npm - securenow - Versions diffs - 7.7.16 → 8.0.0 - Mend

securenow 7.7.16 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/NPM_README.md +44 -36
package/README.md +56 -38
package/SKILL-API.md +51 -27
package/SKILL-CLI.md +67 -45
package/app-config.js +90 -160
package/cli/apiKey.js +21 -12
package/cli/apps.js +3 -3
package/cli/auth.js +114 -32
package/cli/client.js +14 -13
package/cli/config.js +219 -52
package/cli/credentials.js +4 -4
package/cli/diagnostics.js +5 -6
package/cli/firewall.js +19 -7
package/cli/human.js +13 -8
package/cli/init.js +5 -5
package/cli/run.js +1 -5
package/cli/security.js +31 -11
package/cli/utils.js +2 -3
package/cli.js +68 -35
package/console-instrumentation.js +1 -1
package/firewall-only.js +7 -11
package/firewall.js +110 -35
package/mcp/catalog.js +582 -45
package/mcp/server.js +73 -12
package/nextjs-auto-capture.js +3 -6
package/nextjs-middleware.js +2 -4
package/nextjs-wrapper.js +3 -6
package/nextjs.js +4 -11
package/nuxt-server-plugin.mjs +7 -4
package/otel-defaults.js +11 -0
package/package.json +3 -3
package/rate-limits.js +0 -2
package/register-vite.js +5 -12
package/register.js +5 -13
package/resolve-ip.js +1 -1
package/tracing.d.ts +1 -1
package/tracing.js +6 -3
package/web-vite.mjs +58 -62

package/NPM_README.md CHANGED Viewed

@@ -11,12 +11,16 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 - Multi-layer firewall -- auto-blocks IPs from your SecureNow blocklist
 - `securenow init` scaffolds Next.js instrumentation, safe `serverExternalPackages`, and standalone output tracing includes
 - `securenow/firewall-only` entry point for firewall without tracing overhead
-- Local and production configuration via `.securenow/credentials.json`
+- Split local credentials: `.securenow/admin.json` for CLI/MCP admin auth and `.securenow/runtime.json` for SDK runtime
 - Single `-r securenow/register` flag -- works for both CJS and ESM apps
 - Native Nuxt 3 module (`securenow/nuxt`)
 ---
+> **v8.0 credential model:** admin/control-plane CLI and MCP auth lives in `.securenow/admin.json`; SDK runtime app config and the runtime API key live in `.securenow/runtime.json`. `npx securenow login` can run both lanes for onboarding, `npx securenow admin login` refreshes only admin auth, and `npx securenow app connect` refreshes only runtime app config. Legacy combined `.securenow/credentials.json` files are still read, and production runtime exports can still be mounted as `.securenow/credentials.json`.
+---
 ## Table of Contents
 - [Installation](#installation)
@@ -65,7 +69,9 @@ Run login - it is a browser flow that picks or creates an app and connects the f
 npx securenow login
 ```
-During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes it into `.securenow/credentials.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
+During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes runtime config into `.securenow/runtime.json`. Admin auth, when part of the flow, is saved separately to `.securenow/admin.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
+Metrics export is intentionally off by default. SecureNow sets `OTEL_METRICS_EXPORTER=none` when the app has not explicitly configured metrics, preventing the OpenTelemetry SDK from creating a default metrics reader that retries `localhost:4318`.
 For framework scaffolding (Next.js `instrumentation.ts`, `next.config.*`, etc.) use:
@@ -76,17 +82,17 @@ npx securenow init --key snk_live_abc123...
 ```
 This detects your framework and:
-- **Credentials**: Ensures `.securenow/credentials.json` has secure defaults and explanations
+- **Credentials**: Ensures `.securenow/runtime.json` has secure defaults and explanations
 - **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, or prints a Codex/Claude-ready merge prompt for existing files
 - **Nuxt 3**: Suggests adding `securenow/nuxt` to modules
 - **Express / Node.js**: Shows how to add `-r securenow/register` to your start script
-- **All**: Stores `--key` in `.securenow/credentials.json`; no local `.env` file is needed
+- **All**: Stores `--key` in `.securenow/runtime.json`; no local `.env` file is needed
 ### 2. Manual Setup
 #### Configure Locally
-Run `npx securenow login` to write `.securenow/credentials.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, runtime API key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway, routes by `app.key`, and authenticates with the runtime API key, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 #### Run Your Application
@@ -143,13 +149,15 @@ The `securenow` CLI gives you full access to the SecureNow platform from the ter
 ### Getting Started
 ```bash
-# Log in (opens browser for OAuth + app picker)
-# The browser flow mints and stores the firewall API key automatically in
-# .securenow/credentials.json (no env var needed).
+# Friendly onboarding: admin auth + app runtime connection.
 npx securenow login
-# Or use a token for CI/headless environments
-npx securenow login --token <YOUR_JWT>
+# Admin/control-plane CLI and MCP auth only.
+npx securenow admin login
+npx securenow admin login --token <YOUR_JWT>
+# App/runtime SDK config only.
+npx securenow app connect
 # Save to ~/.securenow/ instead of this project
 npx securenow login --global
@@ -157,8 +165,8 @@ npx securenow login --global
 # Check who you're logged in as (shows auth source)
 npx securenow whoami
-# Need or already have a firewall key? Create or store it without re-running login:
-npx securenow api-key create --name "CLI firewall"
+# Need or already have a runtime API key? Create or store it without re-running login:
+npx securenow api-key create --name "CLI runtime"
 npx securenow api-key set snk_live_abc123...   # --global for ~/.securenow/
 npx securenow api-key show                     # masked key + source
 npx securenow api-key clear                    # remove just the key
@@ -170,7 +178,7 @@ npx securenow api-key clear                    # remove just the key
 # Auto-detect framework and scaffold instrumentation files
 npx securenow init
-# Pass your API key to store it in .securenow/credentials.json
+# Pass your API key to store it in .securenow/runtime.json
 npx securenow init --key snk_live_abc123...
 ```
@@ -178,7 +186,7 @@ For Next.js projects, `init` creates `instrumentation.ts` (or `.js` if no TypeSc
 ### MCP for Codex and Claude
-SecureNow includes a local stdio MCP server that uses the same credentials and API client as the CLI:
+SecureNow includes a local stdio MCP server that resolves credentials by operation type:
 ```bash
 npx securenow login
@@ -187,7 +195,7 @@ codex mcp add securenow -- npx securenow mcp
 npx -p securenow securenow-mcp
 ```
-The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, rate-limit remediation, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
+Admin/global tools use `.securenow/admin.json`. App-scoped runtime reads can use `.securenow/runtime.json` or an explicit app key. The MCP surface exposes tools for applications, traces, logs, firewall, IP intelligence, forensics, notifications, blocklist, allowlist, trusted IPs, rate-limit remediation, and docs-backed prompts/resources. Write actions require `confirm:true` and a reason. Use `securenow_blocklist_unblock` to stop firewall enforcement while keeping the block report/history; `securenow_blocklist_remove` is a compatibility alias.
 For hosted clients, SecureNow can expose the same surface at `https://api.securenow.ai/mcp`. The hosted endpoint uses the same API authentication and scope checks as the rest of SecureNow.
@@ -418,11 +426,14 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 | File | Description |
 |------|-------------|
 | `~/.securenow/config.json` | API URL, default app, output format |
-| `~/.securenow/credentials.json` | Auth token, app, API key, config - global (use `login --global`) |
-| `.securenow/credentials.json` | Auth token, app, API key, config, explanations - project-local default |
+| `~/.securenow/admin.json` | Global admin/control-plane CLI and MCP auth |
+| `~/.securenow/runtime.json` | Global SDK runtime app config and runtime API key |
+| `.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
+| `.securenow/runtime.json` | Project-local SDK runtime app config and runtime API key |
+| `.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
-**Resolution order:** project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order. Legacy CLI token overrides still work for existing automation.
+**Resolution order:** runtime config resolves from project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Legacy CLI token overrides still work for existing automation.
 ### Global Flags
@@ -434,17 +445,13 @@ Every command supports these flags:
 | `--help` | | Show help for the command |
 | `--app <key>` | | Override the default application key |
-### Legacy CLI Overrides
+### CLI Configuration
-Normal CLI, SDK, and production runtime setup uses `.securenow/credentials.json`.
-Old per-terminal CLI overrides still exist for operator troubleshooting, but
-they are not part of the SDK runtime configuration path.
+Normal SDK runtime setup uses `.securenow/runtime.json`; admin CLI/MCP auth uses `.securenow/admin.json`.
+SecureNow-specific environment overrides are no longer supported by the SDK or CLI.
 | Override | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | Legacy CLI auth override for a single terminal session |
-| `SECURENOW_API_URL` | Legacy CLI API base override for testing |
-| `SECURENOW_DEBUG` | CLI stack traces while debugging |
 | `NO_COLOR` | Disable colored CLI output |
 ### Multi-Project Sessions
@@ -488,16 +495,18 @@ npx securenow logs --json --level error | jq '.logs'
 | Category | Command | Description |
 |----------|---------|-------------|
 | **Setup** | `init` | Auto-scaffold instrumentation for your framework |
-| **Auth** | `login` | Authenticate via browser, `--token`, or `--local` |
-| | `logout` | Clear credentials (`--local` for project only) |
-| | `whoami` | Show session info and auth source |
+| **Auth** | `login` | Friendly onboarding: admin auth + app runtime connection |
+| | `admin login` | Authenticate admin/control-plane CLI and MCP tools |
+| | `app connect` | Select/create app and write SDK runtime config |
+| | `logout` | Clear admin auth; runtime app config remains |
+| | `whoami` | Show admin auth and runtime app status separately |
 | **Apps** | `apps` | List applications |
 | | `apps create <name>` | Create application |
 | | `apps info <id>` | Application details |
 | | `apps delete <id>` | Delete application |
 | | `apps default <key>` | Set default app |
-| **API Key** | `api-key create [--name "CLI firewall"] [--global]` | Mint and save a firewall key with your logged-in session |
-| | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/credentials.json` |
+| **API Key** | `api-key create [--name "CLI runtime"] [--global]` | Mint and save a runtime API key with your logged-in session |
+| | `api-key set <snk_live_...> [--global]` | Save runtime API key to `.securenow/runtime.json` |
 | | `api-key show` | Show masked key + source |
 | | `api-key clear [--global]` | Remove stored key (leaves session/app) |
 | **Observe** | `traces` | List traces |
@@ -1099,7 +1108,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
+The SDK resolves the runtime API key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
 On startup, you'll see:
@@ -1198,19 +1207,18 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 |----------|-------------|---------|
 | `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
 | `app.name` | Human-readable app label. | selected during login |
-| `apiKey` | Scoped firewall key (`snk_live_...`). | minted during login |
+| `apiKey` | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
 | `config.capture.body` | Request body capture with redaction. | `true` |
 | `config.capture.multipart` | Multipart metadata capture, never file content. | `true` |
-| `config.firewall.enabled` | Local SDK firewall switch; dashboard toggle is per environment. | `true` |
+| `config.firewall.enabled` | Deprecated local hint. Runtime enable/disable uses the dashboard/API environment toggle. | ignored |
 | `config.otel.*` | Optional custom endpoints, headers, and log level. | empty |
 The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads
 all runtime settings from this JSON plus built-in defaults. Production should
 mount a tokenless runtime credentials file at `.securenow/credentials.json`.
-Legacy env fallback is disabled by default and exists only for old deployments
-that explicitly opt in with `SECURENOW_ENABLE_LEGACY_ENV=1`.
+Environment-variable fallback is not supported.
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
@@ -1405,7 +1413,7 @@ All request bodies are automatically scanned and sensitive fields are redacted:
   "config": {
     "runtime": { "noUuid": true, "strict": true, "deploymentEnvironment": "production" },
     "otel": {
-      "headers": { "x-api-key": "your-api-key" },
+      "headers": { "x-securenow-app-key": "my-production-app" },
       "logLevel": "info",
       "disableInstrumentations": ["fs", "dns"]
     },

package/README.md CHANGED Viewed

@@ -12,9 +12,8 @@ Zero-config OpenTelemetry for Node.js, Next.js, and Nuxt: traces, logs, body cap
 # 1. Install
 npm install securenow
-# 2. Pick (or create) your app in the browser - writes .securenow/ locally.
-#    Since v7.4.0, the browser step enables the app firewall and stores
-#    a scoped firewall API key in the same file - no env vars.
+# 2. Pick (or create) your app in the browser - writes .securenow/runtime.json.
+#    The friendly login flow can also refresh admin CLI/MCP auth in .securenow/admin.json.
 npx securenow login
 # 3. Start your app - one flag is all it takes
@@ -35,12 +34,17 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 ## How it works
-`npx securenow login` opens a browser, lets you pick (or create) an application, and writes a **project-local** credentials file to `.securenow/credentials.json`:
+`npx securenow login` opens a browser and runs both lanes for onboarding:
+- admin/control-plane CLI and MCP auth goes to `.securenow/admin.json`
+- app/runtime SDK config and the firewall API key go to `.securenow/runtime.json`
+Use `npx securenow admin login` to refresh only admin auth, or `npx securenow app connect` to refresh only runtime app config. Legacy combined `.securenow/credentials.json` files are still read for old installs.
+Runtime credentials look like:
 ```json
 {
-  "token": "...",
-  "email": "you@example.com",
   "apiKey": "snk_live_...",
   "app": {
     "key": "<uuid>",
@@ -56,7 +60,7 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 }
 ```
-The SDK reads this file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. The file is auto-added to `.gitignore` so it never lands in git.
+The SDK reads the runtime file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. Local credential files are auto-added to `.gitignore` so they never land in git.
 ---
@@ -71,7 +75,7 @@ npx securenow login
 Then ask your coding agent to wire each app with this prompt:
 ```text
-I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/credentials.json plus tokenless .securenow/credentials.production.json, gitignore .securenow, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json, gitignore only SecureNow credential files, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
 ```
 For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
@@ -151,7 +155,9 @@ Run `npx securenow init` after installing so the credentials file and secure def
 - Multipart upload metadata (field names, file names, sizes, content-types; never file content)
 - Firewall protection from the selected app's SecureNow blocklist and IPDB sync - activates as soon as you've logged in
-All of these are **on by default**. Tune them in `.securenow/credentials.json` under the `config` block.
+All of these are **on by default**. Tune them in `.securenow/runtime.json` under the `config` block.
+SecureNow does not export metrics by default. The preload sets `OTEL_METRICS_EXPORTER=none` when the app has not explicitly configured a metrics exporter, which prevents OpenTelemetry's default metrics reader from falling back to `localhost:4318`.
 ---
@@ -175,13 +181,15 @@ Starting in v7.7.2, the SDK also accepts generated runtime filenames directly wi
 Resolution order:
-1. Project-local `.securenow/credentials.json`
-2. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
-3. Global `~/.securenow/credentials.json`
-4. Global named runtime credentials in the same fixed order
-5. `package.json#name` (label only)
+1. Project-local `.securenow/runtime.json`
+2. Legacy project-local `.securenow/credentials.json`
+3. Project-local named runtime credentials: `.securenow/credentials.staging.json`, then `.securenow/credentials.production.json`, then preview/local/test/development/dev/prod variants
+4. Global `~/.securenow/runtime.json`
+5. Legacy global `~/.securenow/credentials.json`
+6. Global named runtime credentials in the same fixed order
+7. `package.json#name` (label only)
-SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
+SDK runtime config is credentials-json based. Environment-variable fallbacks are no longer supported.
 ---
@@ -189,13 +197,14 @@ SDK runtime config is credentials-json based. Legacy environment fallbacks are d
 ```bash
 # Setup
-npx securenow login                 # browser auth + app picker + firewall enabled by default
-npx securenow login --global        # save to ~/.securenow/ instead
-npx securenow login --token <TOKEN> # headless (CI)
+npx securenow login                 # friendly flow: admin auth + app runtime connection
+npx securenow admin login           # admin/control-plane CLI + MCP auth only
+npx securenow app connect           # app/runtime SDK connection only
+npx securenow admin login --token <TOKEN> # headless admin auth (CI)
 npx securenow init --env local      # scaffold framework files + local env scope
 npx securenow credentials runtime --env production # write tokenless production credentials file
-npx securenow api-key create --name "CLI firewall" # mint + store firewall key
-npx securenow api-key set snk_live_... # store firewall key in .securenow/credentials.json
+npx securenow api-key create --name "CLI runtime" # mint + store runtime API key
+npx securenow api-key set snk_live_... # store runtime API key in .securenow/runtime.json
 # Apps
 npx securenow apps                  # list all apps
@@ -211,6 +220,7 @@ npx securenow doctor                # diagnose config + connectivity
 # Security
 npx securenow firewall status --env production
 npx securenow blocklist add 1.2.3.4 --reason "scanner"
+npx securenow blocklist add 1.2.3.4 --route /admin* --mode prefix --method ALL --reason "admin probing"
 npx securenow blocklist unblock <id> --reason "reviewed safe"
 npx securenow fp ai-fill --description "Stripe webhook POST /api/stripe/webhook"
@@ -229,31 +239,33 @@ SecureNow ships a local stdio MCP server for agent clients:
 ```bash
 npx securenow login
+npx securenow admin login      # admin/control-plane only
+npx securenow app connect      # runtime app/API key only
 codex mcp add securenow -- npx securenow mcp
 # or run directly:
 npx -p securenow securenow-mcp
 ```
-The MCP server reuses the same project-local `.securenow/credentials.json` as the CLI and SDK. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, rate-limit remediation, plus resources for the bundled SecureNow docs and setup prompts.
+The MCP server resolves credentials by operation type: admin/global tools use `.securenow/admin.json`, while app-scoped runtime reads can use `.securenow/runtime.json` or an explicit app key. Legacy combined `.securenow/credentials.json` remains a fallback. It exposes tools for apps, traces, logs, firewall, IP intelligence, forensics, blocklist/allowlist/trusted IPs, rate-limit remediation, plus resources for the bundled SecureNow docs and setup prompts.
 ---
 ## Credentials Config
-Use `.securenow/credentials.json` fields for new local, CI, Docker, and production setups. The credentials file is the product path.
+Use `.securenow/runtime.json` fields for new local SDK/runtime setups. Production exports still use tokenless `.securenow/credentials.<environment>.json` files that can be mounted as `.securenow/credentials.json`.
 | Field | Default | Purpose |
 |---|---|---|
 | `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
 | `app.name` | selected during login | Human-readable label for CLI and dashboard output |
-| `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
+| `apiKey` | minted during login | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
 | `config.capture.body` | `true` | Capture JSON / form request bodies with redaction |
 | `config.capture.multipart` | `true` | Capture multipart metadata, never file content |
 | `config.capture.maxBodySize` | `10240` | Max bytes captured per body |
 | `config.capture.sensitiveFields` | `[]` | Extra field-name fragments to redact |
-| `config.firewall.enabled` | `true` | Local SDK firewall switch; dashboard firewall toggle is scoped per environment |
+| `config.firewall.enabled` | Deprecated | Ignored as a local kill switch; dashboard/API firewall toggle is scoped per environment |
 | `config.otel.*` | empty | Optional custom OTLP endpoints, headers, and log level |
 The credentials file is versioned with `_securenow.schemaVersion`, so future SDK
@@ -268,8 +280,8 @@ Mount or copy that JSON as `.securenow/credentials.json` in the deployed app.
 New runtime credentials do not include a per-instance collector URL; the SDK
 uses `https://ingest.securenow.ai` by default and the gateway routes by
 `app.key`.
-Legacy env fallback exists only for old deployments that explicitly opt in with
-`SECURENOW_ENABLE_LEGACY_ENV=1`; new installs should not use it.
+Environment-variable fallback is not supported; use runtime credentials files
+for local, staging, preview, and production.
 ---
@@ -284,7 +296,7 @@ PostgreSQL, MySQL / MySQL2, MongoDB, Redis
 ### Other
 HTTP/HTTPS, GraphQL, gRPC, and many more via [@opentelemetry/auto-instrumentations-node](https://www.npmjs.com/package/@opentelemetry/auto-instrumentations-node).
-> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/credentials.json`.
+> MongoDB instrumentation is included in the current SDK. To disable it for a service, add `@opentelemetry/instrumentation-mongodb` to `config.otel.disableInstrumentations` in `.securenow/runtime.json`.
 ---
@@ -310,14 +322,16 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | Command | Description |
 |---|---|
-| `securenow login` | Browser auth + pick app; firewall key is minted automatically (writes ./.securenow/ by default) |
+| `securenow login` | Friendly onboarding: admin auth + runtime app connection |
+| `securenow admin login` | Admin/control-plane CLI and MCP auth only |
+| `securenow app connect` | App/runtime SDK connection only |
 | `securenow login --global` | Save to ~/.securenow/ instead |
-| `securenow login --token <TOKEN>` | Headless (CI/servers) |
-| `securenow logout` | Clear project-local credentials |
+| `securenow admin login --token <TOKEN>` | Headless admin auth (CI/servers) |
+| `securenow logout` | Clear admin auth only; runtime app config stays intact |
 | `securenow logout --global` | Clear ~/.securenow/ instead |
-| `securenow whoami` | Show current session (email, app, expiry) |
-| `securenow api-key create [--name "CLI firewall"]` | Mint and store a firewall key using your session token |
-| `securenow api-key set <snk_live_...>` | Store firewall key in `.securenow/credentials.json` (`--global` for `~/.securenow/`) |
+| `securenow whoami` | Show admin auth and runtime app status separately |
+| `securenow api-key create [--name "CLI runtime"]` | Mint and store a runtime API key using your session token |
+| `securenow api-key set <snk_live_...>` | Store runtime API key in `.securenow/runtime.json` (`--global` for `~/.securenow/`) |
 | `securenow api-key show` | Print masked key + source file |
 | `securenow api-key clear` | Remove stored key (`--global` for `~/.securenow/`) |
@@ -368,14 +382,14 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | Command | Description |
 |---|---|
 | `securenow firewall status` | Firewall layers + key info |
-| `securenow firewall test-ip <ip>` | Would this IP be blocked? |
+| `securenow firewall test-ip <ip> [--path /admin/users]` | Would this IP be blocked? |
 ### Remediation
 | Command | Description |
 |---|---|
 | `securenow blocklist` | List blocked IPs |
-| `securenow blocklist add <ip> [--reason ...]` | Block an IP |
+| `securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--reason ...]` | Block an IP globally or only for matching routes |
 | `securenow blocklist unblock <id> [--reason ...]` | Stop enforcement and keep block history |
 | `securenow ratelimit parse "<request>"` | Fill a rate-limit rule draft from natural language |
 | `securenow ratelimit from-text "<request>" --yes` | Create a soft rate-limit rule from natural language |
@@ -420,13 +434,17 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | File | Purpose |
 |---|---|
-| `./.securenow/credentials.json` | Project-local or production runtime credentials |
+| `./.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
+| `./.securenow/runtime.json` | Project-local SDK runtime app config and runtime API key |
+| `./.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
-| `~/.securenow/credentials.json` | Global (with `login --global`) |
+| `~/.securenow/admin.json` | Global admin/control-plane auth |
+| `~/.securenow/runtime.json` | Global SDK runtime app config |
+| `~/.securenow/credentials.json` | Legacy global combined credentials |
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
-Resolution order: project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/credentials.json` -> global named runtime credentials in the same fixed order -> package name fallback. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
+Runtime resolution order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials -> package name fallback. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Runtime config is never read from environment variables.
 Override the dashboard API with `securenow config set apiUrl <url>`.