securenow 7.7.16 → 8.0.0

package/app-config.js

@@ -3,13 +3,14 @@
 /**
  * Shared SecureNow configuration resolver.
  *
- * Local development and production are driven by ./.securenow/credentials.json.
+ * Local development is driven by ./.securenow/runtime.json.
+ * Legacy combined ./.securenow/credentials.json files remain readable.
  * Named runtime files such as ./.securenow/credentials.staging.json and
  * ./.securenow/credentials.production.json are also accepted when the
  * canonical file is not present. Filename selection is deterministic and does
  * not read environment variables.
- * Legacy environment fallbacks are disabled by default; every SDK setting has
- * a file-backed equivalent so customers do not need .env files.
+ * Every SDK setting has a file-backed equivalent so customers do not need
+ * .env files.
  */
 
 const fs = require('fs');
@@ -20,7 +21,6 @@ const FREE_TRIAL_INSTANCE = 'https://ingest.securenow.ai';
 const DEFAULT_API_URL = 'https://api.securenow.ai';
 const DEFAULT_FIREWALL_API_URL = FREE_TRIAL_INSTANCE;
 const LEGACY_SECURENOW_GATEWAY = 'https://api.securenow.ai/api/otlp';
-const LEGACY_ENV_FALLBACK_FLAG = 'SECURENOW_ENABLE_LEGACY_ENV';
 const CONFIG_SCHEMA_VERSION = 2;
 const CREDENTIAL_FILE_ENVIRONMENTS = Object.freeze([
   'staging',
@@ -32,6 +32,8 @@ const CREDENTIAL_FILE_ENVIRONMENTS = Object.freeze([
   'dev',
   'prod',
 ]);
+const RUNTIME_CREDENTIALS_FILENAME = 'runtime.json';
+const ADMIN_CREDENTIALS_FILENAME = 'admin.json';
 
 const DEFAULT_CONFIG = Object.freeze({
   logging: {
@@ -90,8 +92,8 @@ const DEFAULT_CONFIG = Object.freeze({
 });
 
 const CONFIG_EXPLANATIONS = Object.freeze({
-  'token': 'CLI session token written by `npx securenow login`. Secret: do not commit.',
-  'apiKey': 'Scoped firewall API key (`snk_live_...`) minted by login or `securenow api-key set`. Secret: do not commit.',
+  'token': 'Legacy CLI session token. New admin/control-plane auth is written to admin.json. Secret: do not commit.',
+  'apiKey': 'Scoped runtime API key (`snk_live_...`) minted by `securenow app connect` or `securenow api-key set`. It authenticates telemetry ingestion and firewall sync. Secret: do not commit.',
   'app.key': 'SecureNow application routing UUID. The SDK uses this as OTel service.name so dashboard queries match exactly.',
   'app.name': 'Human-readable app label shown in CLI output.',
   'app.routing': 'Telemetry uses the default SecureNow ingestion gateway and routes by app.key; runtime credentials do not expose per-instance collector URLs.',
@@ -103,7 +105,7 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.otel.endpoint': 'Optional OTLP base endpoint override for advanced/self-hosted collectors. Leave null for the SecureNow ingestion gateway.',
   'config.otel.tracesEndpoint': 'Optional full traces endpoint override, for split collectors.',
   'config.otel.logsEndpoint': 'Optional full logs endpoint override, for split collectors.',
-  'config.otel.headers': 'Optional OTLP headers. The SDK auto-adds x-api-key from app.key when missing.',
+  'config.otel.headers': 'Optional OTLP headers. The SDK auto-adds x-securenow-app-key from app.key and Authorization from apiKey when missing.',
   'config.otel.logLevel': 'OpenTelemetry diagnostic log level: error, warn, info, debug, or none.',
   'config.otel.disableInstrumentations': 'Optional OTel instrumentation package names to disable.',
   'config.runtime.deploymentEnvironment': 'deployment.environment resource attribute. Set this in the credentials file for production.',
@@ -111,7 +113,7 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.runtime.strict': 'If true, PM2/cluster workers exit when no app identity is resolvable.',
   'config.runtime.testSpan': 'If true, emit a startup smoke span. Prefer `npx securenow test-span` for manual checks.',
   'config.runtime.hideBanner': 'Hide the free-trial response banner when using the managed free-trial collector.',
-  'config.firewall.enabled': 'Secure default: app firewall enforcement starts when apiKey is present and the dashboard toggle is on.',
+  'config.firewall.enabled': 'Deprecated local hint. Runtime firewall enforcement is controlled by the SecureNow dashboard/API app environment toggle; the SDK starts sync whenever apiKey is present.',
   'config.firewall.apiUrl': 'Optional SecureNow firewall control-plane base URL. Leave unset/default so hosted SDKs sync through the SecureNow ingest gateway.',
   'config.firewall.versionCheckInterval': 'Seconds between lightweight firewall version/ETag checks.',
   'config.firewall.syncInterval': 'Seconds between safety-net full firewall blocklist syncs.',
@@ -128,45 +130,6 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.networking.trustedProxies': 'Additional proxy IPs whose X-Forwarded-For headers should be trusted.',
 });
 
-const ENV_TO_CONFIG_PATH = Object.freeze({
-  SECURENOW_LOGGING_ENABLED: 'logging.enabled',
-  SECURENOW_CAPTURE_BODY: 'capture.body',
-  SECURENOW_CAPTURE_MULTIPART: 'capture.multipart',
-  SECURENOW_MAX_BODY_SIZE: 'capture.maxBodySize',
-  SECURENOW_SENSITIVE_FIELDS: 'capture.sensitiveFields',
-  SECURENOW_DISABLE_INSTRUMENTATIONS: 'otel.disableInstrumentations',
-  OTEL_EXPORTER_OTLP_ENDPOINT: 'otel.endpoint',
-  OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: 'otel.tracesEndpoint',
-  OTEL_EXPORTER_OTLP_LOGS_ENDPOINT: 'otel.logsEndpoint',
-  OTEL_EXPORTER_OTLP_HEADERS: 'otel.headers',
-  OTEL_LOG_LEVEL: 'otel.logLevel',
-  SECURENOW_ENVIRONMENT: 'runtime.deploymentEnvironment',
-  SECURENOW_DEPLOYMENT_ENVIRONMENT: 'runtime.deploymentEnvironment',
-  NODE_ENV: 'runtime.deploymentEnvironment',
-  SECURENOW_NO_UUID: 'runtime.noUuid',
-  SECURENOW_STRICT: 'runtime.strict',
-  SECURENOW_TEST_SPAN: 'runtime.testSpan',
-  SECURENOW_HIDE_BANNER: 'runtime.hideBanner',
-  SECURENOW_API_URL: 'firewall.apiUrl',
-  SECURENOW_FIREWALL_VERSION_INTERVAL: 'firewall.versionCheckInterval',
-  SECURENOW_FIREWALL_SYNC_INTERVAL: 'firewall.syncInterval',
-  SECURENOW_FIREWALL_FAIL_MODE: 'firewall.failMode',
-  SECURENOW_FIREWALL_STATUS_CODE: 'firewall.statusCode',
-  SECURENOW_FIREWALL_LOG: 'firewall.log',
-  SECURENOW_FIREWALL_TCP: 'firewall.tcp',
-  SECURENOW_FIREWALL_IPTABLES: 'firewall.iptables',
-  SECURENOW_FIREWALL_CLOUD: 'firewall.cloud',
-  SECURENOW_FIREWALL_CLOUD_DRY_RUN: 'firewall.cloudDryRun',
-  CLOUDFLARE_API_TOKEN: 'firewall.cloudflare.apiToken',
-  CLOUDFLARE_ACCOUNT_ID: 'firewall.cloudflare.accountId',
-  AWS_WAF_IP_SET_ID: 'firewall.aws.wafIpSetId',
-  AWS_WAF_IP_SET_NAME: 'firewall.aws.wafIpSetName',
-  AWS_WAF_SCOPE: 'firewall.aws.wafScope',
-  GCP_PROJECT_ID: 'firewall.gcp.projectId',
-  GCP_SECURITY_POLICY: 'firewall.gcp.securityPolicy',
-  SECURENOW_TRUSTED_PROXIES: 'networking.trustedProxies',
-});
-
 function clone(value) {
   return value == null ? value : JSON.parse(JSON.stringify(value));
 }
@@ -244,7 +207,7 @@ function uniq(values) {
   return out;
 }
 
-function credentialRelativePaths() {
+function legacyCredentialRelativePaths() {
   return uniq([
     path.join('.securenow', 'credentials.json'),
     ...CREDENTIAL_FILE_ENVIRONMENTS.map((envName) =>
@@ -253,7 +216,25 @@ function credentialRelativePaths() {
   ]);
 }
 
-function resolveLocalCredentialsFile() {
+function runtimeCredentialRelativePaths() {
+  return uniq([
+    path.join('.securenow', RUNTIME_CREDENTIALS_FILENAME),
+    ...legacyCredentialRelativePaths(),
+  ]);
+}
+
+function adminCredentialRelativePaths() {
+  return uniq([
+    path.join('.securenow', ADMIN_CREDENTIALS_FILENAME),
+    ...legacyCredentialRelativePaths(),
+  ]);
+}
+
+function credentialRelativePaths() {
+  return runtimeCredentialRelativePaths();
+}
+
+function resolveLocalFileFromRelativePaths(relativePaths) {
   const starts = [];
   try {
     if (typeof process !== 'undefined' && process.cwd) starts.push(process.cwd());
@@ -263,7 +244,7 @@ function resolveLocalCredentialsFile() {
   if (process.argv && process.argv[1]) starts.push(path.dirname(process.argv[1]));
   if (require.main && require.main.filename) starts.push(path.dirname(require.main.filename));
 
-  const candidates = credentialRelativePaths();
+  const candidates = relativePaths;
   for (const start of uniq(starts)) {
     const found = findUpFirstFile(start, candidates);
     if (found) return found;
@@ -272,7 +253,15 @@ function resolveLocalCredentialsFile() {
   return null;
 }
 
-function resolveGlobalCredentialsFile() {
+function resolveLocalCredentialsFile() {
+  return resolveLocalFileFromRelativePaths(runtimeCredentialRelativePaths());
+}
+
+function resolveLocalAdminCredentialsFile() {
+  return resolveLocalFileFromRelativePaths(adminCredentialRelativePaths());
+}
+
+function resolveGlobalFileFromRelativePaths(relativePaths) {
   let home;
   try {
     home = os.homedir();
@@ -280,7 +269,7 @@ function resolveGlobalCredentialsFile() {
     return null;
   }
 
-  for (const relativePath of credentialRelativePaths()) {
+  for (const relativePath of relativePaths) {
     const found = fileIfReadable(path.join(home, relativePath));
     if (found) return found;
   }
@@ -288,6 +277,36 @@ function resolveGlobalCredentialsFile() {
   return null;
 }
 
+function resolveGlobalCredentialsFile() {
+  return resolveGlobalFileFromRelativePaths(runtimeCredentialRelativePaths());
+}
+
+function resolveGlobalAdminCredentialsFile() {
+  return resolveGlobalFileFromRelativePaths(adminCredentialRelativePaths());
+}
+
+function runtimeCredentialsFromDocument(credentials) {
+  if (!credentials || typeof credentials !== 'object' || Array.isArray(credentials)) return null;
+  if (!credentials.runtime || typeof credentials.runtime !== 'object' || Array.isArray(credentials.runtime)) {
+    return credentials;
+  }
+
+  const runtime = clone(credentials.runtime);
+  if (runtime.environment) {
+    runtime.config = runtime.config || {};
+    runtime.config.runtime = runtime.config.runtime || {};
+    runtime.config.runtime.deploymentEnvironment = runtime.environment;
+    delete runtime.environment;
+  }
+  if (runtime.instanceUrl) {
+    runtime.config = runtime.config || {};
+    runtime.config.otel = runtime.config.otel || {};
+    if (!runtime.config.otel.endpoint) runtime.config.otel.endpoint = runtime.instanceUrl;
+    delete runtime.instanceUrl;
+  }
+  return runtime;
+}
+
 function resolvePackageJsonFile() {
   const starts = [];
   try {
@@ -308,7 +327,7 @@ function resolvePackageJsonFile() {
 
 function loadLocalCredentials() {
   try {
-    return withCredentialDefaults(readJsonSafe(resolveLocalCredentialsFile()));
+    return withCredentialDefaults(runtimeCredentialsFromDocument(readJsonSafe(resolveLocalCredentialsFile())));
   } catch {
     return null;
   }
@@ -316,7 +335,7 @@ function loadLocalCredentials() {
 
 function loadGlobalCredentials() {
   try {
-    return withCredentialDefaults(readJsonSafe(resolveGlobalCredentialsFile()));
+    return withCredentialDefaults(runtimeCredentialsFromDocument(readJsonSafe(resolveGlobalCredentialsFile())));
   } catch {
     return null;
   }
@@ -326,7 +345,7 @@ function loadCredentials() {
   try {
     const localFile = resolveLocalCredentialsFile();
     if (localFile) {
-      return withCredentialDefaults(readJsonSafe(localFile));
+      return withCredentialDefaults(runtimeCredentialsFromDocument(readJsonSafe(localFile)));
     }
     return loadGlobalCredentials();
   } catch {
@@ -401,7 +420,7 @@ function withCredentialDefaults(credentials) {
   out._securenow = mergeMissing(out._securenow, {
     schemaVersion: CONFIG_SCHEMA_VERSION,
     note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets; keep .securenow/ in .gitignore.',
-    precedence: `The same credentials file works in local development and production. SDK runtime config is read from credentials JSON. Legacy environment fallbacks are disabled unless ${LEGACY_ENV_FALLBACK_FLAG}=1 is set.`,
+    precedence: 'The same credentials file works in local development and production. SDK runtime config is read from credentials JSON only.',
     explanations: CONFIG_EXPLANATIONS,
   });
   return out;
@@ -417,19 +436,6 @@ function getPath(obj, dotted) {
   return cur;
 }
 
-function legacyEnvFallbackEnabled() {
-  const raw =
-    process.env[LEGACY_ENV_FALLBACK_FLAG] ??
-    process.env.SECURENOW_ALLOW_ENV_CONFIG ??
-    process.env.SECURENOW_LEGACY_ENV;
-  return /^(1|true|yes)$/i.test(String(raw || '').trim());
-}
-
-function rawEnv(key) {
-  if (!legacyEnvFallbackEnabled()) return undefined;
-  return process.env[key] ?? process.env[key.toUpperCase()] ?? process.env[key.toLowerCase()];
-}
-
 function normalizeInstanceEndpoint(value) {
   if (value === undefined || value === null || value === '') return value;
   const endpoint = String(value).trim().replace(/\/$/, '');
@@ -567,24 +573,11 @@ function headersToString(headers) {
     .join(',');
 }
 
-function toEnvString(value) {
-  if (value === undefined || value === null || value === '') return undefined;
-  if (typeof value === 'boolean') return value ? '1' : '0';
-  if (Array.isArray(value)) return value.join(',');
-  if (typeof value === 'object') return headersToString(value);
-  return String(value);
-}
-
-function resolveConfigPath(configPath, envKeys = [], fallback) {
+function resolveConfigPath(configPath, _envKeys = [], fallback) {
   const creds = loadCredentials();
   const fromCreds = pick(getPath(creds && creds.config, configPath));
   if (fromCreds != null) return fromCreds;
 
-  for (const key of envKeys) {
-    const fromEnv = pick(rawEnv(key));
-    if (fromEnv != null) return fromEnv;
-  }
-
   const fromDefault = pick(getPath(DEFAULT_CONFIG, configPath));
   if (fromDefault != null) return fromDefault;
 
@@ -610,28 +603,12 @@ function listConfig(configPath) {
 function resolveAppKey() {
   const creds = loadCredentials();
   if (creds && creds.app && pick(creds.app.key)) return String(pick(creds.app.key));
-
-  const fromEnv = pick(rawEnv('SECURENOW_APPID')) || pick(rawEnv('securenow'));
-  if (fromEnv) return String(fromEnv);
-
-  // Legacy compatibility: older docs sometimes used SECURENOW_API_KEY as the
-  // app routing UUID. Real firewall keys start with snk_live_ and are handled
-  // by resolveApiKey(), not as service.name.
-  const legacyApiKey = pick(rawEnv('SECURENOW_API_KEY'));
-  if (legacyApiKey && !String(legacyApiKey).startsWith('snk_live_')) {
-    return String(legacyApiKey);
-  }
-
   return null;
 }
 
 function resolveAppName() {
   const creds = loadCredentials();
   if (creds && creds.app && pick(creds.app.name)) return String(pick(creds.app.name));
-
-  const fromEnv = pick(rawEnv('OTEL_SERVICE_NAME'));
-  if (fromEnv) return String(fromEnv);
-
   return loadPackageJsonName();
 }
 
@@ -643,23 +620,12 @@ function resolveApiKey() {
   const creds = loadCredentials();
   const fromCreds = creds && pick(creds.apiKey);
   if (fromCreds && String(fromCreds).startsWith('snk_live_')) return String(fromCreds);
-
-  const fromEnv = pick(rawEnv('SECURENOW_API_KEY'));
-  if (fromEnv && String(fromEnv).startsWith('snk_live_')) return String(fromEnv);
-
   return null;
 }
 
 function resolveInstance() {
   const fromConfig = pick(resolveConfigPath('otel.endpoint'));
   if (fromConfig) return normalizeInstanceEndpoint(fromConfig);
-
-  const fromEnv =
-    pick(rawEnv('SECURENOW_INSTANCE')) ||
-    pick(rawEnv('securenow_instance')) ||
-    pick(rawEnv('OTEL_EXPORTER_OTLP_ENDPOINT'));
-  if (fromEnv) return normalizeInstanceEndpoint(fromEnv);
-
   return FREE_TRIAL_INSTANCE;
 }
 
@@ -684,51 +650,18 @@ function resolveNoUuid(opts = {}) {
   const fromConfig = pick(getPath(loadCredentials()?.config, 'runtime.noUuid'));
   if (fromConfig !== null) return parseBool(fromConfig, false);
 
-  const raw = pick(rawEnv('SECURENOW_NO_UUID'));
-  if (raw !== null) return parseBool(raw, false);
-
   return !!resolveAppKey();
 }
 
-function resolveEnvKey(key) {
-  const upper = String(key).toUpperCase();
-
-  if (upper === 'SECURENOW_APPID') return resolveAppKey();
-  if (upper === 'OTEL_SERVICE_NAME') return resolveAppName();
-  if (upper === 'SECURENOW_API_KEY') return resolveApiKey();
-  if (upper === 'SECURENOW_INSTANCE' || upper === 'OTEL_EXPORTER_OTLP_ENDPOINT') return resolveInstance();
-  if (upper === 'SECURENOW_FIREWALL_ENABLED') return resolveFirewallEnabled();
-
-  const configPath = ENV_TO_CONFIG_PATH[upper];
-  if (configPath) return resolveConfigPath(configPath);
-
-  const fromEnv = pick(rawEnv(upper));
-  if (fromEnv != null) return fromEnv;
-
-  return undefined;
-}
-
-function env(key) {
-  return toEnvString(resolveEnvKey(key));
-}
-
-function boolEnv(key, fallback = false) {
-  return parseBool(resolveEnvKey(key), fallback);
-}
-
-function numberEnv(key, fallback, min) {
-  return parseNumber(resolveEnvKey(key), fallback, min);
-}
-
-function listEnv(key) {
-  return parseList(resolveEnvKey(key));
-}
-
 function resolveOtlpHeaders() {
   const headers = parseHeaders(configValue('otel.headers', {}));
   const appKey = resolveAppKey();
-  if (appKey && !headers['x-api-key']) {
-    headers['x-api-key'] = appKey;
+  const apiKey = resolveApiKey();
+  if (appKey && !headers['x-securenow-app-key']) {
+    headers['x-securenow-app-key'] = appKey;
+  }
+  if (apiKey && !headers.authorization) {
+    headers.authorization = `Bearer ${apiKey}`;
   }
   const deploymentEnvironment = resolveDeploymentEnvironment();
   if (deploymentEnvironment && !headers['x-securenow-environment']) {
@@ -754,10 +687,7 @@ function resolveEndpoints(options = {}) {
 }
 
 function resolveFirewallEnabled() {
-  const fromConfig = pick(getPath(loadCredentials()?.config, 'firewall.enabled'));
-  if (fromConfig != null) return parseBool(fromConfig, true);
-
-  return parseBool(getPath(DEFAULT_CONFIG, 'firewall.enabled'), true);
+  return true;
 }
 
 function resolveFirewallOptions() {
@@ -799,12 +729,12 @@ module.exports = {
   DEFAULT_API_URL,
   DEFAULT_FIREWALL_API_URL,
   LEGACY_SECURENOW_GATEWAY,
-  LEGACY_ENV_FALLBACK_FLAG,
   CONFIG_SCHEMA_VERSION,
   CREDENTIAL_FILE_ENVIRONMENTS,
+  RUNTIME_CREDENTIALS_FILENAME,
+  ADMIN_CREDENTIALS_FILENAME,
   DEFAULT_CONFIG,
   CONFIG_EXPLANATIONS,
-  ENV_TO_CONFIG_PATH,
   withCredentialDefaults,
   mergeCredentials,
   resolveConfigPath,
@@ -818,7 +748,6 @@ module.exports = {
   resolveApiKey,
   resolveInstance,
   normalizeDeploymentEnvironment,
-  legacyEnvFallbackEnabled,
   resolveDeploymentEnvironment,
   resolveAll,
   resolveNoUuid,
@@ -830,17 +759,18 @@ module.exports = {
   resolveFirewallApiUrl,
   resolveFirewallApiFallbacks,
   resolveFirewallOptions,
-  env,
-  boolEnv,
-  numberEnv,
-  listEnv,
   parseHeaders,
   normalizeInstanceEndpoint,
   normalizeSignalEndpoint,
   headersToString,
+  legacyCredentialRelativePaths,
+  runtimeCredentialRelativePaths,
+  adminCredentialRelativePaths,
   credentialRelativePaths,
   resolveLocalCredentialsFile,
   resolveGlobalCredentialsFile,
+  resolveLocalAdminCredentialsFile,
+  resolveGlobalAdminCredentialsFile,
   loadCredentials,
   loadLocalCredentials,
   loadGlobalCredentials,

package/cli/apiKey.js

@@ -12,16 +12,24 @@ function maskKey(key) {
 async function create(args, flags) {
   requireAuth();
 
-  const name = flags.name || args.join(' ').trim() || 'CLI firewall';
-  const preset = flags.preset || 'firewall';
+  const name = flags.name || args.join(' ').trim() || 'CLI runtime';
+  const preset = flags.preset || 'runtime_app';
   const local = flags.global ? false : true;
+  const app = config.getApp();
 
   const s = ui.spinner(`Creating ${preset} API key`);
   try {
-    const result = await api.post('/api-keys', { name, preset });
+    const body = { name, preset };
+    if (flags.app) {
+      body.apps = [flags.app];
+    } else if (preset === 'runtime_app' && app?.key) {
+      body.apps = [app.key];
+    }
+
+    const result = await api.post('/api-keys', body);
     const key = result && result.key;
     if (!key || !key.startsWith('snk_live_')) {
-      throw new Error('API did not return a valid firewall key');
+      throw new Error('API did not return a valid runtime key');
     }
 
     config.setApiKey(key, { local });
@@ -34,16 +42,17 @@ async function create(args, flags) {
         name: result.apiKey?.name || name,
         preset,
         key: maskKey(key),
-        savedTo: local ? 'project .securenow/credentials.json' : '~/.securenow/credentials.json',
+        appScope: body.apps || [],
+        savedTo: local ? 'project .securenow/runtime.json' : '~/.securenow/runtime.json',
       });
       return;
     }
 
     ui.success(`API key saved (${maskKey(key)})`);
     ui.info(local
-      ? 'Stored in project .securenow/credentials.json (local)'
-      : 'Stored in ~/.securenow/credentials.json (global)');
-    ui.info('The plaintext key is not printed. The SDK will read it from the credentials file.');
+      ? 'Stored in project .securenow/runtime.json (local)'
+      : 'Stored in ~/.securenow/runtime.json (global)');
+    ui.info('The plaintext key is not printed. The SDK will read it from the runtime credentials file.');
   } catch (err) {
     s.fail('Failed to create API key');
     throw err;
@@ -68,8 +77,8 @@ async function set(args, flags) {
 
   ui.success(`API key saved (${maskKey(key)})`);
   ui.info(local
-    ? 'Stored in project .securenow/credentials.json (local)'
-    : 'Stored in ~/.securenow/credentials.json (global)');
+    ? 'Stored in project .securenow/runtime.json (local)'
+    : 'Stored in ~/.securenow/runtime.json (global)');
   ui.info('The firewall will now pick it up automatically — no SECURENOW_API_KEY env var needed.');
 }
 
@@ -87,11 +96,11 @@ async function clear(args, flags) {
 async function show() {
   const key = config.getApiKey();
   if (!key) {
-    ui.info('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    ui.info('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
     return;
   }
   console.log(maskKey(key));
-  ui.info(`Source: ${config.getAuthSource()}`);
+  ui.info(`Source: ${config.getRuntimeSource()}`);
 }
 
 module.exports = { create, set, clear, show };

package/cli/apps.js

@@ -66,7 +66,7 @@ async function list(args, flags) {
     if (!defaultApp && apps.length > 0) {
       console.log(`  ${ui.c.bold('Use one of these apps in the current project:')}`);
       console.log(`    ${ui.c.bold('securenow apps default <key>')}`);
-      console.log(`  ${ui.c.dim('(or run `securenow login` to pick interactively)')}`);
+      console.log(`  ${ui.c.dim('(or run `securenow app connect` to pick interactively)')}`);
       console.log('');
     }
   } catch (err) {
@@ -127,7 +127,7 @@ async function create(args, flags) {
     console.log('');
     console.log(`  ${ui.c.bold('Use this app in the current project:')}`);
     console.log(`    ${ui.c.bold(`securenow apps default ${app.key}`)}`);
-    console.log(`  ${ui.c.dim('(writes .securenow/credentials.json — no env var needed)')}`);
+    console.log(`  ${ui.c.dim('(writes .securenow/runtime.json - no env var needed)')}`);
     console.log('');
 
     if (flags.json) {
@@ -285,7 +285,7 @@ async function setDefault(args) {
   }
   config.setConfigValue('defaultApp', key);
 
-  // Mirror into credentials.json so the SDK picks this app up with zero env vars.
+  // Mirror into runtime credentials so the SDK picks this app up with zero env vars.
   try {
     requireAuth();
     const appData = await api.get(`/applications/${key}`);