securenow 7.8.1 → 8.0.0

package/NPM_README.md

@@ -17,7 +17,7 @@ OpenTelemetry instrumentation library for Node.js, Next.js, and Nuxt application
 
 ---
 
-> **v7.8 credential model:** admin/control-plane CLI and MCP auth lives in `.securenow/admin.json`; SDK runtime app config and the firewall key live in `.securenow/runtime.json`. `npx securenow login` can run both lanes for onboarding, `npx securenow admin login` refreshes only admin auth, and `npx securenow app connect` refreshes only runtime app config. Legacy combined `.securenow/credentials.json` files are still read, and production runtime exports can still be mounted as `.securenow/credentials.json`.
+> **v8.0 credential model:** admin/control-plane CLI and MCP auth lives in `.securenow/admin.json`; SDK runtime app config and the runtime API key live in `.securenow/runtime.json`. `npx securenow login` can run both lanes for onboarding, `npx securenow admin login` refreshes only admin auth, and `npx securenow app connect` refreshes only runtime app config. Legacy combined `.securenow/credentials.json` files are still read, and production runtime exports can still be mounted as `.securenow/credentials.json`.
 
 ---
 
@@ -92,7 +92,7 @@ This detects your framework and:
 
 #### Configure Locally
 
-Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, firewall key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway and routes by `app.key`, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, runtime API key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway, routes by `app.key`, and authenticates with the runtime API key, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
 
 #### Run Your Application
 
@@ -165,8 +165,8 @@ npx securenow login --global
 # Check who you're logged in as (shows auth source)
 npx securenow whoami
 
-# Need or already have a firewall key? Create or store it without re-running login:
-npx securenow api-key create --name "CLI firewall"
+# Need or already have a runtime API key? Create or store it without re-running login:
+npx securenow api-key create --name "CLI runtime"
 npx securenow api-key set snk_live_abc123...   # --global for ~/.securenow/
 npx securenow api-key show                     # masked key + source
 npx securenow api-key clear                    # remove just the key
@@ -427,9 +427,9 @@ Config files are stored in `~/.securenow/` (global) or `.securenow/` in the proj
 |------|-------------|
 | `~/.securenow/config.json` | API URL, default app, output format |
 | `~/.securenow/admin.json` | Global admin/control-plane CLI and MCP auth |
-| `~/.securenow/runtime.json` | Global SDK runtime app config and firewall key |
+| `~/.securenow/runtime.json` | Global SDK runtime app config and runtime API key |
 | `.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
-| `.securenow/runtime.json` | Project-local SDK runtime app config and firewall key |
+| `.securenow/runtime.json` | Project-local SDK runtime app config and runtime API key |
 | `.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 
@@ -445,17 +445,13 @@ Every command supports these flags:
 | `--help` | | Show help for the command |
 | `--app <key>` | | Override the default application key |
 
-### Legacy CLI Overrides
+### CLI Configuration
 
 Normal SDK runtime setup uses `.securenow/runtime.json`; admin CLI/MCP auth uses `.securenow/admin.json`.
-Old per-terminal CLI overrides still exist for operator troubleshooting, but
-they are not part of the SDK runtime configuration path.
+SecureNow-specific environment overrides are no longer supported by the SDK or CLI.
 
 | Override | Description |
 |----------|-------------|
-| `SECURENOW_TOKEN` | Legacy CLI auth override for a single terminal session |
-| `SECURENOW_API_URL` | Legacy CLI API base override for testing |
-| `SECURENOW_DEBUG` | CLI stack traces while debugging |
 | `NO_COLOR` | Disable colored CLI output |
 
 ### Multi-Project Sessions
@@ -509,8 +505,8 @@ npx securenow logs --json --level error | jq '.logs'
 | | `apps info <id>` | Application details |
 | | `apps delete <id>` | Delete application |
 | | `apps default <key>` | Set default app |
-| **API Key** | `api-key create [--name "CLI firewall"] [--global]` | Mint and save a firewall key with your logged-in session |
-| | `api-key set <snk_live_...> [--global]` | Save firewall key to `.securenow/runtime.json` |
+| **API Key** | `api-key create [--name "CLI runtime"] [--global]` | Mint and save a runtime API key with your logged-in session |
+| | `api-key set <snk_live_...> [--global]` | Save runtime API key to `.securenow/runtime.json` |
 | | `api-key show` | Show masked key + source |
 | | `api-key clear [--global]` | Remove stored key (leaves session/app) |
 | **Observe** | `traces` | List traces |
@@ -1112,7 +1108,7 @@ npx securenow api-key set snk_live_abc123...
 npx securenow credentials runtime --env production
 ```
 
-The SDK resolves the firewall key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
+The SDK resolves the runtime API key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
 
 On startup, you'll see:
 
@@ -1211,7 +1207,7 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 |----------|-------------|---------|
 | `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
 | `app.name` | Human-readable app label. | selected during login |
-| `apiKey` | Scoped firewall key (`snk_live_...`). | minted during login |
+| `apiKey` | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
 | `config.capture.body` | Request body capture with redaction. | `true` |
@@ -1222,8 +1218,7 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 The credentials file is versioned with `_securenow.schemaVersion`. The SDK reads
 all runtime settings from this JSON plus built-in defaults. Production should
 mount a tokenless runtime credentials file at `.securenow/credentials.json`.
-Legacy env fallback is disabled by default and exists only for old deployments
-that explicitly opt in with `SECURENOW_ENABLE_LEGACY_ENV=1`.
+Environment-variable fallback is not supported.
 
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 
@@ -1418,7 +1413,7 @@ All request bodies are automatically scanned and sensitive fields are redacted:
   "config": {
     "runtime": { "noUuid": true, "strict": true, "deploymentEnvironment": "production" },
     "otel": {
-      "headers": { "x-api-key": "your-api-key" },
+      "headers": { "x-securenow-app-key": "my-production-app" },
       "logLevel": "info",
       "disableInstrumentations": ["fs", "dns"]
     },

package/README.md

@@ -189,7 +189,7 @@ Resolution order:
 6. Global named runtime credentials in the same fixed order
 7. `package.json#name` (label only)
 
-SDK runtime config is credentials-json based. Legacy environment fallbacks are disabled by default and only work when `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set for an old deployment.
+SDK runtime config is credentials-json based. Environment-variable fallbacks are no longer supported.
 
 ---
 
@@ -203,8 +203,8 @@ npx securenow app connect           # app/runtime SDK connection only
 npx securenow admin login --token <TOKEN> # headless admin auth (CI)
 npx securenow init --env local      # scaffold framework files + local env scope
 npx securenow credentials runtime --env production # write tokenless production credentials file
-npx securenow api-key create --name "CLI firewall" # mint + store firewall key
-npx securenow api-key set snk_live_... # store firewall key in .securenow/runtime.json
+npx securenow api-key create --name "CLI runtime" # mint + store runtime API key
+npx securenow api-key set snk_live_... # store runtime API key in .securenow/runtime.json
 
 # Apps
 npx securenow apps                  # list all apps
@@ -240,7 +240,7 @@ SecureNow ships a local stdio MCP server for agent clients:
 ```bash
 npx securenow login
 npx securenow admin login      # admin/control-plane only
-npx securenow app connect      # runtime app/firewall key only
+npx securenow app connect      # runtime app/API key only
 codex mcp add securenow -- npx securenow mcp
 # or run directly:
 npx -p securenow securenow-mcp
@@ -258,7 +258,7 @@ Use `.securenow/runtime.json` fields for new local SDK/runtime setups. Productio
 |---|---|---|
 | `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
 | `app.name` | selected during login | Human-readable label for CLI and dashboard output |
-| `apiKey` | minted during login | Scoped firewall key (`snk_live_...`) |
+| `apiKey` | minted during login | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
 | `config.capture.body` | `true` | Capture JSON / form request bodies with redaction |
@@ -280,8 +280,8 @@ Mount or copy that JSON as `.securenow/credentials.json` in the deployed app.
 New runtime credentials do not include a per-instance collector URL; the SDK
 uses `https://ingest.securenow.ai` by default and the gateway routes by
 `app.key`.
-Legacy env fallback exists only for old deployments that explicitly opt in with
-`SECURENOW_ENABLE_LEGACY_ENV=1`; new installs should not use it.
+Environment-variable fallback is not supported; use runtime credentials files
+for local, staging, preview, and production.
 
 ---
 
@@ -330,8 +330,8 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `securenow logout` | Clear admin auth only; runtime app config stays intact |
 | `securenow logout --global` | Clear ~/.securenow/ instead |
 | `securenow whoami` | Show admin auth and runtime app status separately |
-| `securenow api-key create [--name "CLI firewall"]` | Mint and store a firewall key using your session token |
-| `securenow api-key set <snk_live_...>` | Store firewall key in `.securenow/runtime.json` (`--global` for `~/.securenow/`) |
+| `securenow api-key create [--name "CLI runtime"]` | Mint and store a runtime API key using your session token |
+| `securenow api-key set <snk_live_...>` | Store runtime API key in `.securenow/runtime.json` (`--global` for `~/.securenow/`) |
 | `securenow api-key show` | Print masked key + source file |
 | `securenow api-key clear` | Remove stored key (`--global` for `~/.securenow/`) |
 
@@ -435,7 +435,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | File | Purpose |
 |---|---|
 | `./.securenow/admin.json` | Project-local admin/control-plane CLI and MCP auth |
-| `./.securenow/runtime.json` | Project-local SDK runtime app config and firewall key |
+| `./.securenow/runtime.json` | Project-local SDK runtime app config and runtime API key |
 | `./.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `./.securenow/credentials.<environment>.json` | Tokenless runtime file generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 | `~/.securenow/admin.json` | Global admin/control-plane auth |
@@ -444,7 +444,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `~/.securenow/credentials.<environment>.json` | Global environment-specific runtime credentials |
 | `~/.securenow/config.json` | API URL, default app, preferences |
 
-Runtime resolution order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials -> package name fallback. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set, and they never choose the credentials filename.
+Runtime resolution order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in fixed staging/production/preview/local/test/development/dev/prod order -> global `~/.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials -> package name fallback. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Runtime config is never read from environment variables.
 
 Override the dashboard API with `securenow config set apiUrl <url>`.
 

package/SKILL-API.md

@@ -4,7 +4,7 @@ Instrument any Node.js application with OpenTelemetry tracing, structured loggin
 
 **CLI parity:** every capability exposed below (redaction, CIDR matching, log/span emission, firewall preload, config inspection) has an equivalent `securenow` CLI command. See [SKILL-CLI.md](./SKILL-CLI.md) for the terminal surface.
 
-**MCP parity (v7.8+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reads admin/control-plane auth from `.securenow/admin.json` and SDK runtime app credentials from `.securenow/runtime.json`, with legacy `.securenow/credentials.json` still supported. Alert-rule operators can inspect notifications, read exact `metadata.matchedSubdetectors`, dry-run candidate SQL with `securenow_alert_rule_candidate_test`, and apply global system-rule query fixes with `securenow_alert_rule_query_update` only when the admin user/plan permits it.
+**MCP parity (v8.0+):** `npx securenow mcp` starts a local stdio MCP server for Codex, Claude, and other MCP clients. It reads admin/control-plane auth from `.securenow/admin.json` and SDK runtime app credentials from `.securenow/runtime.json`, with legacy `.securenow/credentials.json` still supported. Alert-rule operators can inspect notifications, read exact `metadata.matchedSubdetectors`, dry-run candidate SQL with `securenow_alert_rule_candidate_test`, and apply global system-rule query fixes with `securenow_alert_rule_query_update` only when the admin user/plan permits it.
 
 **Noisy alert-rule reviews:** prefer fixing a generic system-rule detector over creating customer-specific false positives. Dry-run candidate SQL first, preserve tenant scoping with `__USER_APP_KEYS__`, keep exploit-specific indicators, then save the shared query mapping only with an audit reason and explicit confirmation.
 
@@ -28,7 +28,7 @@ node -p "require('./node_modules/securenow/package.json').version"
 npx securenow version
 npx securenow login
 npx securenow admin login     # admin/control-plane CLI + MCP auth only
-npx securenow app connect     # SDK runtime app + firewall key only
+npx securenow app connect     # SDK runtime app + runtime API key only
 npx securenow init
 ```
 
@@ -60,12 +60,12 @@ Metrics export is off by default. SecureNow sets `OTEL_METRICS_EXPORTER=none` on
 
 ### 3. Firewall Is Enabled by Default
 
-Since v7.8, the app runtime flow connects the firewall automatically after
-the user picks or creates an app. The firewall key lives in `.securenow/runtime.json`
+Since v8.0, the app runtime flow connects the firewall automatically after
+the user picks or creates an app. The runtime API key lives in `.securenow/runtime.json`
 so admin CLI/MCP login cannot overwrite it:
 
 ```bash
-npx securenow app connect        # pick/create app; firewall key is minted automatically
+npx securenow app connect        # pick/create app; runtime API key is minted automatically
 # or, if you already have one:
 npx securenow api-key set snk_live_abc123...
 ```
@@ -107,7 +107,7 @@ operator needs to ensure those defaults immediately.
 | `securenow/nuxt` | Nuxt 3 module (add to `modules` array) | ESM |
 | `securenow/firewall` | Standalone firewall; exports `init()`, `shutdown()`, `getStats()`, `getMatcher()`, `getAllowlistMatcher()` | CJS |
 | `securenow/rate-limits` | Rate-limit remediation API helper; exports `parseRateLimitText()`, `createRateLimitFromText()`, `createRateLimit()`, `listRateLimits()` | CJS |
-| `securenow/firewall-only` | Preload: dotenv + firewall only, no tracing | Preload (`-r`) |
+| `securenow/firewall-only` | Preload: credentials-file firewall only, no tracing | Preload (`-r`) |
 | `securenow/cidr` | CIDR utilities; exports `createMatcher()`, `ipToInt()`, `parseCidr()`, `matchesCidr()` | CJS |
 | `securenow/resolve-ip` | IP resolution; exports `resolveClientIp()`, `resolveSocketIp()`, `isFromTrustedProxy()` | CJS |
 | `securenow/console-instrumentation` | Console→OTLP bridge; exports `originalConsole`, `restoreConsole()` | CJS |
@@ -262,7 +262,7 @@ npx securenow app connect
 npx securenow init
 ```
 
-Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and reuses the app, instance, firewall key, and secure defaults in `.securenow/runtime.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
+Auto-detects Next.js, creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, and reuses the app, instance, runtime API key, and secure defaults in `.securenow/runtime.json`. If files already exist, it prints an agent-ready prompt with the exact edits to propose.
 
 ---
 
@@ -279,7 +279,7 @@ export default defineNuxtConfig({
 });
 ```
 
-The Nuxt module auto-configures Nitro externals, runtime config, and a server plugin that sets up OTel tracing + logging + firewall. Local app identity, firewall key, and secure defaults come from `.securenow/runtime.json`; production can use tokenless `.securenow/credentials.<env>.json`.
+The Nuxt module auto-configures Nitro externals, runtime config, and a server plugin that sets up OTel tracing + logging + firewall. Local app identity, runtime API key, and secure defaults come from `.securenow/runtime.json`; production can use tokenless `.securenow/credentials.<env>.json`.
 
 ---
 
@@ -300,7 +300,7 @@ Instruments document load, fetch, XMLHttpRequest, and user interactions with bro
 
 ## Firewall — Multi-Layer IP Blocking
 
-The firewall auto-activates once an API key is resolvable and the app firewall toggle is on. Since **v7.8**, `npx securenow app connect` enables the selected app firewall by default and writes the scoped key to `.securenow/runtime.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Runtime resolution order is project `./.securenow/runtime.json` -> legacy project credentials -> project named runtime credentials -> global runtime/legacy/named runtime credentials. Admin auth lives separately in `admin.json`.
+The firewall auto-activates once a runtime API key is resolvable and the app firewall toggle is on. Since **v8.0**, `npx securenow app connect` enables the selected app firewall by default and writes the scoped runtime key to `.securenow/runtime.json`; `securenow api-key set` can still write/rotate the key later. Production should use the tokenless file generated by `securenow credentials runtime --env production`. Runtime resolution order is project `./.securenow/runtime.json` -> legacy project credentials -> project named runtime credentials -> global runtime/legacy/named runtime credentials. Admin auth lives separately in `admin.json`.
 
 ```
 Layer 4: Cloud/Edge WAF    →  blocked at CDN (Cloudflare, AWS WAF, GCP Cloud Armor)
@@ -350,7 +350,7 @@ node -r securenow/firewall-only app.js
 securenow run --firewall-only app.js
 ```
 
-Loads only dotenv + firewall. No OpenTelemetry, no tracing, no external packages needed.
+Loads only the firewall using SecureNow runtime credentials. No OpenTelemetry, no tracing, no external packages needed.
 
 ### Programmatic Firewall API
 
@@ -537,13 +537,13 @@ securenow redact @request.json --fields internal_id,sessionHash
 
 ## Credentials Configuration
 
-Local development uses `.securenow/runtime.json`; legacy `.securenow/credentials.json` is still read. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Legacy env fallback is disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is explicitly set.
+Local development uses `.securenow/runtime.json`; legacy `.securenow/credentials.json` is still read. Every setting below lives under `app` or `config`; `npx securenow credentials runtime --env production` creates a tokenless production file with the same structure. Since v7.7.2, the SDK also accepts named runtime files such as `.securenow/credentials.production.json` when the canonical `credentials.json` file is absent. Filename lookup is deterministic and does not read environment variables. Environment-variable fallbacks are not supported.
 
 | Credentials path | Purpose |
 |---|---|
 | `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key |
 | `app.name` | Human-readable app label |
-| `apiKey` | Scoped firewall key (`snk_live_...`) |
+| `apiKey` | Scoped runtime API key (`snk_live_...`) |
 | `config.otel.endpoint` | Optional OTLP base endpoint override |
 | `config.otel.tracesEndpoint` | Optional full traces endpoint |
 | `config.otel.logsEndpoint` | Optional full logs endpoint |
@@ -589,7 +589,7 @@ npm install securenow@latest
 npx securenow login
 ```
 
-No `.env` is needed. `npx securenow app connect` writes app identity, firewall key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key`. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
+No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
 
 Update `package.json`:
 ```json
@@ -602,10 +602,10 @@ No code changes to the application needed.
 
 ```bash
 npm install securenow@latest
-npx securenow app connect        # pick/create app; firewall key is minted automatically
+npx securenow app connect        # pick/create app; runtime API key is minted automatically
 ```
 
-`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the firewall key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
+`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
 
 ### Enable Firewall With Zero Tracing Overhead
 

package/SKILL-CLI.md

@@ -24,7 +24,7 @@ codex mcp add securenow -- npx securenow mcp
 npx -p securenow securenow-mcp
 ```
 
-The MCP server reads admin/control-plane auth from `.securenow/admin.json` and SDK runtime app credentials from `.securenow/runtime.json`, with legacy `.securenow/credentials.json` still supported. Admin/global tools use admin auth; runtime-scoped read tools can use the runtime firewall key where its scopes allow it. Write tools require `confirm:true` plus a reason.
+The MCP server reads admin/control-plane auth from `.securenow/admin.json` and SDK runtime app credentials from `.securenow/runtime.json`, with legacy `.securenow/credentials.json` still supported. Admin/global tools use admin auth; runtime-scoped read tools can use the runtime API key where its scopes allow it. Write tools require `confirm:true` plus a reason.
 
 ### Authenticate
 
@@ -36,13 +36,13 @@ securenow admin login --token <JWT>   # headless / CI admin auth
 securenow whoami            # verify both admin auth and runtime app status
 ```
 
-**Two-lane credentials (v7.8+):** admin/control-plane auth lives in `.securenow/admin.json`; SDK runtime app config and the firewall API key live in `.securenow/runtime.json`. `securenow login` can run both lanes for onboarding, but `securenow admin login` never replaces runtime app config and `securenow app connect` never replaces admin auth. Legacy combined `.securenow/credentials.json` files are still read.
+**Two-lane credentials (v8.0+):** admin/control-plane auth lives in `.securenow/admin.json`; SDK runtime app config and the runtime API key live in `.securenow/runtime.json`. `securenow login` can run both lanes for onboarding, but `securenow admin login` never replaces runtime app config and `securenow app connect` never replaces admin auth. Legacy combined `.securenow/credentials.json` files are still read.
 
 **Zero-config runtime flow:** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)** and **name** in `.securenow/runtime.json`. The SDK sends traces/logs to the default SecureNow ingestion gateway, which routes by app key, so no env vars or per-instance collector URLs are required for local dev or production.
 
 **Default-on security (v7.5.1+):** after picking or creating the app, `securenow app connect` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/runtime.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running app connect, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 
-Runtime credentials resolve in order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Runtime config is credentials-json based; legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set and never choose the credentials filename.
+Runtime credentials resolve in order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Runtime config is credentials-json based; environment-variable fallbacks are not supported.
 
 The **firewall API key** should live in runtime credentials as `apiKey`.
 
@@ -69,7 +69,7 @@ securenow login
 securenow init
 ```
 
-This auto-detects your framework, creates the necessary `instrumentation.ts` and `next.config.js` changes, and reuses the app, instance, and firewall key written by login or `app connect` to `.securenow/runtime.json`.
+This auto-detects your framework, creates the necessary `instrumentation.ts` and `next.config.js` changes, and reuses the app, instance, and runtime API key written by login or `app connect` to `.securenow/runtime.json`.
 
 ### Install This Skill in Cursor
 
@@ -89,9 +89,9 @@ Config lives in `~/.securenow/` (global) and optionally `.securenow/` (per-proje
 | `.securenow/credentials.json` | Legacy combined credentials; still read for backward compatibility |
 | `.securenow/credentials.<environment>.json` | Tokenless runtime credentials generated by `securenow credentials runtime --env <environment>`; read in a fixed order, not selected from env vars |
 
-**Credential resolution order:** runtime config resolves from project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Legacy env fallbacks are disabled unless `SECURENOW_ENABLE_LEGACY_ENV=1` is set.
+**Credential resolution order:** runtime config resolves from project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Environment-variable fallbacks are not supported.
 
-**Firewall API key resolution (v7.8+):** project `.securenow/runtime.json` -> legacy project credentials -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global runtime credentials -> legacy global credentials -> global named runtime credentials. Use `securenow app connect` for runtime setup or `securenow api-key set` to rotate a key without touching admin auth or env vars.
+**Runtime API key resolution (v8.0+):** project `.securenow/runtime.json` -> legacy project credentials -> project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order -> global runtime credentials -> legacy global credentials -> global named runtime credentials. Use `securenow app connect` for runtime setup or `securenow api-key set` to rotate a key without touching admin auth or env vars.
 
 ```bash
 securenow config set apiUrl https://api.securenow.ai
@@ -113,7 +113,7 @@ Legacy CLI overrides still exist for operator automation, but runtime SDK config
 | `--force` | `-f` | Skip confirmations |
 | `--yes` | `-y` | Auto-confirm prompts |
 
-Debug mode: `SECURENOW_DEBUG=1 securenow <cmd>` prints stack traces on errors.
+SecureNow-specific environment overrides are not supported; use `.securenow/runtime.json`, `.securenow/admin.json`, or `securenow config set`.
 
 ---
 
@@ -129,7 +129,7 @@ securenow run --firewall-only app.js         # preload firewall only (no tracing
 securenow src/index.js                       # shorthand — auto-detected as "run"
 ```
 
-Spawns `node --require securenow/register [--import otel/hook.mjs] <script>`. ESM detection uses nearest `package.json` `"type"` field or `.mjs`/`.cjs` extension. With `--firewall-only`, uses `securenow/firewall-only` instead (dotenv + firewall, no OpenTelemetry).
+Spawns `node --require securenow/register [--import otel/hook.mjs] <script>`. ESM detection uses nearest `package.json` `"type"` field or `.mjs`/`.cjs` extension. With `--firewall-only`, uses `securenow/firewall-only` instead (credentials-file firewall, no OpenTelemetry).
 
 ### Authentication
 
@@ -158,10 +158,10 @@ securenow apps scan [--yes]                  # scan all app domains for new subd
 
 ### API Key Management
 
-Manage the firewall API key stored in runtime credentials. Since v7.8 the app runtime flow writes `snk_live_...` keys to `.securenow/runtime.json` by default, so no env var is required for local dev.
+Manage the runtime API key stored in runtime credentials. Since v8.0 the app runtime flow writes app-scoped `snk_live_...` keys to `.securenow/runtime.json` by default, so no env var is required for local dev.
 
 ```bash
-securenow api-key create --name "CLI firewall" # mint + save a firewall key with your logged-in session
+securenow api-key create --name "CLI runtime" # mint + save a runtime API key with your logged-in session
 securenow api-key set snk_live_xxxxxxxxxx    # save to project ./.securenow/ (default)
 securenow api-key set snk_live_xxx --global  # save to ~/.securenow/ instead
 securenow api-key show                       # print the masked current key + its source
@@ -271,9 +271,10 @@ MCP parity for noisy alert-rule reviews:
 - `securenow_alert_rule_candidate_test` dry-runs a full candidate SQL query without saving it.
 - `securenow_alert_rule_test_result` polls the dry-run.
 - `securenow_alert_rule_query_update` updates the shared public query mapping behind a system rule for all customer copies. It is admin-only, requires `confirm:true`, `applyGlobally:true`, `reason`, and SQL that keeps `__USER_APP_KEYS__` tenant scoping.
+- `securenow_alert_rule_instant_update` patches Instant rule conditions/config with stale-write guards. Fetch the rule first, pass `expectedRuleVersion` plus `expectedCurrentInstantHash`, use operations such as `remove_condition` / `add_condition` / `update_condition`, and set `applyGlobally:true` for system rules. The API runs seeded before/after checks and returns benign samples removed plus attack samples still matching. If global tuning is denied, it returns a structured admin handoff with the exact patch and missing permission.
 - `securenow_alert_rule_exclusion_add` remains the last-resort customer-specific path; it supports restrictive conditions plus `matchMode` and should not be used to hide a generic system-rule bug.
 
-For system-rule tuning, dry-run the candidate SQL first, then save with `tune-query`/`securenow_alert_rule_query_update` only when the guard preserves attack detection. Good guards add exact exploit tokens, dangerous schemes, matched subdetectors, sensitive path/status evidence, malicious user agents, or repeat thresholds; bad guards simply suppress a noisy path.
+For system-rule tuning, dry-run the candidate SQL first for scheduled rules, or use `dryRun:true` on `securenow_alert_rule_instant_update` for Instant rules. Save only when the guard preserves attack detection. Good guards add exact exploit tokens, dangerous schemes, matched subdetectors, sensitive path/status evidence, malicious user agents, or repeat thresholds; bad guards simply suppress a noisy path.
 
 ---
 
@@ -608,4 +609,4 @@ All commands support `--json` for structured output. When piping to other tools
 | `Cannot connect` | API unreachable | Check `securenow config get apiUrl` or network |
 | `Unknown command` | Typo or unrecognized command | `securenow help` |
 
-Set `SECURENOW_DEBUG=1` for full stack traces on any error.
+SecureNow-specific environment overrides are intentionally unsupported for troubleshooting; use explicit CLI config files and normal terminal logs.