securenow 7.7.4 → 7.7.5

package/NPM_README.md

@@ -1261,7 +1261,7 @@ Use `npx securenow help firewall` for complete details on all layers.
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `OTEL_LOG_LEVEL` | OpenTelemetry SDK log level. Options: `debug`, `info`, `warn`, `error` | `none` |
+| `OTEL_LOG_LEVEL` | OpenTelemetry diagnostic override. Options: `debug`, `info`, `warn`, `error`, `none`. Overrides `config.otel.logLevel` for emergency debugging. | `error` |
 | `SECURENOW_TEST_SPAN` | Set to `1` to emit a test span on startup. | `0` |
 
 #### Environment
@@ -1600,7 +1600,16 @@ curl http://localhost:4318/v1/traces
 # Should return 200 or 405 (method not allowed)
 ```
 
-**Check 3: Enable debug logging in credentials**
+**Check 3: Run doctor and enable debug diagnostics**
+
+```bash
+npx securenow doctor --json
+OTEL_LOG_LEVEL=debug node -r securenow/register app.js
+```
+
+Doctor checks OTLP reachability and flags duplicate `@opentelemetry/api` versions that can silently leave tracing on the OpenTelemetry noop provider.
+
+For a persistent setting, update credentials:
 
 ```json
 {

package/SKILL-API.md

@@ -495,7 +495,7 @@ Local development and production use `.securenow/credentials.json`. Every settin
 | `SECURENOW_DISABLE_INSTRUMENTATIONS` | Comma-separated packages to skip (e.g. `fs,dns`) | — |
 | `SECURENOW_TEST_SPAN` | `1` to emit a test span on startup | `0` |
 | `SECURENOW_HIDE_BANNER` | `1` to suppress free-trial upgrade banner | `0` |
-| `OTEL_LOG_LEVEL` | SDK log level: `none`, `error`, `warn`, `info`, `debug` | `none` |
+| `OTEL_LOG_LEVEL` | SDK diagnostic override: `error`, `warn`, `info`, `debug`, or `none` | `error` |
 | `SECURENOW_ENVIRONMENT` / `SECURENOW_DEPLOYMENT_ENVIRONMENT` / `NODE_ENV` | Legacy fallback for `config.runtime.deploymentEnvironment` | `production` |
 
 ### Firewall
@@ -634,7 +634,7 @@ On startup, securenow logs its configuration:
 [securenow] Firewall: synced 142 blocked IPs
 ```
 
-Set `config.otel.logLevel` to `debug` in `.securenow/credentials.json` or run `securenow test-span --env <env>` to troubleshoot connectivity issues.
+Set `config.otel.logLevel` to `debug`, or temporarily run with `OTEL_LOG_LEVEL=debug`, and run `securenow doctor --json` to troubleshoot connectivity, duplicate OpenTelemetry API packages, and provider registration issues.
 
 **CLI equivalent** (works without booting the SDK — useful when the app won't start):
 

package/app-config.js

@@ -46,7 +46,7 @@ const DEFAULT_CONFIG = Object.freeze({
     tracesEndpoint: null,
     logsEndpoint: null,
     headers: {},
-    logLevel: 'none',
+    logLevel: 'error',
     disableInstrumentations: [],
   },
   runtime: {
@@ -102,7 +102,7 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.otel.tracesEndpoint': 'Optional full traces endpoint override, for split collectors.',
   'config.otel.logsEndpoint': 'Optional full logs endpoint override, for split collectors.',
   'config.otel.headers': 'Optional OTLP headers. The SDK auto-adds x-api-key from app.key when missing.',
-  'config.otel.logLevel': 'OpenTelemetry diagnostic log level: none, error, warn, info, or debug.',
+  'config.otel.logLevel': 'OpenTelemetry diagnostic log level: error, warn, info, debug, or none.',
   'config.otel.disableInstrumentations': 'Optional OTel instrumentation package names to disable.',
   'config.runtime.deploymentEnvironment': 'deployment.environment resource attribute. Set this in the credentials file for production.',
   'config.runtime.noUuid': 'null means auto: true when app.key is present. Set true/false only for advanced routing needs.',

package/cli/diagnostics.js

@@ -1,6 +1,8 @@
 'use strict';
 
 const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
 const url = require('url');
 const ui = require('./ui');
 const config = require('./config');
@@ -37,6 +39,7 @@ function resolvedConfig(options = {}) {
     loggingEnabled: appConfig.boolEnv('SECURENOW_LOGGING_ENABLED', true),
     captureBody: appConfig.boolEnv('SECURENOW_CAPTURE_BODY', true),
     captureMultipart: appConfig.boolEnv('SECURENOW_CAPTURE_MULTIPART', true),
+    otelLogLevel: (process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : appConfig.env('OTEL_LOG_LEVEL')) || 'error',
     firewallEnabled,
     firewallLayers: {
       http: firewallEnabled,
@@ -47,6 +50,68 @@ function resolvedConfig(options = {}) {
   };
 }
 
+function readPackageVersion(packageJsonPath, label) {
+  try {
+    if (!packageJsonPath || !fs.existsSync(packageJsonPath)) return null;
+    const realPath = fs.realpathSync(packageJsonPath);
+    const pkg = JSON.parse(fs.readFileSync(realPath, 'utf8').replace(/^\uFEFF/, ''));
+    return { label, path: realPath, version: pkg.version || null };
+  } catch {
+    return null;
+  }
+}
+
+function resolvePackageJson(pkgName, paths, label) {
+  try {
+    let current = path.dirname(require.resolve(pkgName, { paths }));
+    while (current && current !== path.dirname(current)) {
+      const candidate = path.join(current, 'package.json');
+      const pkg = readPackageVersion(candidate, label);
+      if (pkg) return pkg;
+      current = path.dirname(current);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+function collectOtelApiPackages() {
+  const cwd = process.cwd();
+  const packageName = '@opentelemetry/api';
+  const candidates = [
+    readPackageVersion(path.join(cwd, 'node_modules', '@opentelemetry', 'api', 'package.json'), 'project node_modules'),
+    readPackageVersion(path.join(cwd, 'node_modules', 'securenow', 'node_modules', '@opentelemetry', 'api', 'package.json'), 'nested under securenow'),
+    resolvePackageJson(packageName, [cwd], 'resolved from project'),
+    resolvePackageJson(packageName, [path.resolve(__dirname, '..')], 'resolved from securenow CLI'),
+  ].filter(Boolean);
+
+  const byPath = new Map();
+  for (const item of candidates) {
+    if (!byPath.has(item.path)) byPath.set(item.path, { ...item, labels: [item.label] });
+    else byPath.get(item.path).labels.push(item.label);
+  }
+
+  return [...byPath.values()].map(({ label, labels, ...rest }) => ({
+    ...rest,
+    label: labels.join(', '),
+  }));
+}
+
+function otelApiSingletonCheck() {
+  const packages = collectOtelApiPackages();
+  const versions = [...new Set(packages.map((p) => p.version).filter(Boolean))];
+  return {
+    name: 'otel-api-singleton',
+    ok: versions.length <= 1,
+    versions,
+    packages,
+    ...(versions.length > 1 ? {
+      error: `Multiple @opentelemetry/api versions detected (${versions.join(', ')}). This can leave tracing on the NoopTracerProvider.`,
+    } : {}),
+  };
+}
+
 function maskSecret(value) {
   if (!value) return '';
   const text = String(value);
@@ -308,6 +373,7 @@ function env(_args, flags) {
     firewallApiKey: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
     apiUrl: cfg.apiUrl,
     loggingEnabled: cfg.loggingEnabled,
+    otelLogLevel: cfg.otelLogLevel,
     captureBody: cfg.captureBody,
     captureMultipart: cfg.captureMultipart,
     noUuid: appConfig.resolveNoUuid(),
@@ -326,6 +392,7 @@ function env(_args, flags) {
     ['Environment', cfg.deploymentEnvironment],
     ['Traces endpoint', cfg.tracesEndpoint],
     ['Logs endpoint', cfg.logsEndpoint],
+    ['OTel diagnostics', cfg.otelLogLevel],
     ['Logging', cfg.loggingEnabled ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
@@ -342,6 +409,8 @@ function env(_args, flags) {
 async function doctor(_args, flags) {
   const cfg = resolvedConfig();
   const checks = [];
+  const otelApiCheck = otelApiSingletonCheck();
+  checks.push(otelApiCheck);
 
   const jsonHeaders = { 'Content-Type': 'application/json', ...cfg.headers };
 
@@ -386,6 +455,15 @@ async function doctor(_args, flags) {
   }
 
   const warnings = [];
+  const singletonOkMessage = otelApiCheck.ok && otelApiCheck.packages.length
+    ? `OpenTelemetry API singleton OK (${otelApiCheck.versions[0] || 'unknown'})`
+    : null;
+  if (!otelApiCheck.ok) {
+    warnings.push(`${otelApiCheck.error} Align the app and SecureNow to one 1.9.x copy, then reinstall.`);
+  }
+  if (String(cfg.otelLogLevel || '').toLowerCase() === 'none') {
+    warnings.push('OpenTelemetry diagnostic log level is `none`; provider registration/export errors are hidden. Set config.otel.logLevel to `error`/`warn`, or temporarily run with OTEL_LOG_LEVEL=debug.');
+  }
   if (!cfg.appKey) {
     warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
   }
@@ -410,6 +488,8 @@ async function doctor(_args, flags) {
     for (const w of warnings) ui.warn(w);
   }
 
+  if (singletonOkMessage) ui.success(singletonOkMessage);
+
   console.log('');
   if (ok) ui.success('All checks passed.');
   else ui.error('One or more checks failed. Run with --json for details.');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.4",
+  "version": "7.7.5",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -141,7 +141,7 @@
     "SKILL-API.md"
   ],
   "dependencies": {
-    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/api": ">=1.9.0 <1.10.0",
     "@opentelemetry/api-logs": "0.218.0",
     "@opentelemetry/auto-instrumentations-node": "0.76.0",
     "@opentelemetry/core": "2.7.1",

package/tracing.js

@@ -21,7 +21,7 @@
  *   OTEL_EXPORTER_OTLP_HEADERS="k=v,k2=v2"
  *   SECURENOW_DISABLE_INSTRUMENTATIONS="pkg1,pkg2"
  *   SECURENOW_CAPTURE_MULTIPART=1                # capture multipart/form-data fields & file metadata (streaming, no file content buffered)
- *   OTEL_LOG_LEVEL=info|debug
+ *   OTEL_LOG_LEVEL=error|warn|info|debug|none
  *   SECURENOW_TEST_SPAN=1
  *
  * Safety:
@@ -264,7 +264,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
 })();
 
 // -------- diagnostics --------
-const diagLevel = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
+const diagLevel = ((process.env.OTEL_LOG_LEVEL != null ? process.env.OTEL_LOG_LEVEL : env('OTEL_LOG_LEVEL')) || '').toLowerCase();
 (() => {
   const level = diagLevel === 'debug' ? DiagLogLevel.DEBUG :
                 diagLevel === 'info'  ? DiagLogLevel.INFO  :