securenow 7.8.1 → 8.0.0

package/mcp/server.js

@@ -95,7 +95,7 @@ function localAuthStatus() {
   const apiKey = config.getApiKey();
   const hasBearer = !!(token || apiKey);
   const runtimeFirewallWarning = app && !apiKey
-    ? 'Runtime app is connected, but the firewall key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.'
+    ? 'Runtime app is connected, but the runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.'
     : null;
   return {
     authenticated: hasBearer,

package/nextjs-auto-capture.js

@@ -18,7 +18,6 @@
 
 const { trace } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -56,8 +55,8 @@ async function safeBodyCapture(request, span) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -127,8 +126,7 @@ async function safeBodyCapture(request, span) {
  * Check if body capture is enabled
  */
 function isBodyCaptureEnabled() {
-  // Opt-out default: set config.capture.body=false to disable.
-  return !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
+  return appConfig.boolConfig('capture.body', true);
 }
 
 /**
@@ -195,4 +193,3 @@ module.exports = {
   isBodyCaptureEnabled,
 };
 
-

package/nextjs-middleware.js

@@ -17,7 +17,6 @@
 
 const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -101,8 +100,8 @@ async function middleware(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only capture supported types
@@ -184,4 +183,3 @@ module.exports = {
 };
 
 
-

package/nextjs-wrapper.js

@@ -17,7 +17,6 @@
 
 const { trace } = require('@opentelemetry/api');
 const appConfig = require('./app-config');
-const env = appConfig.env;
 
 // Default sensitive fields to redact
 const DEFAULT_SENSITIVE_FIELDS = [
@@ -51,8 +50,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
  * Capture body from Request object (clone to avoid consuming)
  */
 async function captureRequestBody(request) {
-  // Opt-out default: set config.capture.body=false to disable.
-  const captureBody = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_BODY') ?? ''));
+  const captureBody = appConfig.boolConfig('capture.body', true);
   
   if (!captureBody) return;
   if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
@@ -62,8 +60,8 @@ async function captureRequestBody(request) {
   
   try {
     const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
-    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
     
     // Only for supported types
@@ -155,4 +153,3 @@ module.exports = {
   DEFAULT_SENSITIVE_FIELDS,
 };
 
-

package/nextjs.js

@@ -186,16 +186,6 @@ function registerSecureNow(options = {}) {
     const otelLogLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
     const isDevelopmentRuntime = process.env.NODE_ENV === 'development';
 
-    // @vercel/otel still reads OTel process variables internally. These are
-    // derived from credentials JSON; customers do not set them.
-    if (isVercel) {
-      if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
-      if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-      if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
-      const headerString = appConfig.headersToString(headers);
-      if (headerString && !process.env.OTEL_EXPORTER_OTLP_HEADERS) process.env.OTEL_EXPORTER_OTLP_HEADERS = headerString;
-    }
-
     console.log('[securenow] Next.js App -> service.name=%s', serviceName);
     console.log('[securenow] Environment: %s', deploymentEnvironment);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.8.1",
+  "version": "8.0.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -167,8 +167,7 @@
     "@opentelemetry/sdk-node": "0.218.0",
     "@opentelemetry/sdk-trace-base": "2.7.1",
     "@opentelemetry/sdk-trace-web": "2.7.1",
-    "@opentelemetry/semantic-conventions": "1.41.1",
-    "dotenv": "17.2.1"
+    "@opentelemetry/semantic-conventions": "1.41.1"
   },
   "optionalDependencies": {
     "@vercel/otel": "2.1.2"

package/rate-limits.js

@@ -12,8 +12,6 @@ function authToken(options = {}) {
     options.token ||
     options.apiKey ||
     options.authToken ||
-    process.env.SECURENOW_TOKEN ||
-    process.env.SECURENOW_API_KEY ||
     config.getToken() ||
     config.getApiKey() ||
     undefined

package/register-vite.js

@@ -1,12 +1,5 @@
-// node_modules/securenow/register-vite.js  (CommonJS, for -r)
-'use strict';
-
-try {
-  require('dotenv').config();
-  console.log('[securenow] dotenv loaded for Vite preload');
-} catch {
-  console.log('[securenow] dotenv not available, continuing without .env');
-}
-
-// Trace the Node process (Vite dev/preview server) using your existing Node tracer
-module.exports = require('./web-vite.mjs');
+// node_modules/securenow/register-vite.js  (CommonJS, for -r)
+'use strict';
+
+// Trace the Node process (Vite dev/preview server) using your existing Node tracer
+module.exports = require('./web-vite.mjs');

package/register.js

@@ -4,17 +4,9 @@
 // For ESM apps ("type": "module"), this file auto-registers the
 // OpenTelemetry ESM loader hook via module.register() (Node >=20.6).
 // On older Node versions it falls back to a warning.
-'use strict';
-
-// 1. Load dotenv quietly only for legacy installs. Normal local and production
-// configuration comes from .securenow/credentials.json via app-config.js.
-try {
-  require('dotenv').config({ quiet: true });
-} catch (e) {
-  // dotenv is optional.
-}
-
-// 2. Auto-register the ESM loader hook so customers never need --import
+'use strict';
+
+// 1. Auto-register the ESM loader hook so customers never need --import
 (() => {
   try {
     const fs = require('fs');
@@ -45,5 +37,5 @@ try {
   }
 })();
 
-// 3. Run the OTel SDK setup
-require('./tracing');
+// 2. Run the OTel SDK setup
+require('./tracing');

package/resolve-ip.js

@@ -6,7 +6,7 @@ const appConfig = require('./app-config');
 const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
 const PRIVATE_IP_RE = /^(127\.|::1$|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.|f[cd][0-9a-f]{2}:)/i;
 
-const trustedProxies = appConfig.listEnv('SECURENOW_TRUSTED_PROXIES');
+const trustedProxies = appConfig.listConfig('networking.trustedProxies');
 const trustedProxySet = trustedProxies.length ? new Set(trustedProxies.map(normalizeIp).filter(Boolean)) : null;
 
 let _hostIps = null;

package/tracing.d.ts

@@ -165,7 +165,7 @@ export const loggerProvider: LoggerProvider | null;
  * Configuration:
  *
  * Local development reads .securenow/credentials.json first. Run
- * `npx securenow login` to write app identity/firewall key and
+ * `npx securenow login` to write app identity/runtime API key and
  * `npx securenow init` to ensure secure defaults and explanations.
  *
  * Production uses the same file shape. Run

package/tracing.js

@@ -280,8 +280,8 @@ const endpointBase = resolvedEndpoints.endpointBase;
 const tracesUrl = resolvedEndpoints.tracesUrl;
 const logsUrl = resolvedEndpoints.logsUrl;
 
-// resolveEndpoints() also adds x-api-key from the credentials app key when
-// explicit OTLP headers did not provide one.
+// resolveEndpoints() also adds app routing and runtime auth headers when
+// explicit OTLP headers did not provide them.
 const headers = resolvedEndpoints.headers;
 
 // -------- naming rules --------

package/web-vite.mjs

@@ -12,21 +12,21 @@ import { FetchInstrumentation } from '@opentelemetry/instrumentation-fetch';
 import { XMLHttpRequestInstrumentation } from '@opentelemetry/instrumentation-xml-http-request';
 
 // ---- helpers / browser config ----
-const viteEnv = import.meta.env || {};
-
-const ENV_TO_BROWSER_CONFIG_PATH = Object.freeze({
-  SECURENOW_APPID: 'app.key',
-  SECURENOW_INSTANCE: 'config.otel.endpoint',
-  OTEL_SERVICE_NAME: 'app.name',
-  OTEL_EXPORTER_OTLP_ENDPOINT: 'config.otel.endpoint',
-  OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: 'config.otel.tracesEndpoint',
-  OTEL_EXPORTER_OTLP_HEADERS: 'config.otel.headers',
-  SECURENOW_NO_UUID: 'config.runtime.noUuid',
-  SECURENOW_STRICT: 'config.runtime.strict',
-  SECURENOW_TEST_SPAN: 'config.runtime.testSpan',
-  SECURENOW_HIDE_BANNER: 'config.runtime.hideBanner',
-  SECURENOW_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
-  SECURENOW_DEPLOYMENT_ENVIRONMENT: 'config.runtime.deploymentEnvironment',
+const DEFAULT_BROWSER_CONFIG = Object.freeze({
+  config: {
+    otel: {
+      endpoint: 'https://ingest.securenow.ai',
+      tracesEndpoint: null,
+      headers: {},
+    },
+    runtime: {
+      deploymentEnvironment: 'production',
+      noUuid: null,
+      strict: false,
+      testSpan: false,
+      hideBanner: false,
+    },
+  },
 });
 
 function createResource(attributes) {
@@ -39,15 +39,6 @@ function createResource(attributes) {
   throw new Error('Unsupported @opentelemetry/resources version');
 }
 
-function legacyViteEnvFallbackEnabled() {
-  const raw =
-    viteEnv.SECURENOW_ENABLE_LEGACY_ENV ??
-    viteEnv.VITE_SECURENOW_ENABLE_LEGACY_ENV ??
-    viteEnv.SECURENOW_ALLOW_ENV_CONFIG ??
-    viteEnv.VITE_SECURENOW_ALLOW_ENV_CONFIG;
-  return /^(1|true|yes)$/i.test(String(raw || '').trim());
-}
-
 function getPath(obj, path) {
   if (!obj || !path) return undefined;
   let cur = obj;
@@ -74,28 +65,27 @@ function toConfigString(value) {
   return String(value);
 }
 
-function env(k) {
-  // Browser config should be injected as window.__SECURENOW__ by the app.
-  const w = globalThis.window;
-  const injected = w && w.__SECURENOW__;
-  const mappedPath = ENV_TO_BROWSER_CONFIG_PATH[String(k).toUpperCase()];
-  if (injected) {
-    if (mappedPath) {
-      const mappedValue = getPath(injected, mappedPath);
-      const resolved = toConfigString(mappedValue);
-      if (resolved !== undefined) return resolved;
-    }
-    if (!mappedPath && k in injected) return toConfigString(injected[k]);
-  }
+function browserConfig() {
+  const injected = globalThis.window && globalThis.window.__SECURENOW__;
+  return injected && typeof injected === 'object' ? injected : {};
+}
 
-  // Vite env fallbacks are legacy and disabled by default.
-  if (!legacyViteEnvFallbackEnabled()) return undefined;
-  const direct =
-    viteEnv[k] ??
-    viteEnv[k.toUpperCase()] ??
-    viteEnv[k.toLowerCase()];
-  if (direct != null) return String(direct);
-  return undefined;
+function configValue(path, fallback) {
+  const injected = getPath(browserConfig(), path);
+  if (injected !== undefined && injected !== null && injected !== '') return injected;
+  const defaultValue = getPath(DEFAULT_BROWSER_CONFIG, path);
+  if (defaultValue !== undefined && defaultValue !== null && defaultValue !== '') return defaultValue;
+  return fallback;
+}
+
+function boolConfig(path, fallback = false) {
+  const value = configValue(path, fallback);
+  if (typeof value === 'boolean') return value;
+  if (typeof value === 'number') return value !== 0;
+  const text = String(value || '').trim().toLowerCase();
+  if (['1', 'true', 'yes', 'on', 'enabled'].includes(text)) return true;
+  if (['0', 'false', 'no', 'off', 'disabled'].includes(text)) return false;
+  return fallback;
 }
 
 function parseHeaders(str) {
@@ -139,29 +129,30 @@ function normalizeSignalEndpoint(value, signalType) {
 
 // ---- endpoints (same defaults as tracing.js) ----
 const endpointBase =
-  normalizeEndpointBase(env('SECURENOW_INSTANCE') || env('OTEL_EXPORTER_OTLP_ENDPOINT') || 'https://ingest.securenow.ai');
+  normalizeEndpointBase(configValue('config.otel.endpoint', 'https://ingest.securenow.ai'));
 const tracesUrl =
-  normalizeSignalEndpoint(env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT'), 'traces') || `${endpointBase}/v1/traces`;
-const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
+  normalizeSignalEndpoint(configValue('config.otel.tracesEndpoint'), 'traces') || `${endpointBase}/v1/traces`;
+const headers = parseHeaders(toConfigString(configValue('config.otel.headers', {})));
 const deploymentEnvironment =
-  env('SECURENOW_DEPLOYMENT_ENVIRONMENT') || env('SECURENOW_ENVIRONMENT') || viteEnv.MODE || 'production';
-const browserAppKey = env('SECURENOW_APPID');
-if (browserAppKey && !headers['x-api-key']) headers['x-api-key'] = browserAppKey;
+  String(configValue('config.runtime.deploymentEnvironment', 'production'));
+const browserAppKey = toConfigString(configValue('app.key'));
+if (browserAppKey && !headers['x-securenow-app-key']) headers['x-securenow-app-key'] = browserAppKey;
 if (deploymentEnvironment && !headers['x-securenow-environment']) headers['x-securenow-environment'] = deploymentEnvironment;
 
 // ---- naming rules (mirrors tracing.js) ----
-const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');
+const rawBase = (toConfigString(configValue('app.key')) || toConfigString(configValue('app.name')) || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
 // Default to no suffix whenever a baseName is resolved: the dashboard filters
 // service.name by exact match, and browsers have no PM2 cluster problem
 // (each tab has its own service.instance.id). Explicit config.runtime.noUuid=false
 // still re-enables the suffix if someone really wants it.
-const noUuidEnv = env('SECURENOW_NO_UUID');
+const noUuidEnv = configValue('config.runtime.noUuid');
 const noUuid =
   (noUuidEnv !== undefined && noUuidEnv !== '')
     ? /^(1|true)$/i.test(String(noUuidEnv).trim())
     : !!baseName;
-const strict = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
+const strict = boolConfig('config.runtime.strict', false);
+const hostedSecureNowIngest = /^https:\/\/ingest\.securenow\.ai(?:\/|$)/i.test(tracesUrl);
 
 function uuidv4() {
   if (typeof crypto !== 'undefined' && crypto.randomUUID) {
@@ -195,6 +186,12 @@ if (baseName) {
   }
 }
 
+if (!disabled && hostedSecureNowIngest) {
+  disabled = true;
+  // eslint-disable-next-line no-console
+  console.warn('[securenow/web-vite] Direct browser OTLP ingestion to SecureNow is disabled in v8.0 until browser-safe auth is available. Use the server-side SDK runtime credentials path.');
+}
+
 const instancePrefix = baseName || 'securenow';
 const serviceInstanceId = `${instancePrefix}-${uuidv4()}`;
 
@@ -203,10 +200,10 @@ try {
   // eslint-disable-next-line no-console
   console.log(
     '[securenow] web preload loaded app.key=%s app.name=%s config.runtime.noUuid=%s config.runtime.strict=%s → service.name=%s instance.id=%s',
-    JSON.stringify(env('SECURENOW_APPID')),
-    JSON.stringify(env('OTEL_SERVICE_NAME')),
-    JSON.stringify(env('SECURENOW_NO_UUID')),
-    JSON.stringify(env('SECURENOW_STRICT')),
+    JSON.stringify(configValue('app.key')),
+    JSON.stringify(configValue('app.name')),
+    JSON.stringify(configValue('config.runtime.noUuid')),
+    JSON.stringify(configValue('config.runtime.strict')),
     serviceName,
     serviceInstanceId
   );
@@ -229,7 +226,7 @@ export function startSecurenowWeb() {
       [S.SERVICE_NAME]: serviceName,
       [S.SERVICE_INSTANCE_ID]: serviceInstanceId,
       [S.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
-      [S.SERVICE_VERSION]: viteEnv.VITE_APP_VERSION || undefined,
+      [S.SERVICE_VERSION]: toConfigString(configValue('app.version')) || undefined,
     }),
     spanProcessors: [new BatchSpanProcessor(exporter)],
   });
@@ -250,8 +247,7 @@ export function startSecurenowWeb() {
     ],
   });
 
-  // Optional smoke span (same flag name)
-  if (String(env('SECURENOW_TEST_SPAN')) === '1') {
+  if (boolConfig('config.runtime.testSpan', false)) {
     import('@opentelemetry/api').then(api => {
       const tracer = api.trace.getTracer('securenow-smoke');
       const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
@@ -265,7 +261,7 @@ export function startSecurenowWeb() {
 // ---- Free trial banner (browser DOM injection) ----
 function injectFreeTrialBanner() {
   const FREE_TRIAL_HOSTS = ['ingest.securenow.ai', 'freetrial.securenow.ai'];
-  const hideBanner = String(env('SECURENOW_HIDE_BANNER')) === '1';
+  const hideBanner = boolConfig('config.runtime.hideBanner', false);
   if (hideBanner || !FREE_TRIAL_HOSTS.some(host => endpointBase.includes(host))) return;
   if (typeof document === 'undefined') return;