securenow 7.7.16 → 8.0.0

package/mcp/server.js

@@ -43,29 +43,83 @@ function fail(id, code, message, data) {
   });
 }
 
-function bearerToken() {
-  return config.getToken() || config.getApiKey();
+const RUNTIME_READ_SCOPES = new Set(['firewall:read', 'blocklist:read', 'allowlist:read']);
+
+function toolCanUseRuntimeApiKey(tool) {
+  return tool && tool.readOnly !== false && RUNTIME_READ_SCOPES.has(tool.scope);
+}
+
+function withRuntimeAppDefaults(tool, args = {}) {
+  const runtimeApp = config.getApp();
+  if (!runtimeApp?.key) return args;
+  const next = { ...args };
+  const fields = new Set([
+    ...(tool.queryFields || []),
+    ...(tool.bodyFields || []),
+    ...(tool.pathParams || []),
+  ]);
+
+  if (fields.has('appKey') && !next.appKey) next.appKey = runtimeApp.key;
+  if (fields.has('applicationKey') && !next.applicationKey) next.applicationKey = runtimeApp.key;
+  if (fields.has('appKeys') && !next.appKeys) next.appKeys = runtimeApp.key;
+  return next;
+}
+
+function requiresExplicitOrRuntimeApp(tool) {
+  const required = new Set(tool?.inputSchema?.required || []);
+  return required.has('appKey') || required.has('appKeys') || required.has('applicationKey');
+}
+
+function hasAppScopeArg(args = {}) {
+  return !!(args.appKey || args.appKeys || args.applicationKey);
+}
+
+function bearerForTool(tool) {
+  const adminToken = config.getToken();
+  if (adminToken) return { token: adminToken, plane: 'admin' };
+
+  const runtimeKey = config.getApiKey();
+  if (runtimeKey && toolCanUseRuntimeApiKey(tool)) {
+    return { token: runtimeKey, plane: 'runtime' };
+  }
+
+  return { token: null, plane: toolCanUseRuntimeApiKey(tool) ? 'runtime' : 'admin' };
 }
 
 function localAuthStatus() {
   const cfg = config.loadConfig();
   const app = config.getApp();
+  const admin = config.loadAdminCredentials();
+  const runtime = config.loadRuntimeCredentials();
   const token = config.getToken();
   const apiKey = config.getApiKey();
   const hasBearer = !!(token || apiKey);
-  const runtimeFirewallWarning = token && !apiKey
-    ? 'MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.'
+  const runtimeFirewallWarning = app && !apiKey
+    ? 'Runtime app is connected, but the runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.'
     : null;
   return {
     authenticated: hasBearer,
+    adminAuthenticated: !!token,
+    runtimeConnected: !!app?.key,
     sessionTokenAvailable: !!token,
     apiKeyAvailable: !!apiKey,
     runtimeFirewallKeyAvailable: !!apiKey,
-    authSource: config.getAuthSource(),
+    adminAuthSource: token ? config.getAuthSource() : null,
+    runtimeSource: config.getRuntimeSource(),
     apiUrl: config.getApiUrl(),
     appUrl: config.getAppUrl(),
     defaultApp: config.getDefaultApp(),
     app: app || null,
+    admin: token ? {
+      email: admin.email || null,
+      expiresAt: admin.expiresAt || null,
+      systemRuleAdmin: 'server-enforced',
+    } : null,
+    runtime: {
+      app: runtime.app || null,
+      environment: runtime.config?.runtime?.deploymentEnvironment || null,
+      apiKeyAvailable: !!apiKey,
+    },
     token: token ? maskSecret(token) : null,
     apiKey: apiKey ? maskSecret(apiKey) : null,
     config: {
@@ -76,10 +130,10 @@ function localAuthStatus() {
     },
     warnings: runtimeFirewallWarning ? [runtimeFirewallWarning] : [],
     nextStep: token
-      ? runtimeFirewallWarning
+      ? (runtimeFirewallWarning || (!app?.key ? 'Run `npx securenow app connect` to connect SDK runtime to an app.' : null))
       : apiKey
-        ? 'Using a scoped API key. Run `npx securenow login` for account-wide MCP tools.'
-        : 'Run `npx securenow login` from the project root.',
+        ? 'Using runtime API key for limited runtime read tools. Run `npx securenow admin login` for account-wide MCP tools.'
+        : 'Run `npx securenow admin login` for control-plane tools and `npx securenow app connect` for SDK runtime.',
   };
 }
 
@@ -94,12 +148,19 @@ async function callApiTool(tool, args) {
     throw new Error(`${tool.name} is only available in the local MCP server.`);
   }
 
-  const token = bearerToken();
+  const finalArgs = withRuntimeAppDefaults(tool, args);
+  if (requiresExplicitOrRuntimeApp(tool) && !hasAppScopeArg(finalArgs)) {
+    throw new Error(`${tool.name} requires an app scope. Pass applicationKey/appKey/appKeys explicitly or run \`npx securenow app connect\` to configure runtime app credentials.`);
+  }
+  const { token, plane } = bearerForTool(tool);
   if (!token) {
-    throw new Error('Not authenticated. Run `npx securenow login` from the project root, then retry.');
+    if (plane === 'runtime') {
+      throw new Error('Runtime credentials are missing. Run `npx securenow app connect` or pass an explicit app key, then retry.');
+    }
+    throw new Error('Admin auth is missing. Run `npx securenow admin login` from the project root, then retry. Runtime app credentials cannot grant admin/control-plane permissions.');
   }
 
-  const request = buildApiRequest(tool, args);
+  const request = buildApiRequest(tool, finalArgs);
   const options = {
     token,
     ...(Object.keys(request.query || {}).length > 0 ? { query: request.query } : {}),
@@ -197,7 +258,7 @@ async function handleRequest(message) {
       const result = await callApiTool(tool, args);
       return ok(id, asToolResult({
         tool: name,
-        arguments: sanitizeArgs(args),
+        arguments: sanitizeArgs(withRuntimeAppDefaults(tool, args)),
         result,
       }));
     }

package/nextjs-auto-capture.js

@@ -18,7 +18,6 @@
 
 const { trace } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -56,8 +55,8 @@ async function safeBodyCapture(request, span) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -127,8 +126,7 @@ async function safeBodyCapture(request, span) {
  * Check if body capture is enabled
  */
 function isBodyCaptureEnabled() {
-  // Opt-out default: set config.capture.body=false to disable.
-  return !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
+  return appConfig.boolConfig('capture.body', true);
 }
 
 /**
@@ -195,4 +193,3 @@ module.exports = {
   isBodyCaptureEnabled,
 };
 
-

package/nextjs-middleware.js

@@ -17,7 +17,6 @@
 
 const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -101,8 +100,8 @@ async function middleware(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only capture supported types
@@ -184,4 +183,3 @@ module.exports = {
 };
 
 
-

package/nextjs-wrapper.js

@@ -17,7 +17,6 @@
 
 const { trace } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -51,8 +50,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
  * Capture body from Request object (clone to avoid consuming)
  */
 async function captureRequestBody(request) {
-  // Opt-out default: set config.capture.body=false to disable.
-  const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
+  const captureBody = appConfig.boolConfig('capture.body', true);
   
   if (!captureBody) return;
   if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
@@ -62,8 +60,8 @@ async function captureRequestBody(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -155,4 +153,3 @@ module.exports = {
   DEFAULT_SENSITIVE_FIELDS,
 };
 
-

package/nextjs.js

@@ -31,10 +31,13 @@
  */
 
 const { randomUUID } = require('crypto');
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
 const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
 
+defaultMetricsExporterToNone();
+
 let isRegistered = false;
 
 function requireRuntimeModule(name) {
@@ -183,16 +186,6 @@ function registerSecureNow(options = {}) {
     const otelLogLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
     const isDevelopmentRuntime = process.env.NODE_ENV === 'development';
 
-    // @vercel/otel still reads OTel process variables internally. These are
-    // derived from credentials JSON; customers do not set them.
-    if (isVercel) {
-      if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
-      if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-      if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
-      const headerString = appConfig.headersToString(headers);
-      if (headerString && !process.env.OTEL_EXPORTER_OTLP_HEADERS) process.env.OTEL_EXPORTER_OTLP_HEADERS = headerString;
-    }
-
     console.log('[securenow] Next.js App -> service.name=%s', serviceName);
     console.log('[securenow] Environment: %s', deploymentEnvironment);
 
@@ -659,7 +652,7 @@ function registerSecureNow(options = {}) {
   // Key and environment come from .securenow/credentials.json (written by
   // login/init or credentials runtime), so no .env entry is needed.
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       requireRuntimeModule('./firewall').init({
         apiKey: firewallOptions.apiKey,

package/nuxt-server-plugin.mjs

@@ -7,11 +7,8 @@
  * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
  */
 
-import { NodeSDK } from '@opentelemetry/sdk-node';
-import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
 import * as otelResources from '@opentelemetry/resources';
 import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
-import { HttpInstrumentation } from '@opentelemetry/instrumentation-http';
 import {
   context as otelContext,
   trace as otelTrace,
@@ -23,6 +20,12 @@ import { randomUUID } from 'node:crypto';
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
 const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
+const { defaultMetricsExporterToNone } = nodeRequire('./otel-defaults');
+defaultMetricsExporterToNone();
+
+const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
+const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
+const { HttpInstrumentation } = nodeRequire('@opentelemetry/instrumentation-http');
 
 // ── Helpers ──
 
@@ -318,7 +321,7 @@ export default defineNitroPlugin(async (nitroApp) => {
 
   // ── Firewall — runs independently from OTel ──
   const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey && firewallOptions.enabled) {
+  if (firewallOptions.apiKey) {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({

package/otel-defaults.js

@@ -0,0 +1,11 @@
+'use strict';
+
+function defaultMetricsExporterToNone(env = process.env) {
+  if (!env) return false;
+  const current = env.OTEL_METRICS_EXPORTER;
+  if (current != null && String(current).trim() !== '') return false;
+  env.OTEL_METRICS_EXPORTER = 'none';
+  return true;
+}
+
+module.exports = { defaultMetricsExporterToNone };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.16",
+  "version": "8.0.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -132,6 +132,7 @@
     "resolve-ip.js",
     "cidr.js",
     "firewall.js",
+    "otel-defaults.js",
     "rate-limits.js",
     "rate-limits.d.ts",
     "firewall-only.js",
@@ -166,8 +167,7 @@
     "@opentelemetry/sdk-node": "0.218.0",
     "@opentelemetry/sdk-trace-base": "2.7.1",
     "@opentelemetry/sdk-trace-web": "2.7.1",
-    "@opentelemetry/semantic-conventions": "1.41.1",
-    "dotenv": "17.2.1"
+    "@opentelemetry/semantic-conventions": "1.41.1"
   },
   "optionalDependencies": {
     "@vercel/otel": "2.1.2"

package/rate-limits.js

@@ -12,8 +12,6 @@ function authToken(options = {}) {
     options.token ||
     options.apiKey ||
     options.authToken ||
-    process.env.SECURENOW_TOKEN ||
-    process.env.SECURENOW_API_KEY ||
     config.getToken() ||
     config.getApiKey() ||
     undefined

package/register-vite.js

@@ -1,12 +1,5 @@
-// node_modules/securenow/register-vite.js  (CommonJS, for -r)
-'use strict';
-
-try {
-  require('dotenv').config();
-  console.log('[securenow] dotenv loaded for Vite preload');
-} catch {
-  console.log('[securenow] dotenv not available, continuing without .env');
-}
-
-// Trace the Node process (Vite dev/preview server) using your existing Node tracer
-module.exports = require('./web-vite.mjs');
+// node_modules/securenow/register-vite.js  (CommonJS, for -r)
+'use strict';
+
+// Trace the Node process (Vite dev/preview server) using your existing Node tracer
+module.exports = require('./web-vite.mjs');

package/register.js

@@ -4,17 +4,9 @@
 // For ESM apps ("type": "module"), this file auto-registers the
 // OpenTelemetry ESM loader hook via module.register() (Node >=20.6).
 // On older Node versions it falls back to a warning.
-'use strict';
-
-// 1. Load dotenv quietly only for legacy installs. Normal local and production
-// configuration comes from .securenow/credentials.json via app-config.js.
-try {
-  require('dotenv').config({ quiet: true });
-} catch (e) {
-  // dotenv is optional.
-}
-
-// 2. Auto-register the ESM loader hook so customers never need --import
+'use strict';
+
+// 1. Auto-register the ESM loader hook so customers never need --import
 (() => {
   try {
     const fs = require('fs');
@@ -45,5 +37,5 @@ try {
   }
 })();
 
-// 3. Run the OTel SDK setup
-require('./tracing');
+// 2. Run the OTel SDK setup
+require('./tracing');

package/resolve-ip.js

@@ -6,7 +6,7 @@ const appConfig = require('./app-config');
 const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
 const PRIVATE_IP_RE = /^(127\.|::1$|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.|f[cd][0-9a-f]{2}:)/i;
 
-const trustedProxies = appConfig.listEnv('SECURENOW_TRUSTED_PROXIES');
+const trustedProxies = appConfig.listConfig('networking.trustedProxies');
 const trustedProxySet = trustedProxies.length ? new Set(trustedProxies.map(normalizeIp).filter(Boolean)) : null;
 
 let _hostIps = null;

package/tracing.d.ts

@@ -165,7 +165,7 @@ export const loggerProvider: LoggerProvider | null;
  * Configuration:
  *
  * Local development reads .securenow/credentials.json first. Run
- * `npx securenow login` to write app identity/firewall key and
+ * `npx securenow login` to write app identity/runtime API key and
  * `npx securenow init` to ensure secure defaults and explanations.
  *
  * Production uses the same file shape. Run

package/tracing.js

@@ -14,6 +14,9 @@
  *   Production should mount/copy tokenless runtime credentials to the same path.
  */
 
+const { defaultMetricsExporterToNone } = require('./otel-defaults');
+defaultMetricsExporterToNone();
+
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
@@ -277,8 +280,8 @@ const endpointBase = resolvedEndpoints.endpointBase;
 const tracesUrl = resolvedEndpoints.tracesUrl;
 const logsUrl = resolvedEndpoints.logsUrl;
 
-// resolveEndpoints() also adds x-api-key from the credentials app key when
-// explicit OTLP headers did not provide one.
+// resolveEndpoints() also adds app routing and runtime auth headers when
+// explicit OTLP headers did not provide them.
 const headers = resolvedEndpoints.headers;
 
 // -------- naming rules --------
@@ -696,7 +699,7 @@ const sdk = new NodeSDK({
     // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
     // only an app-routing UUID (or nothing at all) — no 401 polling loops.
     const firewallOptions = appConfig.resolveFirewallOptions();
-    if (firewallOptions.apiKey && firewallOptions.enabled) {
+    if (firewallOptions.apiKey) {
       require('./firewall').init({
         apiKey: firewallOptions.apiKey,
         appKey: firewallOptions.appKey,

package/web-vite.mjs

@@ -12,21 +12,21 @@ import { FetchInstrumentation } from '@opentelemetry/instrumentation-fetch';
 import { XMLHttpRequestInstrumentation } from '@opentelemetry/instrumentation-xml-http-request';
 
 // ---- helpers / browser config ----
-const viteEnv = import.meta.env || {};
-
-const ENV_TO_BROWSER_CONFIG_PATH = Object.freeze({
-  SECURENOW_APPID: 'app.key',
-  SECURENOW_INSTANCE: 'config.otel.endpoint',
-  OTEL_SERVICE_NAME: 'app.name',
-  OTEL_EXPORTER_OTLP_ENDPOINT: 'config.otel.endpoint',
-  OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: 'config.otel.tracesEndpoint',
-  OTEL_EXPORTER_OTLP_HEADERS: 'config.otel.headers',
-  SECURENOW_NO_UUID: 'config.runtime.noUuid',
-  SECURENOW_STRICT: 'config.runtime.strict',
-  SECURENOW_TEST_SPAN: 'config.runtime.testSpan',
-  SECURENOW_HIDE_BANNER: 'config.runtime.hideBanner',
-  SECURENOW_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
-  SECURENOW_DEPLOYMENT_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
+const DEFAULT_BROWSER_CONFIG = Object.freeze({
+  config: {
+    otel: {
+      endpoint: 'https://ingest.securenow.ai',
+      tracesEndpoint: null,
+      headers: {},
+    },
+    runtime: {
+      deploymentEnvironment: 'production',
+      noUuid: null,
+      strict: false,
+      testSpan: false,
+      hideBanner: false,
+    },
+  },
 });
 
 function createResource(attributes) {
@@ -39,15 +39,6 @@ function createResource(attributes) {
   throw new Error('Unsupported @opentelemetry/resources version');
 }
 
-function legacyViteEnvFallbackEnabled() {
-  const raw =
-    viteEnv.SECURENOW_ENABLE_LEGACY_ENV ??
-    viteEnv.VITE_SECURENOW_ENABLE_LEGACY_ENV ??
-    viteEnv.SECURENOW_ALLOW_ENV_CONFIG ??
-    viteEnv.VITE_SECURENOW_ALLOW_ENV_CONFIG;
-  return /^(1|true|yes)$/i.test(String(raw || '').trim());
-}
-
 function getPath(obj, path) {
   if (!obj || !path) return undefined;
   let cur = obj;
@@ -74,28 +65,27 @@ function toConfigString(value) {
   return String(value);
 }
 
-function env(k) {
-  // Browser config should be injected as window.__SECURENOW__ by the app.
-  const w = globalThis.window;
-  const injected = w && w.__SECURENOW__;
-  const mappedPath = ENV_TO_BROWSER_CONFIG_PATH[String(k).toUpperCase()];
-  if (injected) {
-    if (mappedPath) {
-      const mappedValue = getPath(injected, mappedPath);
-      const resolved = toConfigString(mappedValue);
-      if (resolved !== undefined) return resolved;
-    }
-    if (!mappedPath && k in injected) return toConfigString(injected[k]);
-  }
+function browserConfig() {
+  const injected = globalThis.window && globalThis.window.__SECURENOW__;
+  return injected && typeof injected === 'object' ? injected : {};
+}
 
-  // Vite env fallbacks are legacy and disabled by default.
-  if (!legacyViteEnvFallbackEnabled()) return undefined;
-  const direct =
-    viteEnv[k] ??
-    viteEnv[k.toUpperCase()] ??
-    viteEnv[k.toLowerCase()];
-  if (direct != null) return String(direct);
-  return undefined;
+function configValue(path, fallback) {
+  const injected = getPath(browserConfig(), path);
+  if (injected !== undefined && injected !== null && injected !== '') return injected;
+  const defaultValue = getPath(DEFAULT_BROWSER_CONFIG, path);
+  if (defaultValue !== undefined && defaultValue !== null && defaultValue !== '') return defaultValue;
+  return fallback;
+}
+
+function boolConfig(path, fallback = false) {
+  const value = configValue(path, fallback);
+  if (typeof value === 'boolean') return value;
+  if (typeof value === 'number') return value !== 0;
+  const text = String(value || '').trim().toLowerCase();
+  if (['1', 'true', 'yes', 'on', 'enabled'].includes(text)) return true;
+  if (['0', 'false', 'no', 'off', 'disabled'].includes(text)) return false;
+  return fallback;
 }
 
 function parseHeaders(str) {
@@ -139,29 +129,30 @@ function normalizeSignalEndpoint(value, signalType) {
 
 // ---- endpoints (same defaults as tracing.js) ----
 const endpointBase =
-  normalizeEndpointBase(env('SECURENOW_INSTANCE') || env('OTEL_EXPORTER_OTLP_ENDPOINT') || 'https://ingest.securenow.ai');
+  normalizeEndpointBase(configValue('config.otel.endpoint', 'https://ingest.securenow.ai'));
 const tracesUrl =
-  normalizeSignalEndpoint(env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT'), 'traces') || `${endpointBase}/v1/traces`;
-const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+  normalizeSignalEndpoint(configValue('config.otel.tracesEndpoint'), 'traces') || `${endpointBase}/v1/traces`;
+const headers = parseHeaders(toConfigString(configValue('config.otel.headers', {})));
 const deploymentEnvironment =
-  env('SECURENOW_DEPLOYMENT_ENVIRONMENT') || env('SECURENOW_ENVIRONMENT') || viteEnv.MODE || 'production';
-const browserAppKey = env('SECURENOW_APPID');
-if (browserAppKey && !headers['x-api-key']) headers['x-api-key'] = browserAppKey;
+  String(configValue('config.runtime.deploymentEnvironment', 'production'));
+const browserAppKey = toConfigString(configValue('app.key'));
+if (browserAppKey && !headers['x-securenow-app-key']) headers['x-securenow-app-key'] = browserAppKey;
 if (deploymentEnvironment && !headers['x-securenow-environment']) headers['x-securenow-environment'] = deploymentEnvironment;
 
 // ---- naming rules (mirrors tracing.js) ----
-const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');
+const rawBase = (toConfigString(configValue('app.key')) || toConfigString(configValue('app.name')) || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 // Default to no suffix whenever a baseName is resolved: the dashboard filters
 // service.name by exact match, and browsers have no PM2 cluster problem
 // (each tab has its own service.instance.id). Explicit config.runtime.noUuid=false
 // still re-enables the suffix if someone really wants it.
-const noUuidEnv = env('SECURENOW_NO_UUID');
+const noUuidEnv = configValue('config.runtime.noUuid');
 const noUuid =
   (noUuidEnv !== undefined && noUuidEnv !== '')
     ? /^(1|true)$/i.test(String(noUuidEnv).trim())
     : !!baseName;
-const strict = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
+const strict = boolConfig('config.runtime.strict', false);
+const hostedSecureNowIngest = /^https:\/\/ingest\.securenow\.ai(?:\/|$)/i.test(tracesUrl);
 
 function uuidv4() {
   if (typeof crypto !== 'undefined' && crypto.randomUUID) {
@@ -195,6 +186,12 @@ if (baseName) {
   }
 }
 
+if (!disabled && hostedSecureNowIngest) {
+  disabled = true;
+  // eslint-disable-next-line no-console
+  console.warn('[securenow/web-vite] Direct browser OTLP ingestion to SecureNow is disabled in v8.0 until browser-safe auth is available. Use the server-side SDK runtime credentials path.');
+}
+
 const instancePrefix = baseName || 'securenow';
 const serviceInstanceId = `${instancePrefix}-${uuidv4()}`;
 
@@ -203,10 +200,10 @@ try {
   // eslint-disable-next-line no-console
   console.log(
     '[securenow] web preload loaded app.key=%s app.name=%s config.runtime.noUuid=%s config.runtime.strict=%s → service.name=%s instance.id=%s',
-    JSON.stringify(env('SECURENOW_APPID')),
-    JSON.stringify(env('OTEL_SERVICE_NAME')),
-    JSON.stringify(env('SECURENOW_NO_UUID')),
-    JSON.stringify(env('SECURENOW_STRICT')),
+    JSON.stringify(configValue('app.key')),
+    JSON.stringify(configValue('app.name')),
+    JSON.stringify(configValue('config.runtime.noUuid')),
+    JSON.stringify(configValue('config.runtime.strict')),
     serviceName,
     serviceInstanceId
   );
@@ -229,7 +226,7 @@ export function startSecurenowWeb() {
       [S.SERVICE_NAME]: serviceName,
       [S.SERVICE_INSTANCE_ID]: serviceInstanceId,
       [S.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
-      [S.SERVICE_VERSION]: viteEnv.VITE_APP_VERSION || undefined,
+      [S.SERVICE_VERSION]: toConfigString(configValue('app.version')) || undefined,
     }),
     spanProcessors: [new BatchSpanProcessor(exporter)],
   });
@@ -250,8 +247,7 @@ export function startSecurenowWeb() {
     ],
   });
 
-  // Optional smoke span (same flag name)
-  if (String(env('SECURENOW_TEST_SPAN')) === '1') {
+  if (boolConfig('config.runtime.testSpan', false)) {
     import('@opentelemetry/api').then(api => {
       const tracer = api.trace.getTracer('securenow-smoke');
       const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
@@ -265,7 +261,7 @@ export function startSecurenowWeb() {
 // ---- Free trial banner (browser DOM injection) ----
 function injectFreeTrialBanner() {
   const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
-  const hideBanner = String(env('SECURENOW_HIDE_BANNER')) === '1';
+  const hideBanner = boolConfig('config.runtime.hideBanner', false);
   if (hideBanner || !FREE_TRIAL_HOSTS.some(host => endpointBase.includes(host))) return;
   if (typeof document === 'undefined') return;