npm - securenow - Versions diffs - 7.7.16 → 7.8.1 - Mend

securenow 7.7.16 → 7.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/mcp/catalog.js CHANGED Viewed

@@ -10,14 +10,15 @@ const MARKDOWN = 'text/markdown';
 const UNIVERSAL_SECURENOW_SETUP_PROMPT = `You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
 Primary goals:
-- Use the latest published SecureNow npm package. Require securenow@7.5.1 or newer.
+- Use the latest published SecureNow npm package. Require securenow@7.8.0 or newer for split admin/runtime credentials.
 - By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
 - If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
-- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
+- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
+- Do not confuse IP Allowlist with Trusted IPs. IP Allowlist is restrictive deny-by-default: when any allowlist entry exists for an app/environment, only listed IPs can reach it and all other IPs are blocked. Use Trusted IPs for known-safe monitors, office/VPN traffic, or false-positive suppression. Only use allowlist after explicit human approval to lock the app/environment to known IPs.
 Safety rules:
-- Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
-- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
+- Do not print full API keys, JWTs, tokens, or local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, or .securenow/credentials.*.json). Mask secrets.
+- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, .securenow/credentials.json, and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -31,33 +32,35 @@ Runbook:
 2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
    node -p "require('./node_modules/securenow/package.json').version"
    npx securenow version
-   Stop and fix the install if either is below 7.5.1 or npx still resolves an older local package.
+   Stop and fix the install if either is below 7.8.0 or npx still resolves an older local package.
 3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
-4. Mandatory auth gate:
-   - Run npx securenow whoami from the project root.
-   - If not logged in, run npx securenow login from the project root and wait for the browser flow.
-   - After the CLI exits, rerun npx securenow whoami.
-   - Do not proceed to app edits or verification until whoami succeeds.
+4. Mandatory auth/runtime gate:
+   - Run npx securenow whoami from the project root.
+   - If admin auth is missing, run npx securenow admin login from the project root and wait for the browser flow.
+   - If runtime app config is missing, run npx securenow app connect from the project root and wait for the browser flow.
+   - After the CLI exits, rerun npx securenow whoami.
+   - Do not proceed to app edits or verification until whoami shows the required lane(s). SDK setup needs runtime app config; admin/global MCP operations need admin auth.
 5. Validate project-local credentials without exposing secrets:
-   - Confirm .securenow/credentials.json exists.
-   - Confirm it has SecureNow's default config/explanations block.
-   - Confirm it has an app key/name/instance and a firewall API key after login/app selection.
-   - Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
-6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
+   - Confirm .securenow/runtime.json exists for SDK runtime setup, or legacy .securenow/credentials.json exists for old installs.
+   - Confirm the runtime file has SecureNow's default config/explanations block.
+   - Confirm the runtime file has an app key/name/instance and a firewall API key after app selection.
+   - Confirm .securenow/admin.json exists only when admin CLI/MCP auth is needed.
+   - Confirm .securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
+6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.8.0, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.
    - Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
    - Express/Fastify/NestJS/Koa/Hapi/Hono/raw Node: preload securenow/register through existing scripts, NODE_OPTIONS, PM2 node_args, Docker CMD, or the process manager already used.
    - Firewall-only: preload securenow/firewall-only or use the documented securenow run --firewall-only command. Do not add OTel/tracing/logging in this mode.
    - Vite/browser-only: use only documented browser integration and state that server firewall protection requires a server runtime.
-8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/credentials.json:
+8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/runtime.json, with legacy .securenow/credentials.json and generated runtime credential files still supported:
    - config.logging.enabled: true
    - config.capture.body: true
    - config.capture.multipart: true
    - config.firewall.enabled: true
    - config.firewall.failMode: "open"
    - config.capture.maxBodySize: 10240
-   For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
+   For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json or <app-root>/.securenow/credentials.production.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
    Local credentials should use config.runtime.deploymentEnvironment="local". Production runtime credentials should use "production". The app key stays the same; traces, logs, firewall status, forensics, and CLI/MCP queries are scoped by environment.
 9. Verify firewall and threshold:
    - Run npx securenow firewall apps and npx securenow firewall status.
@@ -1108,19 +1111,22 @@ const TOOLS = [
   {
     name: 'securenow_blocklist_add',
     title: 'Add Blocked IP',
-    description: 'Add an IP/CIDR to the blocklist. Write action; requires confirmation.',
+    description: 'Add an IP/CIDR to the blocklist, optionally scoped to a route/method. Write action; requires confirmation.',
     scope: 'blocklist:write',
     readOnly: false,
     confirm: true,
     method: 'POST',
     endpoint: '/blocklist',
-    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment'],
+    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata', 'appKey', 'environment', 'pathPattern', 'pathMatchMode', 'method'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       reason: string('Reason for blocking.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       metadata: { type: 'object', additionalProperties: true, description: 'Optional metadata.' },
       appKey: string('Optional application key to scope this block. Omit for all apps.'),
+      pathPattern: string('Optional route/path pattern, for example /admin*. Omit to block all routes.'),
+      pathMatchMode: { type: 'string', enum: ['exact', 'prefix', 'regex'], description: 'Path matching mode. Defaults to prefix.' },
+      method: { type: 'string', enum: ['ALL', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'], description: 'HTTP method scope. Defaults to ALL.' },
       ...environmentInput,
       ...confirmSchema,
     }, ['ip', 'confirm', 'reason']),
@@ -1169,8 +1175,8 @@ const TOOLS = [
   },
   {
     name: 'securenow_allowlist_list',
-    title: 'List Allowlist',
-    description: 'List allowed IPs.',
+    title: 'List Restrictive Allowlist',
+    description: 'List restrictive allowlist entries. If any active entry exists for an app/environment, only listed IPs can reach it and all other IPs are blocked. This is not the Trusted IP list.',
     scope: 'allowlist:read',
     readOnly: true,
     method: 'GET',
@@ -1184,24 +1190,26 @@ const TOOLS = [
   },
   {
     name: 'securenow_allowlist_add',
-    title: 'Add Allowed IP',
-    description: 'Add an IP/CIDR to the allowlist. Write action; requires confirmation.',
+    title: 'Add Restrictive Allowlist IP',
+    description: 'Dangerous production action: add an IP/CIDR to the restrictive allowlist. Once active, allowlist mode blocks every IP except listed entries. Do not use this to mark an IP trusted or suppress false positives; use securenow_trusted_add instead. Requires explicit human approval confirming deny-all behavior.',
     scope: 'allowlist:write',
     readOnly: false,
     confirm: true,
     method: 'POST',
     endpoint: '/allowlist',
-    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment'],
+    fixedBody: { initiatedBy: 'mcp' },
+    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys', 'environment', 'allowlistDenyAllApproved'],
     inputSchema: objectSchema({
       ip: string('IPv4 address or CIDR.'),
       label: string('Human-readable label.'),
-      reason: string('Reason for allowing.'),
+      reason: string('Required human-approved reason. Must acknowledge that allowlist blocks all non-listed IPs and why Trusted IPs is not the correct action.'),
       expiresAt: string('Optional expiry time as ISO 8601.'),
       applicationsAll: boolean('Apply to all applications.'),
       applicationKeys: arrayOfStrings('Application keys to scope this allowlist entry to.'),
+      allowlistDenyAllApproved: boolean('Must be true only after the user explicitly approves deny-by-default allowlist behavior. Do not set this for trusted IPs, monitors, false positives, or investigation cleanup.'),
       ...environmentInput,
       ...confirmSchema,
-    }, ['ip', 'confirm', 'reason']),
+    }, ['ip', 'confirm', 'reason', 'allowlistDenyAllApproved']),
   },
   {
     name: 'securenow_allowlist_remove',
@@ -1221,7 +1229,7 @@ const TOOLS = [
   {
     name: 'securenow_trusted_list',
     title: 'List Trusted IPs',
-    description: 'List trusted IPs.',
+    description: 'List trusted IPs. Trusted IPs are for known-safe traffic and do not turn on deny-by-default allowlist mode.',
     scope: 'trusted_ips:read',
     readOnly: true,
     method: 'GET',
@@ -1235,7 +1243,7 @@ const TOOLS = [
   {
     name: 'securenow_trusted_add',
     title: 'Add Trusted IP',
-    description: 'Add a trusted IP/CIDR. Write action; requires confirmation.',
+    description: 'Add a trusted IP/CIDR for known-safe infrastructure, monitors, office/VPN traffic, or scoped false-positive suppression. This does not enable deny-by-default allowlist mode and is the correct tool when an IP should be trusted without blocking other visitors. Write action; requires confirmation.',
     scope: 'trusted_ips:write',
     readOnly: false,
     confirm: true,
@@ -1417,7 +1425,7 @@ function promptMessages(name, args = {}) {
             'Verify SecureNow default-on protection for this project.',
             args.appKey ? `App key: ${args.appKey}` : null,
             'Check npx securenow whoami, npx securenow api-key show, npx securenow firewall apps, and npx securenow firewall status.',
-            'Confirm traces, logs, capture.body, capture.multipart, and firewall.enabled are enabled by .securenow/credentials.json defaults unless explicitly set false.',
+            'Confirm traces, logs, capture.body, capture.multipart, and firewall.enabled are enabled by .securenow/runtime.json defaults unless explicitly set false. Legacy .securenow/credentials.json is still accepted.',
             'Do not print full tokens or API keys.',
           ].filter(Boolean).join('\n'),
         },
@@ -1436,7 +1444,7 @@ function promptMessages(name, args = {}) {
             args.appKeys ? `Scope to app keys: ${args.appKeys}` : null,
             `Environment scope: ${args.environment || 'production'}.`,
             'Use IP intelligence first, then related traces/logs, then recommend remediation.',
-            'Only block, allow, or trust the IP after explicit user confirmation.',
+            'Only block or trust the IP after explicit user confirmation. Never use IP Allowlist for false positives or trusted traffic; allowlist is deny-by-default and blocks all non-listed IPs.',
           ].filter(Boolean).join('\n'),
         },
       },
@@ -1461,6 +1469,7 @@ function promptMessages(name, args = {}) {
             'Return one clear outcome: Block IP, Rate Limit, False Positive, Rule Tuning Needed, or Ambiguous. If evidence is ambiguous, stop and explain what is missing.',
             'Use rate limiting only as temporary soft remediation for repeated route-specific abuse such as login brute force, credential stuffing, scraping/API bursts, enumeration, recon/probing, or repeated noisy payloads where risk/impact evidence is below the block threshold.',
             'Do not rate-limit instead of blocking when there is confirmed exploit success, token/data exposure, SSRF reachability, file read, RCE, persistence, malware/C2, or riskScore >= 85 with high-confidence malicious evidence. Do not rate-limit benign false positives, trusted monitors, app-server/proxy attribution problems, isolated one-off requests, or broad noisy rules that need alert tuning.',
+            'Do not create or recommend IP Allowlist entries during investigations unless the user explicitly asks to lock the app/environment to a known set of IPs. For safe monitors, offices, VPNs, or false positives, use Trusted IPs or scoped false-positive exclusions instead.',
             confirmWrites
               ? 'The user requested execution. If evidence supports the decision, call securenow_human_action_block, securenow_rate_limit_create_from_text plus securenow_human_action_decision_report_add(outcome=rate_limited), or securenow_human_action_false_positive with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant. If you skip/mark ambiguous but still need to record the audit trail, call securenow_human_action_decision_report_add.'
               : 'Do not execute write tools yet. Prepare the recommended decision and exact tool call the user can approve.',
@@ -1487,6 +1496,7 @@ function promptMessages(name, args = {}) {
             'For each row choose exactly one outcome: Block IP, Rate Limit, False Positive, Rule Tuning Needed, or Skip because evidence is insufficient. Explain skipped rows.',
             'Use Rate Limit only for repeated route-specific abuse where temporary friction is safer than blocking: login brute force/credential stuffing, password reset/account enumeration, scraping/API bursts, path or ID enumeration, recon/probing, or repeated noisy payloads without confirmed exploit success.',
             'Do not rate-limit confirmed high-risk attacks that should be blocked, benign traffic that should be false-positive scoped, broad noisy rules that need tuning, app-server/proxy attribution problems, or isolated one-off requests.',
+            'Do not create or recommend IP Allowlist entries while working this queue unless the user explicitly approves deny-by-default allowlist mode for the whole app/environment. Use Trusted IPs for trusted/bypass cases.',
             confirmWrites
               ? 'The user requested execution. For supported decisions, call the correct write tool with confirm:true, a precise reason, and a decisionReport containing summary, evidence, reviewedHistory, traceIds, and missingProof when relevant, then continue. For skipped/ambiguous/rule-tuning-needed rows that should be auditable without changing IP status, use securenow_human_action_decision_report_add.'
               : 'Do not execute write tools yet. Produce a row-by-row action plan and exact MCP write calls for user approval.',
@@ -1595,6 +1605,9 @@ function assertConfirmed(tool, args = {}) {
   if (!args.reason || !String(args.reason).trim()) {
     throw new Error(`${tool.name} requires a non-empty reason.`);
   }
+  if (tool.name === 'securenow_allowlist_add' && args.allowlistDenyAllApproved !== true) {
+    throw new Error('securenow_allowlist_add is deny-by-default: it blocks every non-listed IP for the scoped app/environment. Pass allowlistDenyAllApproved:true only after explicit human approval. Use securenow_trusted_add for trusted IPs or false positives.');
+  }
 }
 function buildApiRequest(tool, rawArgs = {}) {

package/mcp/server.js CHANGED Viewed

@@ -43,29 +43,83 @@ function fail(id, code, message, data) {
   });
 }
-function bearerToken() {
-  return config.getToken() || config.getApiKey();
+const RUNTIME_READ_SCOPES = new Set(['firewall:read', 'blocklist:read', 'allowlist:read']);
+function toolCanUseRuntimeApiKey(tool) {
+  return tool && tool.readOnly !== false && RUNTIME_READ_SCOPES.has(tool.scope);
+}
+function withRuntimeAppDefaults(tool, args = {}) {
+  const runtimeApp = config.getApp();
+  if (!runtimeApp?.key) return args;
+  const next = { ...args };
+  const fields = new Set([
+    ...(tool.queryFields || []),
+    ...(tool.bodyFields || []),
+    ...(tool.pathParams || []),
+  ]);
+  if (fields.has('appKey') && !next.appKey) next.appKey = runtimeApp.key;
+  if (fields.has('applicationKey') && !next.applicationKey) next.applicationKey = runtimeApp.key;
+  if (fields.has('appKeys') && !next.appKeys) next.appKeys = runtimeApp.key;
+  return next;
+}
+function requiresExplicitOrRuntimeApp(tool) {
+  const required = new Set(tool?.inputSchema?.required || []);
+  return required.has('appKey') || required.has('appKeys') || required.has('applicationKey');
+}
+function hasAppScopeArg(args = {}) {
+  return !!(args.appKey || args.appKeys || args.applicationKey);
+}
+function bearerForTool(tool) {
+  const adminToken = config.getToken();
+  if (adminToken) return { token: adminToken, plane: 'admin' };
+  const runtimeKey = config.getApiKey();
+  if (runtimeKey && toolCanUseRuntimeApiKey(tool)) {
+    return { token: runtimeKey, plane: 'runtime' };
+  }
+  return { token: null, plane: toolCanUseRuntimeApiKey(tool) ? 'runtime' : 'admin' };
 }
 function localAuthStatus() {
   const cfg = config.loadConfig();
   const app = config.getApp();
+  const admin = config.loadAdminCredentials();
+  const runtime = config.loadRuntimeCredentials();
   const token = config.getToken();
   const apiKey = config.getApiKey();
   const hasBearer = !!(token || apiKey);
-  const runtimeFirewallWarning = token && !apiKey
-    ? 'MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.'
+  const runtimeFirewallWarning = app && !apiKey
+    ? 'Runtime app is connected, but the firewall key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.'
     : null;
   return {
     authenticated: hasBearer,
+    adminAuthenticated: !!token,
+    runtimeConnected: !!app?.key,
     sessionTokenAvailable: !!token,
     apiKeyAvailable: !!apiKey,
     runtimeFirewallKeyAvailable: !!apiKey,
-    authSource: config.getAuthSource(),
+    adminAuthSource: token ? config.getAuthSource() : null,
+    runtimeSource: config.getRuntimeSource(),
     apiUrl: config.getApiUrl(),
     appUrl: config.getAppUrl(),
     defaultApp: config.getDefaultApp(),
     app: app || null,
+    admin: token ? {
+      email: admin.email || null,
+      expiresAt: admin.expiresAt || null,
+      systemRuleAdmin: 'server-enforced',
+    } : null,
+    runtime: {
+      app: runtime.app || null,
+      environment: runtime.config?.runtime?.deploymentEnvironment || null,
+      apiKeyAvailable: !!apiKey,
+    },
     token: token ? maskSecret(token) : null,
     apiKey: apiKey ? maskSecret(apiKey) : null,
     config: {
@@ -76,10 +130,10 @@ function localAuthStatus() {
     },
     warnings: runtimeFirewallWarning ? [runtimeFirewallWarning] : [],
     nextStep: token
-      ? runtimeFirewallWarning
+      ? (runtimeFirewallWarning || (!app?.key ? 'Run `npx securenow app connect` to connect SDK runtime to an app.' : null))
       : apiKey
-        ? 'Using a scoped API key. Run `npx securenow login` for account-wide MCP tools.'
-        : 'Run `npx securenow login` from the project root.',
+        ? 'Using runtime API key for limited runtime read tools. Run `npx securenow admin login` for account-wide MCP tools.'
+        : 'Run `npx securenow admin login` for control-plane tools and `npx securenow app connect` for SDK runtime.',
   };
 }
@@ -94,12 +148,19 @@ async function callApiTool(tool, args) {
     throw new Error(`${tool.name} is only available in the local MCP server.`);
   }
-  const token = bearerToken();
+  const finalArgs = withRuntimeAppDefaults(tool, args);
+  if (requiresExplicitOrRuntimeApp(tool) && !hasAppScopeArg(finalArgs)) {
+    throw new Error(`${tool.name} requires an app scope. Pass applicationKey/appKey/appKeys explicitly or run \`npx securenow app connect\` to configure runtime app credentials.`);
+  }
+  const { token, plane } = bearerForTool(tool);
   if (!token) {
-    throw new Error('Not authenticated. Run `npx securenow login` from the project root, then retry.');
+    if (plane === 'runtime') {
+      throw new Error('Runtime credentials are missing. Run `npx securenow app connect` or pass an explicit app key, then retry.');
+    }
+    throw new Error('Admin auth is missing. Run `npx securenow admin login` from the project root, then retry. Runtime app credentials cannot grant admin/control-plane permissions.');
   }
-  const request = buildApiRequest(tool, args);
+  const request = buildApiRequest(tool, finalArgs);
   const options = {
     token,
     ...(Object.keys(request.query || {}).length > 0 ? { query: request.query } : {}),
@@ -197,7 +258,7 @@ async function handleRequest(message) {
       const result = await callApiTool(tool, args);
       return ok(id, asToolResult({
         tool: name,
-        arguments: sanitizeArgs(args),
+        arguments: sanitizeArgs(withRuntimeAppDefaults(tool, args)),
         result,
       }));
     }

package/nextjs.js CHANGED Viewed

@@ -31,10 +31,13 @@
  */
 const { randomUUID } = require('crypto');
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
 const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
+defaultMetricsExporterToNone();
 let isRegistered = false;
 function requireRuntimeModule(name) {
@@ -659,7 +662,7 @@ function registerSecureNow(options = {}) {
   // Key and environment come from .securenow/credentials.json (written by
   // login/init or credentials runtime), so no .env entry is needed.
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       requireRuntimeModule('./firewall').init({
         apiKey: firewallOptions.apiKey,

package/nuxt-server-plugin.mjs CHANGED Viewed

@@ -7,11 +7,8 @@
  * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
  */
-import { NodeSDK } from '@opentelemetry/sdk-node';
-import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
 import * as otelResources from '@opentelemetry/resources';
 import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
-import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
 import {
   context as otelContext,
   trace as otelTrace,
@@ -23,6 +20,12 @@ import { randomUUID } from 'node:crypto';
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
 const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
+const { defaultMetricsExporterToNone } = nodeRequire('./otel-defaults');
+defaultMetricsExporterToNone();
+const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
+const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
+const { HttpInstrumentation } = nodeRequire('@opentelemetry/instrumentation-http');
 // ── Helpers ──
@@ -318,7 +321,7 @@ export default defineNitroPlugin(async (nitroApp) => {
   // ── Firewall — runs independently from OTel ──
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({

package/otel-defaults.js ADDED Viewed

@@ -0,0 +1,11 @@
+'use strict';
+function defaultMetricsExporterToNone(env = process.env) {
+  if (!env) return false;
+  const current = env.OTEL_METRICS_EXPORTER;
+  if (current != null && String(current).trim() !== '') return false;
+  env.OTEL_METRICS_EXPORTER = 'none';
+  return true;
+}
+module.exports = { defaultMetricsExporterToNone };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.16",
+  "version": "7.8.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -132,6 +132,7 @@
     "resolve-ip.js",
     "cidr.js",
     "firewall.js",
+    "otel-defaults.js",
     "rate-limits.js",
     "rate-limits.d.ts",
     "firewall-only.js",

package/tracing.js CHANGED Viewed

@@ -14,6 +14,9 @@
  *   Production should mount/copy tokenless runtime credentials to the same path.
  */
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
+defaultMetricsExporterToNone();
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
@@ -696,7 +699,7 @@ const sdk = new NodeSDK({
     // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
     // only an app-routing UUID (or nothing at all) â€” no 401 polling loops.
     const firewallOptions = appConfig.resolveFirewallOptions();
-    if (firewallOptions.apiKey && firewallOptions.enabled) {
+    if (firewallOptions.apiKey) {
       require('./firewall').init({
         apiKey: firewallOptions.apiKey,
         appKey: firewallOptions.appKey,