        app: {
+          key: app.key || null,
+          name: app.name || null,
+        },
+      }, { local });
+    }
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
-    ui.info(local ? 'Credentials saved to project .securenow/ (local)' : 'Credentials saved to ~/.securenow/ (global)');
+    ui.info(local ? 'Admin auth saved to project .securenow/admin.json' : 'Admin auth saved to ~/.securenow/admin.json');
     if (app && (app.name || app.key)) {
       ui.info(`Linked to app ${ui.c.bold(app.name || app.key)}${app.key ? ` (${ui.c.dim(app.key)})` : ''}`);
+      ui.info(local ? 'Runtime app config saved to project .securenow/runtime.json' : 'Runtime app config saved to ~/.securenow/runtime.json');
+    } else {
+      ui.info('Runtime app config was not changed.');
     }
     if (apiKey) {
       ui.info(`Firewall API key saved — the firewall will activate automatically on next start`);
@@ -276,7 +288,7 @@ async function login(args, flags) {
       console.log('');
       console.log(`  1. Go to ${ui.c.cyan(config.getAppUrl() + '/dashboard/settings')}`);
       console.log(`  2. Copy your CLI token`);
-      console.log(`  3. Run: ${ui.c.bold('securenow login --token <YOUR_TOKEN>')}`);
+      console.log(`  3. Run: ${ui.c.bold('securenow admin login --token <YOUR_TOKEN>')}`);
       console.log('');
     } else {
       throw err;
@@ -284,48 +296,118 @@ async function login(args, flags) {
   }
 }
+async function adminLogin(args, flags) {
+  const local = flags.global ? false : true;
+  if (flags.token) {
+    const token = flags.token;
+    await loginWithToken(token);
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
+    ui.success(`Admin auth connected as ${ui.c.bold(email)}`);
+    ui.info(local ? 'Saved to project .securenow/admin.json' : 'Saved to ~/.securenow/admin.json');
+    return;
+  }
+  const { token } = await loginWithBrowser({ mode: 'admin' });
+  const payload = decodeJwtPayload(token);
+  const email = payload?.email || 'unknown';
+  const exp = payload?.exp ? payload.exp * 1000 : null;
+  config.setAuth(token, email, exp, { local });
+  if (local) config.ensureLocalGitignore();
+  ui.success(`Admin auth connected as ${ui.c.bold(email)}`);
+  ui.info(local ? 'Saved to project .securenow/admin.json' : 'Saved to ~/.securenow/admin.json');
+  ui.info('Runtime app config was not changed.');
+}
+async function appConnect(args, flags) {
+  const local = flags.global ? false : true;
+  const { app, apiKey } = await loginWithBrowser({ mode: 'runtime' });
+  if (!app || !app.key) {
+    throw new CLIError('No app was selected. Runtime app config was not changed.');
+  }
+  config.setRuntime({
+    apiKey: apiKey || config.getApiKey() || null,
+    app: {
+      key: app.key,
+      name: app.name || null,
+    },
+  }, { local });
+  if (local) config.ensureLocalGitignore();
+  ui.success(`Runtime app connected to ${ui.c.bold(app.name || app.key)}`);
+  ui.info(local ? 'Saved to project .securenow/runtime.json' : 'Saved to ~/.securenow/runtime.json');
+  if (apiKey) {
+    ui.info('Firewall API key saved; SDK runtime can enforce firewall without an admin token.');
+  } else {
+    ui.warn('No firewall API key was returned. Run `securenow api-key create` if firewall sync needs a key.');
+  }
+  ui.info('Admin auth was not changed.');
+}
 async function logout(args, flags) {
   // Default: clear project-local. --global clears ~/.securenow/.
   const local = !(flags && flags.global);
-  const creds = config.loadCredentials();
+  const creds = config.loadAdminCredentials();
   config.clearCredentials({ local });
   if (creds.email) {
-    ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
+    ui.success(`Admin auth logged out from ${ui.c.bold(creds.email)}`);
   } else {
-    ui.success('Logged out');
+    ui.success('Admin auth logged out');
   }
-  ui.info(local ? 'Cleared project-local credentials (.securenow/)' : 'Cleared global credentials (~/.securenow/)');
+  ui.info(local ? 'Cleared project-local admin auth (.securenow/admin.json)' : 'Cleared global admin auth (~/.securenow/admin.json)');
+  ui.info('Runtime app config was not changed.');
 }
 async function whoami() {
-  const creds = config.loadCredentials();
+  const admin = config.loadAdminCredentials();
+  const runtime = config.loadRuntimeCredentials();
   const token = config.getToken();
-  if (!token) {
-    ui.error('Not logged in. Run `securenow login` to authenticate.');
-    process.exit(1);
-  }
   const payload = decodeJwtPayload(token);
-  ui.heading('Current Session');
+  ui.heading('SecureNow Connection Status');
   console.log('');
-  const pairs = [
-    ['Email', creds.email || payload?.email || 'unknown'],
-    ['User ID', payload?.sub || 'unknown'],
-    ['API', config.getApiUrl()],
-    ['Auth Source', config.getAuthSource()],
+  const adminPairs = [
+    ['Status', token ? ui.c.green('connected') : ui.c.red('not connected')],
+    ['Email', token ? (admin.email || payload?.email || 'unknown') : '—'],
+    ['User ID', token ? (payload?.sub || 'unknown') : '—'],
+    ['Auth Source', token ? config.getAuthSource() : '—'],
+    ['System-rule admin', token ? 'server-enforced; use admin tools to verify' : 'no admin token'],
   ];
-  if (creds.expiresAt) {
-    const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
-    pairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
+  if (admin.expiresAt) {
+    const days = Math.ceil((admin.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
+    adminPairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
   }
+  ui.heading('Admin CLI / MCP');
+  ui.keyValue(adminPairs);
+  console.log('');
+  const runtimePairs = [
+    ['Status', runtime.app?.key ? ui.c.green('connected') : ui.c.red('no app selected')],
+    ['App', runtime.app?.name || '—'],
+    ['App Key', runtime.app?.key || '—'],
+    ['Firewall Key', runtime.apiKey ? ui.c.green('present') : ui.c.yellow('missing')],
+    ['Environment', runtime.config?.runtime?.deploymentEnvironment || 'production'],
+    ['Runtime Source', config.getRuntimeSource()],
+    ['API', config.getApiUrl()],
+  ];
   const defaultApp = config.getDefaultApp();
   if (defaultApp) {
-    pairs.push(['Default App', defaultApp]);
+    runtimePairs.push(['CLI Default App', defaultApp]);
   }
-  ui.keyValue(pairs);
+  ui.heading('SDK Runtime');
+  ui.keyValue(runtimePairs);
   console.log('');
+  if (!token) ui.info('Run `securenow admin login` for admin/control-plane CLI and MCP tools.');
+  if (!runtime.app?.key) ui.info('Run `securenow app connect` to select an app and write SDK runtime config.');
 }
-module.exports = { login, logout, whoami };
+module.exports = { login, logout, whoami, adminLogin, appConnect, loginWithBrowser };

package/cli/client.js CHANGED Viewed

@@ -50,14 +50,15 @@ function request(method, endpoint, { body, query, token, raw } = {}) {
           parsed = data;
         }
-        if (res.statusCode === 401) {
-          reject(new CLIError('Session expired. Run `securenow login` to re-authenticate.', 401));
-          return;
-        }
-        if (res.statusCode === 403) {
-          reject(new CLIError('Access denied. You may need to upgrade your plan.', 403));
-          return;
-        }
+        if (res.statusCode === 401) {
+          reject(new CLIError('Admin auth is missing or expired. Run `securenow admin login` to re-authenticate. Runtime app credentials are unrelated.', 401));
+          return;
+        }
+        if (res.statusCode === 403) {
+          const msg = parsed?.error || parsed?.message || 'Access denied';
+          reject(new CLIError(`${msg}. Admin auth is connected, but this user/plan may lack permission for this control-plane operation. Runtime app connection is unrelated.`, 403));
+          return;
+        }
         if (res.statusCode >= 400) {
           const msg = parsed?.error || parsed?.message || `Request failed (HTTP ${res.statusCode})`;
           const details = parsed?.details || parsed?.unauthorizedKeys;
@@ -96,11 +97,11 @@ class CLIError extends Error {
 }
 function requireAuth() {
-  const token = config.getToken();
-  if (!token) {
-    ui.error('Not logged in. Run `securenow login` first.');
-    process.exit(1);
-  }
+  const token = config.getToken();
+  if (!token) {
+    ui.error('Admin auth is not connected. Run `securenow admin login` first.');
+    process.exit(1);
+  }
   return token;
 }

package/cli/config.js CHANGED Viewed

@@ -8,10 +8,14 @@ const appConfig = require('../app-config');
 const CONFIG_DIR = path.join(os.homedir(), '.securenow');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
+const ADMIN_CREDENTIALS_FILE = path.join(CONFIG_DIR, 'admin.json');
+const RUNTIME_CREDENTIALS_FILE = path.join(CONFIG_DIR, 'runtime.json');
 const LOCAL_CONFIG_DIR = path.join(process.cwd(), '.securenow');
 const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
 const LOCAL_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'credentials.json');
+const LOCAL_ADMIN_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'admin.json');
+const LOCAL_RUNTIME_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'runtime.json');
 const DEFAULTS = {
   apiUrl: 'https://api.securenow.ai',
@@ -57,18 +61,90 @@ function credentialsFileForLocal(local) {
   return local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
 }
+function adminCredentialsFileForLocal(local) {
+  return local ? LOCAL_ADMIN_CREDENTIALS_FILE : ADMIN_CREDENTIALS_FILE;
+}
+function runtimeCredentialsFileForLocal(local) {
+  return local ? LOCAL_RUNTIME_CREDENTIALS_FILE : RUNTIME_CREDENTIALS_FILE;
+}
+function normalizeRuntimeCredentials(creds) {
+  const payload = { ...(creds || {}) };
+  delete payload.token;
+  delete payload.email;
+  delete payload.expiresAt;
+  delete payload.admin;
+  return appConfig.withCredentialDefaults(payload) || {};
+}
+function normalizeAdminCredentials(creds) {
+  const payload = { ...(creds || {}) };
+  delete payload.apiKey;
+  delete payload.app;
+  delete payload.config;
+  delete payload.runtime;
+  return payload;
+}
+function splitCredentialDocument(raw = {}) {
+  const doc = raw && typeof raw === 'object' && !Array.isArray(raw) ? raw : {};
+  const runtime = doc.runtime && typeof doc.runtime === 'object' && !Array.isArray(doc.runtime)
+    ? doc.runtime
+    : doc;
+  const admin = doc.admin && typeof doc.admin === 'object' && !Array.isArray(doc.admin)
+    ? doc.admin
+    : doc;
+  return { runtime, admin };
+}
+function pickExistingFile(...files) {
+  for (const file of files) {
+    try {
+      if (file && fs.existsSync(file)) return file;
+    } catch {}
+  }
+  return null;
+}
 function hasLocalCredentials() {
-  return !!appConfig.resolveLocalCredentialsFile();
+  return !!(
+    appConfig.resolveLocalCredentialsFile() ||
+    appConfig.resolveLocalAdminCredentialsFile()
+  );
 }
 function resolveCredentialsFile() {
   return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || CREDENTIALS_FILE;
 }
+function resolveAdminCredentialsFile() {
+  return appConfig.resolveLocalAdminCredentialsFile() || appConfig.resolveGlobalAdminCredentialsFile() || ADMIN_CREDENTIALS_FILE;
+}
+function resolveRuntimeCredentialsFile() {
+  return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || RUNTIME_CREDENTIALS_FILE;
+}
 function getAuthSource() {
   if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
-  if (appConfig.resolveLocalCredentialsFile()) return 'project (.securenow/)';
-  return 'global (~/.securenow/)';
+  const file = appConfig.resolveLocalAdminCredentialsFile() || appConfig.resolveGlobalAdminCredentialsFile();
+  if (!file) return 'not configured';
+  if (file.includes(`${path.sep}.securenow${path.sep}`) && file.startsWith(process.cwd())) {
+    return file.endsWith('admin.json') ? 'project admin (.securenow/admin.json)' : 'project legacy (.securenow/credentials.json)';
+  }
+  if (file.endsWith('admin.json')) return 'global admin (~/.securenow/admin.json)';
+  return 'global legacy (~/.securenow/credentials.json)';
+}
+function getRuntimeSource() {
+  const file = appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile();
+  if (!file) return 'not configured';
+  if (file.includes(`${path.sep}.securenow${path.sep}`) && file.startsWith(process.cwd())) {
+    return file.endsWith('runtime.json') ? 'project runtime (.securenow/runtime.json)' : 'project legacy (.securenow/credentials.json)';
+  }
+  if (file.endsWith('runtime.json')) return 'global runtime (~/.securenow/runtime.json)';
+  return 'global legacy (~/.securenow/credentials.json)';
 }
 function loadConfig() {
@@ -98,14 +174,112 @@ function setConfigValue(key, value) {
 }
 function loadCredentials() {
-  const credentialsFile = resolveCredentialsFile();
-  const credentials = loadJSON(credentialsFile);
-  return appConfig.withCredentialDefaults(credentials) || {};
+  const legacy = splitCredentialDocument(loadJSON(resolveCredentialsFile()));
+  const runtime = loadRuntimeCredentials();
+  const admin = loadAdminCredentials();
+  return appConfig.mergeCredentials(
+    normalizeRuntimeCredentials(runtime || legacy.runtime),
+    normalizeAdminCredentials(admin || legacy.admin)
+  ) || {};
 }
 function saveCredentials(creds, { local = false } = {}) {
-  const targetFile = credentialsFileForLocal(local);
-  saveJSON(targetFile, appConfig.withCredentialDefaults(creds) || {});
+  saveRuntimeCredentials(creds, { local });
+}
+function loadAdminCredentials() {
+  if (process.env.SECURENOW_TOKEN) {
+    return { token: process.env.SECURENOW_TOKEN, source: 'env' };
+  }
+  const adminFile = pickExistingFile(
+    appConfig.resolveLocalAdminCredentialsFile(),
+    appConfig.resolveGlobalAdminCredentialsFile()
+  );
+  if (!adminFile) return {};
+  const { admin } = splitCredentialDocument(loadJSON(adminFile));
+  return normalizeAdminCredentials(admin);
+}
+function saveAdminCredentials(creds, { local = false } = {}) {
+  const targetFile = adminCredentialsFileForLocal(local);
+  const existing = normalizeAdminCredentials(loadJSON(targetFile));
+  const payload = normalizeAdminCredentials({ ...existing, ...(creds || {}) });
+  payload._securenow = {
+    ...(payload._securenow || {}),
+    schemaVersion: appConfig.CONFIG_SCHEMA_VERSION,
+    note: 'SecureNow admin/control-plane CLI and MCP auth. This file may contain a user session token; do not commit it.',
+    runtimeSeparate: 'SDK runtime app credentials live in runtime.json and are not changed by admin login/logout.',
+  };
+  saveJSON(targetFile, payload);
+}
+function stripAdminFromCredentialFile(filepath) {
+  try {
+    if (!filepath || !fs.existsSync(filepath)) return;
+    const doc = loadJSON(filepath);
+    if (!doc || typeof doc !== 'object' || Array.isArray(doc)) return;
+    let changed = false;
+    if (doc.admin) {
+      delete doc.admin;
+      changed = true;
+    }
+    for (const field of ['token', 'email', 'expiresAt', 'roles', 'plan', 'user', 'userId']) {
+      if (Object.prototype.hasOwnProperty.call(doc, field)) {
+        delete doc[field];
+        changed = true;
+      }
+    }
+    if (changed) saveJSON(filepath, doc);
+  } catch {}
+}
+function clearAdminCredentials({ local } = {}) {
+  try {
+    const useLocal = local === true || (local == null && pickExistingFile(LOCAL_ADMIN_CREDENTIALS_FILE, LOCAL_CREDENTIALS_FILE));
+    if (useLocal) {
+      fs.unlinkSync(LOCAL_ADMIN_CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(ADMIN_CREDENTIALS_FILE);
+    }
+  } catch {}
+  if (local === true) {
+    stripAdminFromCredentialFile(LOCAL_CREDENTIALS_FILE);
+  } else if (local === false) {
+    stripAdminFromCredentialFile(CREDENTIALS_FILE);
+  } else if (pickExistingFile(LOCAL_CREDENTIALS_FILE)) {
+    stripAdminFromCredentialFile(LOCAL_CREDENTIALS_FILE);
+  } else {
+    stripAdminFromCredentialFile(CREDENTIALS_FILE);
+  }
+}
+function loadRuntimeCredentials() {
+  const runtimeFile = pickExistingFile(
+    appConfig.resolveLocalCredentialsFile(),
+    appConfig.resolveGlobalCredentialsFile()
+  );
+  if (!runtimeFile) return {};
+  const { runtime } = splitCredentialDocument(loadJSON(runtimeFile));
+  return normalizeRuntimeCredentials(runtime);
+}
+function saveRuntimeCredentials(creds, { local = false } = {}) {
+  const targetFile = runtimeCredentialsFileForLocal(local);
+  const existing = normalizeRuntimeCredentials(loadJSON(targetFile));
+  saveJSON(targetFile, normalizeRuntimeCredentials(appConfig.mergeCredentials(existing, creds || {}) || {}));
+}
+function clearRuntimeCredentials({ local } = {}) {
+  try {
+    if (local === true) {
+      fs.unlinkSync(LOCAL_RUNTIME_CREDENTIALS_FILE);
+    } else if (local === false || !pickExistingFile(LOCAL_RUNTIME_CREDENTIALS_FILE)) {
+      fs.unlinkSync(RUNTIME_CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(LOCAL_RUNTIME_CREDENTIALS_FILE);
+    }
+  } catch {}
 }
 function withOnboardingFirewallEnabled(creds) {
@@ -118,8 +292,8 @@ function withOnboardingFirewallEnabled(creds) {
 function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
+  const targetFile = runtimeCredentialsFileForLocal(useLocal);
+  const existing = useLocal ? loadRuntimeCredentials() : loadJSON(targetFile);
   const payload = enableFirewall
     ? withOnboardingFirewallEnabled(existing || {})
     : appConfig.withCredentialDefaults(existing || {}) || {};
@@ -127,21 +301,13 @@ function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
 }
 function clearCredentials({ local } = {}) {
-  try {
-    if (local === true) {
-      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
-    } else if (local === false || !hasLocalCredentials()) {
-      fs.unlinkSync(CREDENTIALS_FILE);
-    } else {
-      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
-    }
-  } catch {}
+  clearAdminCredentials({ local });
 }
 function getToken() {
   if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
-  const creds = loadCredentials();
+  const creds = loadAdminCredentials();
   if (!creds.token) return null;
   if (creds.expiresAt && Date.now() > creds.expiresAt) {
@@ -150,66 +316,62 @@ function getToken() {
   return creds.token;
 }
-function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
-  const targetFile = credentialsFileForLocal(local);
-  const payload = { ...loadJSON(targetFile), token, email, expiresAt };
-  if (app && (app.key || app.name)) {
-    payload.app = {
-      key: app.key || null,
-      name: app.name || null,
-    };
-  }
-  saveJSON(
-    targetFile,
-    enableFirewall ? withOnboardingFirewallEnabled(payload) : appConfig.withCredentialDefaults(payload) || {}
-  );
+function setAuth(token, email, expiresAt, { local = false } = {}) {
+  saveAdminCredentials({ token, email, expiresAt }, { local });
 }
 function getApp() {
-  const creds = loadCredentials();
+  const creds = loadRuntimeCredentials();
   return creds && creds.app ? creds.app : null;
 }
 function setApiKey(apiKey, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
-  saveJSON(targetFile, withOnboardingFirewallEnabled({ ...existing, apiKey }));
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(withOnboardingFirewallEnabled({ ...existing, apiKey }), { local: useLocal });
 }
 function clearApiKey({ local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = loadJSON(targetFile);
+  const existing = loadRuntimeCredentials();
   if (!existing || !existing.apiKey) return;
   delete existing.apiKey;
-  saveJSON(targetFile, appConfig.withCredentialDefaults(existing) || existing);
+  saveRuntimeCredentials(appConfig.withCredentialDefaults(existing) || existing, { local: useLocal });
 }
 function getApiKey() {
-  const creds = loadCredentials();
+  const creds = loadRuntimeCredentials();
   return creds && creds.apiKey ? creds.apiKey : null;
 }
 function setApp(app, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
-  saveJSON(targetFile, appConfig.withCredentialDefaults({
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(appConfig.withCredentialDefaults({
     ...existing,
     app: {
       key: app.key || null,
       name: app.name || null,
     },
-  }) || {});
+  }) || {}, { local: useLocal });
+}
+function setRuntime(runtime, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(withOnboardingFirewallEnabled(appConfig.mergeCredentials(existing, runtime || {}) || {}), { local: useLocal });
 }
 function ensureLocalGitignore() {
   const gitignorePath = path.join(process.cwd(), '.gitignore');
   const legacyEntry = '.securenow/';
   const entries = [
+    '.securenow/admin.json',
+    '.securenow/runtime.json',
     '.securenow/credentials.json',
     '.securenow/credentials.*.json',
+    '!.securenow/admin.example.json',
+    '!.securenow/runtime.example.json',
     '!.securenow/credentials.example.json',
     '!.securenow/credentials.*.example.json',
   ];
@@ -268,23 +430,35 @@ module.exports = {
   CONFIG_DIR,
   CONFIG_FILE,
   CREDENTIALS_FILE,
+  ADMIN_CREDENTIALS_FILE,
+  RUNTIME_CREDENTIALS_FILE,
   LOCAL_CONFIG_DIR,
   LOCAL_CREDENTIALS_FILE,
+  LOCAL_ADMIN_CREDENTIALS_FILE,
+  LOCAL_RUNTIME_CREDENTIALS_FILE,
   loadConfig,
   saveConfig,
   getConfigValue,
   setConfigValue,
   loadCredentials,
   saveCredentials,
+  loadAdminCredentials,
+  saveAdminCredentials,
+  clearAdminCredentials,
+  loadRuntimeCredentials,
+  saveRuntimeCredentials,
+  clearRuntimeCredentials,
   clearCredentials,
   getToken,
   setAuth,
   getApp,
   setApp,
+  setRuntime,
   setApiKey,
   clearApiKey,
   getApiKey,
   getAuthSource,
+  getRuntimeSource,
   hasLocalCredentials,
   ensureCredentialDefaults,
   withOnboardingFirewallEnabled,

package/cli/credentials.js CHANGED Viewed

@@ -14,7 +14,7 @@ function maskSecret(value) {
 }
 function buildRuntimeCredentials(options = {}) {
-  const creds = config.loadCredentials() || {};
+  const creds = config.loadRuntimeCredentials() || {};
   const deploymentEnvironment =
     options.environment ||
     options.env ||
@@ -67,10 +67,10 @@ async function runtime(_args, flags) {
   const warn = flags.stdout ? (msg) => console.error(`! ${msg}`) : ui.warn;
   if (!creds.app || !creds.app.key) {
-    warn('No app key found. Run `npx securenow login` first so telemetry routes to the selected app.');
+    warn('No app key found. Run `npx securenow app connect` first so telemetry routes to the selected app.');
   }
   if (!creds.apiKey) {
-    warn('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` before generating production runtime credentials.');
+    warn('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` before generating production runtime credentials.');
   }
   if (flags.stdout) {