securenow 7.7.16 → 8.0.0

package/cli/auth.js

@@ -50,9 +50,10 @@ function decodeJwtPayload(token) {
   }
 }
 
-async function loginWithBrowser() {
+async function loginWithBrowser(options = {}) {
   const appUrl = config.getAppUrl();
   const nonce = crypto.randomBytes(24).toString('base64url');
+  const mode = options.mode || null;
 
   return new Promise((resolve, reject) => {
     let pendingToken = null;
@@ -108,7 +109,7 @@ async function loginWithBrowser() {
           const email = payload?.email || 'unknown account';
           const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
           const port = server.address().port;
-          const switchUrl = buildCliAuthUrl(appUrl, port, nonce, { force_login: 1 });
+          const switchUrl = buildCliAuthUrl(appUrl, port, nonce, { force_login: 1, ...(mode ? { mode } : {}) });
 
           res.end([
             '<!DOCTYPE html><html><head><meta charset="utf-8"><title>SecureNow CLI Login</title></head>',
@@ -181,7 +182,7 @@ async function loginWithBrowser() {
 
     server.listen(0, '127.0.0.1', () => {
       const port = server.address().port;
-      const authUrl = buildCliAuthUrl(appUrl, port, nonce);
+      const authUrl = buildCliAuthUrl(appUrl, port, nonce, mode ? { mode } : {});
 
       console.log('');
       ui.info('Opening browser for authentication...');
@@ -200,7 +201,7 @@ async function loginWithBrowser() {
 
       const timeout = setTimeout(() => {
         closeServer();
-        reject(new CLIError('Login timed out after 5 minutes. Try `securenow login --token <TOKEN>` instead.'));
+        reject(new CLIError('Login timed out after 5 minutes. Try `securenow admin login --token <TOKEN>` instead.'));
       }, 5 * 60 * 1000);
 
       server.on('close', () => clearTimeout(timeout));
@@ -235,7 +236,7 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp, { local, enableFirewall: true });
+    config.setAuth(token, email, exp, { local });
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
@@ -253,17 +254,28 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp, { local, app, enableFirewall: true });
-    if (apiKey) config.setApiKey(apiKey, { local });
+    config.setAuth(token, email, exp, { local });
+    if (app && (app.key || app.name)) {
+      config.setRuntime({
+        apiKey: apiKey || config.getApiKey() || null,
+        app: {
+          key: app.key || null,
+          name: app.name || null,
+        },
+      }, { local });
+    }
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
-    ui.info(local ? 'Credentials saved to project .securenow/ (local)' : 'Credentials saved to ~/.securenow/ (global)');
+    ui.info(local ? 'Admin auth saved to project .securenow/admin.json' : 'Admin auth saved to ~/.securenow/admin.json');
     if (app && (app.name || app.key)) {
       ui.info(`Linked to app ${ui.c.bold(app.name || app.key)}${app.key ? ` (${ui.c.dim(app.key)})` : ''}`);
+      ui.info(local ? 'Runtime app config saved to project .securenow/runtime.json' : 'Runtime app config saved to ~/.securenow/runtime.json');
+    } else {
+      ui.info('Runtime app config was not changed.');
     }
     if (apiKey) {
-      ui.info(`Firewall API key saved — the firewall will activate automatically on next start`);
+      ui.info(`Runtime API key saved — telemetry ingestion and firewall sync will authenticate automatically on next start`);
     }
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
@@ -276,7 +288,7 @@ async function login(args, flags) {
       console.log('');
       console.log(`  1. Go to ${ui.c.cyan(config.getAppUrl() + '/dashboard/settings')}`);
       console.log(`  2. Copy your CLI token`);
-      console.log(`  3. Run: ${ui.c.bold('securenow login --token <YOUR_TOKEN>')}`);
+      console.log(`  3. Run: ${ui.c.bold('securenow admin login --token <YOUR_TOKEN>')}`);
       console.log('');
     } else {
       throw err;
@@ -284,48 +296,118 @@ async function login(args, flags) {
   }
 }
 
+async function adminLogin(args, flags) {
+  const local = flags.global ? false : true;
+
+  if (flags.token) {
+    const token = flags.token;
+    await loginWithToken(token);
+    const payload = decodeJwtPayload(token);
+    const email = payload?.email || 'unknown';
+    const exp = payload?.exp ? payload.exp * 1000 : null;
+    config.setAuth(token, email, exp, { local });
+    if (local) config.ensureLocalGitignore();
+    ui.success(`Admin auth connected as ${ui.c.bold(email)}`);
+    ui.info(local ? 'Saved to project .securenow/admin.json' : 'Saved to ~/.securenow/admin.json');
+    return;
+  }
+
+  const { token } = await loginWithBrowser({ mode: 'admin' });
+  const payload = decodeJwtPayload(token);
+  const email = payload?.email || 'unknown';
+  const exp = payload?.exp ? payload.exp * 1000 : null;
+  config.setAuth(token, email, exp, { local });
+  if (local) config.ensureLocalGitignore();
+  ui.success(`Admin auth connected as ${ui.c.bold(email)}`);
+  ui.info(local ? 'Saved to project .securenow/admin.json' : 'Saved to ~/.securenow/admin.json');
+  ui.info('Runtime app config was not changed.');
+}
+
+async function appConnect(args, flags) {
+  const local = flags.global ? false : true;
+  const { app, apiKey } = await loginWithBrowser({ mode: 'runtime' });
+
+  if (!app || !app.key) {
+    throw new CLIError('No app was selected. Runtime app config was not changed.');
+  }
+
+  config.setRuntime({
+    apiKey: apiKey || config.getApiKey() || null,
+    app: {
+      key: app.key,
+      name: app.name || null,
+    },
+  }, { local });
+  if (local) config.ensureLocalGitignore();
+
+  ui.success(`Runtime app connected to ${ui.c.bold(app.name || app.key)}`);
+  ui.info(local ? 'Saved to project .securenow/runtime.json' : 'Saved to ~/.securenow/runtime.json');
+  if (apiKey) {
+    ui.info('Runtime API key saved; SDK telemetry and firewall sync can run without an admin token.');
+  } else {
+    ui.warn('No runtime API key was returned. Run `securenow api-key create` before sending telemetry.');
+  }
+  ui.info('Admin auth was not changed.');
+}
+
 async function logout(args, flags) {
   // Default: clear project-local. --global clears ~/.securenow/.
   const local = !(flags && flags.global);
-  const creds = config.loadCredentials();
+  const creds = config.loadAdminCredentials();
   config.clearCredentials({ local });
   if (creds.email) {
-    ui.success(`Logged out from ${ui.c.bold(creds.email)}`);
+    ui.success(`Admin auth logged out from ${ui.c.bold(creds.email)}`);
   } else {
-    ui.success('Logged out');
+    ui.success('Admin auth logged out');
   }
-  ui.info(local ? 'Cleared project-local credentials (.securenow/)' : 'Cleared global credentials (~/.securenow/)');
+  ui.info(local ? 'Cleared project-local admin auth (.securenow/admin.json)' : 'Cleared global admin auth (~/.securenow/admin.json)');
+  ui.info('Runtime app config was not changed.');
 }
 
 async function whoami() {
-  const creds = config.loadCredentials();
+  const admin = config.loadAdminCredentials();
+  const runtime = config.loadRuntimeCredentials();
   const token = config.getToken();
 
-  if (!token) {
-    ui.error('Not logged in. Run `securenow login` to authenticate.');
-    process.exit(1);
-  }
-
   const payload = decodeJwtPayload(token);
 
-  ui.heading('Current Session');
+  ui.heading('SecureNow Connection Status');
   console.log('');
-  const pairs = [
-    ['Email', creds.email || payload?.email || 'unknown'],
-    ['User ID', payload?.sub || 'unknown'],
-    ['API', config.getApiUrl()],
-    ['Auth Source', config.getAuthSource()],
+  const adminPairs = [
+    ['Status', token ? ui.c.green('connected') : ui.c.red('not connected')],
+    ['Email', token ? (admin.email || payload?.email || 'unknown') : '—'],
+    ['User ID', token ? (payload?.sub || 'unknown') : '—'],
+    ['Auth Source', token ? config.getAuthSource() : '—'],
+    ['System-rule admin', token ? 'server-enforced; use admin tools to verify' : 'no admin token'],
   ];
-  if (creds.expiresAt) {
-    const days = Math.ceil((creds.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
-    pairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
+  if (admin.expiresAt) {
+    const days = Math.ceil((admin.expiresAt - Date.now()) / (1000 * 60 * 60 * 24));
+    adminPairs.push(['Expires', days > 0 ? `in ${days} days` : ui.c.red('expired')]);
   }
+
+  ui.heading('Admin CLI / MCP');
+  ui.keyValue(adminPairs);
+  console.log('');
+
+  const runtimePairs = [
+    ['Status', runtime.app?.key ? ui.c.green('connected') : ui.c.red('no app selected')],
+    ['App', runtime.app?.name || '—'],
+    ['App Key', runtime.app?.key || '—'],
+    ['Runtime API Key', runtime.apiKey ? ui.c.green('present') : ui.c.yellow('missing')],
+    ['Environment', runtime.config?.runtime?.deploymentEnvironment || 'production'],
+    ['Runtime Source', config.getRuntimeSource()],
+    ['API', config.getApiUrl()],
+  ];
   const defaultApp = config.getDefaultApp();
   if (defaultApp) {
-    pairs.push(['Default App', defaultApp]);
+    runtimePairs.push(['CLI Default App', defaultApp]);
   }
-  ui.keyValue(pairs);
+  ui.heading('SDK Runtime');
+  ui.keyValue(runtimePairs);
   console.log('');
+
+  if (!token) ui.info('Run `securenow admin login` for admin/control-plane CLI and MCP tools.');
+  if (!runtime.app?.key) ui.info('Run `securenow app connect` to select an app and write SDK runtime config.');
 }
 
-module.exports = { login, logout, whoami };
+module.exports = { login, logout, whoami, adminLogin, appConnect, loginWithBrowser };

package/cli/client.js

@@ -50,14 +50,15 @@ function request(method, endpoint, { body, query, token, raw } = {}) {
           parsed = data;
         }
 
-        if (res.statusCode === 401) {
-          reject(new CLIError('Session expired. Run `securenow login` to re-authenticate.', 401));
-          return;
-        }
-        if (res.statusCode === 403) {
-          reject(new CLIError('Access denied. You may need to upgrade your plan.', 403));
-          return;
-        }
+        if (res.statusCode === 401) {
+          reject(new CLIError('Admin auth is missing or expired. Run `securenow admin login` to re-authenticate. Runtime app credentials are unrelated.', 401));
+          return;
+        }
+        if (res.statusCode === 403) {
+          const msg = parsed?.error || parsed?.message || 'Access denied';
+          reject(new CLIError(`${msg}. Admin auth is connected, but this user/plan may lack permission for this control-plane operation. Runtime app connection is unrelated.`, 403));
+          return;
+        }
         if (res.statusCode >= 400) {
           const msg = parsed?.error || parsed?.message || `Request failed (HTTP ${res.statusCode})`;
           const details = parsed?.details || parsed?.unauthorizedKeys;
@@ -96,11 +97,11 @@ class CLIError extends Error {
 }
 
 function requireAuth() {
-  const token = config.getToken();
-  if (!token) {
-    ui.error('Not logged in. Run `securenow login` first.');
-    process.exit(1);
-  }
+  const token = config.getToken();
+  if (!token) {
+    ui.error('Admin auth is not connected. Run `securenow admin login` first.');
+    process.exit(1);
+  }
   return token;
 }
 

package/cli/config.js

@@ -8,10 +8,14 @@ const appConfig = require('../app-config');
 const CONFIG_DIR = path.join(os.homedir(), '.securenow');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
 const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
+const ADMIN_CREDENTIALS_FILE = path.join(CONFIG_DIR, 'admin.json');
+const RUNTIME_CREDENTIALS_FILE = path.join(CONFIG_DIR, 'runtime.json');
 
 const LOCAL_CONFIG_DIR = path.join(process.cwd(), '.securenow');
 const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
 const LOCAL_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'credentials.json');
+const LOCAL_ADMIN_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'admin.json');
+const LOCAL_RUNTIME_CREDENTIALS_FILE = path.join(LOCAL_CONFIG_DIR, 'runtime.json');
 
 const DEFAULTS = {
   apiUrl: 'https://api.securenow.ai',
@@ -57,18 +61,89 @@ function credentialsFileForLocal(local) {
   return local ? LOCAL_CREDENTIALS_FILE : CREDENTIALS_FILE;
 }
 
+function adminCredentialsFileForLocal(local) {
+  return local ? LOCAL_ADMIN_CREDENTIALS_FILE : ADMIN_CREDENTIALS_FILE;
+}
+
+function runtimeCredentialsFileForLocal(local) {
+  return local ? LOCAL_RUNTIME_CREDENTIALS_FILE : RUNTIME_CREDENTIALS_FILE;
+}
+
+function normalizeRuntimeCredentials(creds) {
+  const payload = { ...(creds || {}) };
+  delete payload.token;
+  delete payload.email;
+  delete payload.expiresAt;
+  delete payload.admin;
+  return appConfig.withCredentialDefaults(payload) || {};
+}
+
+function normalizeAdminCredentials(creds) {
+  const payload = { ...(creds || {}) };
+  delete payload.apiKey;
+  delete payload.app;
+  delete payload.config;
+  delete payload.runtime;
+  return payload;
+}
+
+function splitCredentialDocument(raw = {}) {
+  const doc = raw && typeof raw === 'object' && !Array.isArray(raw) ? raw : {};
+  const runtime = doc.runtime && typeof doc.runtime === 'object' && !Array.isArray(doc.runtime)
+    ? doc.runtime
+    : doc;
+  const admin = doc.admin && typeof doc.admin === 'object' && !Array.isArray(doc.admin)
+    ? doc.admin
+    : doc;
+  return { runtime, admin };
+}
+
+function pickExistingFile(...files) {
+  for (const file of files) {
+    try {
+      if (file && fs.existsSync(file)) return file;
+    } catch {}
+  }
+  return null;
+}
+
 function hasLocalCredentials() {
-  return !!appConfig.resolveLocalCredentialsFile();
+  return !!(
+    appConfig.resolveLocalCredentialsFile() ||
+    appConfig.resolveLocalAdminCredentialsFile()
+  );
 }
 
 function resolveCredentialsFile() {
   return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || CREDENTIALS_FILE;
 }
 
+function resolveAdminCredentialsFile() {
+  return appConfig.resolveLocalAdminCredentialsFile() || appConfig.resolveGlobalAdminCredentialsFile() || ADMIN_CREDENTIALS_FILE;
+}
+
+function resolveRuntimeCredentialsFile() {
+  return appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile() || RUNTIME_CREDENTIALS_FILE;
+}
+
 function getAuthSource() {
-  if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
-  if (appConfig.resolveLocalCredentialsFile()) return 'project (.securenow/)';
-  return 'global (~/.securenow/)';
+  const file = appConfig.resolveLocalAdminCredentialsFile() || appConfig.resolveGlobalAdminCredentialsFile();
+  if (!file) return 'not configured';
+  if (file.includes(`${path.sep}.securenow${path.sep}`) && file.startsWith(process.cwd())) {
+    return file.endsWith('admin.json') ? 'project admin (.securenow/admin.json)' : 'project legacy (.securenow/credentials.json)';
+  }
+  if (file.endsWith('admin.json')) return 'global admin (~/.securenow/admin.json)';
+  return 'global legacy (~/.securenow/credentials.json)';
+}
+
+function getRuntimeSource() {
+  const file = appConfig.resolveLocalCredentialsFile() || appConfig.resolveGlobalCredentialsFile();
+  if (!file) return 'not configured';
+  if (file.includes(`${path.sep}.securenow${path.sep}`) && file.startsWith(process.cwd())) {
+    return file.endsWith('runtime.json') ? 'project runtime (.securenow/runtime.json)' : 'project legacy (.securenow/credentials.json)';
+  }
+  if (file.endsWith('runtime.json')) return 'global runtime (~/.securenow/runtime.json)';
+  return 'global legacy (~/.securenow/credentials.json)';
 }
 
 function loadConfig() {
@@ -98,14 +173,109 @@ function setConfigValue(key, value) {
 }
 
 function loadCredentials() {
-  const credentialsFile = resolveCredentialsFile();
-  const credentials = loadJSON(credentialsFile);
-  return appConfig.withCredentialDefaults(credentials) || {};
+  const legacy = splitCredentialDocument(loadJSON(resolveCredentialsFile()));
+  const runtime = loadRuntimeCredentials();
+  const admin = loadAdminCredentials();
+  return appConfig.mergeCredentials(
+    normalizeRuntimeCredentials(runtime || legacy.runtime),
+    normalizeAdminCredentials(admin || legacy.admin)
+  ) || {};
 }
 
 function saveCredentials(creds, { local = false } = {}) {
-  const targetFile = credentialsFileForLocal(local);
-  saveJSON(targetFile, appConfig.withCredentialDefaults(creds) || {});
+  saveRuntimeCredentials(creds, { local });
+}
+
+function loadAdminCredentials() {
+  const adminFile = pickExistingFile(
+    appConfig.resolveLocalAdminCredentialsFile(),
+    appConfig.resolveGlobalAdminCredentialsFile()
+  );
+  if (!adminFile) return {};
+  const { admin } = splitCredentialDocument(loadJSON(adminFile));
+  return normalizeAdminCredentials(admin);
+}
+
+function saveAdminCredentials(creds, { local = false } = {}) {
+  const targetFile = adminCredentialsFileForLocal(local);
+  const existing = normalizeAdminCredentials(loadJSON(targetFile));
+  const payload = normalizeAdminCredentials({ ...existing, ...(creds || {}) });
+  payload._securenow = {
+    ...(payload._securenow || {}),
+    schemaVersion: appConfig.CONFIG_SCHEMA_VERSION,
+    note: 'SecureNow admin/control-plane CLI and MCP auth. This file may contain a user session token; do not commit it.',
+    runtimeSeparate: 'SDK runtime app credentials live in runtime.json and are not changed by admin login/logout.',
+  };
+  saveJSON(targetFile, payload);
+}
+
+function stripAdminFromCredentialFile(filepath) {
+  try {
+    if (!filepath || !fs.existsSync(filepath)) return;
+    const doc = loadJSON(filepath);
+    if (!doc || typeof doc !== 'object' || Array.isArray(doc)) return;
+
+    let changed = false;
+    if (doc.admin) {
+      delete doc.admin;
+      changed = true;
+    }
+    for (const field of ['token', 'email', 'expiresAt', 'roles', 'plan', 'user', 'userId']) {
+      if (Object.prototype.hasOwnProperty.call(doc, field)) {
+        delete doc[field];
+        changed = true;
+      }
+    }
+    if (changed) saveJSON(filepath, doc);
+  } catch {}
+}
+
+function clearAdminCredentials({ local } = {}) {
+  try {
+    const useLocal = local === true || (local == null && pickExistingFile(LOCAL_ADMIN_CREDENTIALS_FILE, LOCAL_CREDENTIALS_FILE));
+    if (useLocal) {
+      fs.unlinkSync(LOCAL_ADMIN_CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(ADMIN_CREDENTIALS_FILE);
+    }
+  } catch {}
+  if (local === true) {
+    stripAdminFromCredentialFile(LOCAL_CREDENTIALS_FILE);
+  } else if (local === false) {
+    stripAdminFromCredentialFile(CREDENTIALS_FILE);
+  } else if (pickExistingFile(LOCAL_CREDENTIALS_FILE)) {
+    stripAdminFromCredentialFile(LOCAL_CREDENTIALS_FILE);
+  } else {
+    stripAdminFromCredentialFile(CREDENTIALS_FILE);
+  }
+}
+
+function loadRuntimeCredentials() {
+  const runtimeFile = pickExistingFile(
+    appConfig.resolveLocalCredentialsFile(),
+    appConfig.resolveGlobalCredentialsFile()
+  );
+  if (!runtimeFile) return {};
+  const { runtime } = splitCredentialDocument(loadJSON(runtimeFile));
+  return normalizeRuntimeCredentials(runtime);
+}
+
+function saveRuntimeCredentials(creds, { local = false } = {}) {
+  const targetFile = runtimeCredentialsFileForLocal(local);
+  const existing = normalizeRuntimeCredentials(loadJSON(targetFile));
+  saveJSON(targetFile, normalizeRuntimeCredentials(appConfig.mergeCredentials(existing, creds || {}) || {}));
+}
+
+function clearRuntimeCredentials({ local } = {}) {
+  try {
+    if (local === true) {
+      fs.unlinkSync(LOCAL_RUNTIME_CREDENTIALS_FILE);
+    } else if (local === false || !pickExistingFile(LOCAL_RUNTIME_CREDENTIALS_FILE)) {
+      fs.unlinkSync(RUNTIME_CREDENTIALS_FILE);
+    } else {
+      fs.unlinkSync(LOCAL_RUNTIME_CREDENTIALS_FILE);
+    }
+  } catch {}
 }
 
 function withOnboardingFirewallEnabled(creds) {
@@ -118,8 +288,8 @@ function withOnboardingFirewallEnabled(creds) {
 
 function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
+  const targetFile = runtimeCredentialsFileForLocal(useLocal);
+  const existing = useLocal ? loadRuntimeCredentials() : loadJSON(targetFile);
   const payload = enableFirewall
     ? withOnboardingFirewallEnabled(existing || {})
     : appConfig.withCredentialDefaults(existing || {}) || {};
@@ -127,21 +297,11 @@ function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
 }
 
 function clearCredentials({ local } = {}) {
-  try {
-    if (local === true) {
-      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
-    } else if (local === false || !hasLocalCredentials()) {
-      fs.unlinkSync(CREDENTIALS_FILE);
-    } else {
-      fs.unlinkSync(LOCAL_CREDENTIALS_FILE);
-    }
-  } catch {}
+  clearAdminCredentials({ local });
 }
 
 function getToken() {
-  if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
-
-  const creds = loadCredentials();
+  const creds = loadAdminCredentials();
   if (!creds.token) return null;
 
   if (creds.expiresAt && Date.now() > creds.expiresAt) {
@@ -150,66 +310,62 @@ function getToken() {
   return creds.token;
 }
 
-function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
-  const targetFile = credentialsFileForLocal(local);
-  const payload = { ...loadJSON(targetFile), token, email, expiresAt };
-  if (app && (app.key || app.name)) {
-    payload.app = {
-      key: app.key || null,
-      name: app.name || null,
-    };
-  }
-  saveJSON(
-    targetFile,
-    enableFirewall ? withOnboardingFirewallEnabled(payload) : appConfig.withCredentialDefaults(payload) || {}
-  );
+function setAuth(token, email, expiresAt, { local = false } = {}) {
+  saveAdminCredentials({ token, email, expiresAt }, { local });
 }
 
 function getApp() {
-  const creds = loadCredentials();
+  const creds = loadRuntimeCredentials();
   return creds && creds.app ? creds.app : null;
 }
 
 function setApiKey(apiKey, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
-  saveJSON(targetFile, withOnboardingFirewallEnabled({ ...existing, apiKey }));
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(withOnboardingFirewallEnabled({ ...existing, apiKey }), { local: useLocal });
 }
 
 function clearApiKey({ local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = loadJSON(targetFile);
+  const existing = loadRuntimeCredentials();
   if (!existing || !existing.apiKey) return;
   delete existing.apiKey;
-  saveJSON(targetFile, appConfig.withCredentialDefaults(existing) || existing);
+  saveRuntimeCredentials(appConfig.withCredentialDefaults(existing) || existing, { local: useLocal });
 }
 
 function getApiKey() {
-  const creds = loadCredentials();
+  const creds = loadRuntimeCredentials();
   return creds && creds.apiKey ? creds.apiKey : null;
 }
 
 function setApp(app, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
-  const targetFile = credentialsFileForLocal(useLocal);
-  const existing = useLocal ? credentialsForWrite(targetFile) : loadJSON(targetFile);
-  saveJSON(targetFile, appConfig.withCredentialDefaults({
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(appConfig.withCredentialDefaults({
     ...existing,
     app: {
       key: app.key || null,
       name: app.name || null,
     },
-  }) || {});
+  }) || {}, { local: useLocal });
+}
+
+function setRuntime(runtime, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const existing = loadRuntimeCredentials();
+  saveRuntimeCredentials(withOnboardingFirewallEnabled(appConfig.mergeCredentials(existing, runtime || {}) || {}), { local: useLocal });
 }
 
 function ensureLocalGitignore() {
   const gitignorePath = path.join(process.cwd(), '.gitignore');
   const legacyEntry = '.securenow/';
   const entries = [
+    '.securenow/admin.json',
+    '.securenow/runtime.json',
     '.securenow/credentials.json',
     '.securenow/credentials.*.json',
+    '!.securenow/admin.example.json',
+    '!.securenow/runtime.example.json',
     '!.securenow/credentials.example.json',
     '!.securenow/credentials.*.example.json',
   ];
@@ -250,41 +406,52 @@ function ensureLocalGitignore() {
 }
 
 function getApiUrl() {
-  if (process.env.SECURENOW_API_URL) return process.env.SECURENOW_API_URL;
   const cfg = loadConfig();
   if (cfg.apiUrl && cfg.apiUrl !== DEFAULTS.apiUrl) return cfg.apiUrl;
-  return appConfig.env('SECURENOW_API_URL') || cfg.apiUrl;
+  return cfg.apiUrl;
 }
 
 function getAppUrl() {
-  return process.env.SECURENOW_APP_URL || loadConfig().appUrl;
+  return loadConfig().appUrl;
 }
 
 function getDefaultApp() {
-  return process.env.SECURENOW_APP || loadConfig().defaultApp;
+  return loadConfig().defaultApp;
 }
 
 module.exports = {
   CONFIG_DIR,
   CONFIG_FILE,
   CREDENTIALS_FILE,
+  ADMIN_CREDENTIALS_FILE,
+  RUNTIME_CREDENTIALS_FILE,
   LOCAL_CONFIG_DIR,
   LOCAL_CREDENTIALS_FILE,
+  LOCAL_ADMIN_CREDENTIALS_FILE,
+  LOCAL_RUNTIME_CREDENTIALS_FILE,
   loadConfig,
   saveConfig,
   getConfigValue,
   setConfigValue,
   loadCredentials,
   saveCredentials,
+  loadAdminCredentials,
+  saveAdminCredentials,
+  clearAdminCredentials,
+  loadRuntimeCredentials,
+  saveRuntimeCredentials,
+  clearRuntimeCredentials,
   clearCredentials,
   getToken,
   setAuth,
   getApp,
   setApp,
+  setRuntime,
   setApiKey,
   clearApiKey,
   getApiKey,
   getAuthSource,
+  getRuntimeSource,
   hasLocalCredentials,
   ensureCredentialDefaults,
   withOnboardingFirewallEnabled,