securenow 7.8.1 → 8.0.1

package/app-config.js

@@ -9,8 +9,8 @@
  * ./.securenow/credentials.production.json are also accepted when the
  * canonical file is not present. Filename selection is deterministic and does
  * not read environment variables.
- * Legacy environment fallbacks are disabled by default; every SDK setting has
- * a file-backed equivalent so customers do not need .env files.
+ * Every SDK setting has a file-backed equivalent so customers do not need
+ * .env files.
  */
 
 const fs = require('fs');
@@ -21,7 +21,6 @@ const FREE_TRIAL_INSTANCE = 'https://ingest.securenow.ai';
 const DEFAULT_API_URL = 'https://api.securenow.ai';
 const DEFAULT_FIREWALL_API_URL = FREE_TRIAL_INSTANCE;
 const LEGACY_SECURENOW_GATEWAY = 'https://api.securenow.ai/api/otlp';
-const LEGACY_ENV_FALLBACK_FLAG = 'SECURENOW_ENABLE_LEGACY_ENV';
 const CONFIG_SCHEMA_VERSION = 2;
 const CREDENTIAL_FILE_ENVIRONMENTS = Object.freeze([
   'staging',
@@ -94,7 +93,7 @@ const DEFAULT_CONFIG = Object.freeze({
 
 const CONFIG_EXPLANATIONS = Object.freeze({
   'token': 'Legacy CLI session token. New admin/control-plane auth is written to admin.json. Secret: do not commit.',
-  'apiKey': 'Scoped firewall API key (`snk_live_...`) minted by `securenow app connect` or `securenow api-key set`. Secret: do not commit.',
+  'apiKey': 'Scoped runtime API key (`snk_live_...`) minted by `securenow app connect` or `securenow api-key set`. It authenticates telemetry ingestion and firewall sync. Secret: do not commit.',
   'app.key': 'SecureNow application routing UUID. The SDK uses this as OTel service.name so dashboard queries match exactly.',
   'app.name': 'Human-readable app label shown in CLI output.',
   'app.routing': 'Telemetry uses the default SecureNow ingestion gateway and routes by app.key; runtime credentials do not expose per-instance collector URLs.',
@@ -106,7 +105,7 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.otel.endpoint': 'Optional OTLP base endpoint override for advanced/self-hosted collectors. Leave null for the SecureNow ingestion gateway.',
   'config.otel.tracesEndpoint': 'Optional full traces endpoint override, for split collectors.',
   'config.otel.logsEndpoint': 'Optional full logs endpoint override, for split collectors.',
-  'config.otel.headers': 'Optional OTLP headers. The SDK auto-adds x-api-key from app.key when missing.',
+  'config.otel.headers': 'Optional OTLP headers. The SDK auto-adds x-securenow-app-key from app.key and Authorization from apiKey when missing.',
   'config.otel.logLevel': 'OpenTelemetry diagnostic log level: error, warn, info, debug, or none.',
   'config.otel.disableInstrumentations': 'Optional OTel instrumentation package names to disable.',
   'config.runtime.deploymentEnvironment': 'deployment.environment resource attribute. Set this in the credentials file for production.',
@@ -131,45 +130,6 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.networking.trustedProxies': 'Additional proxy IPs whose X-Forwarded-For headers should be trusted.',
 });
 
-const ENV_TO_CONFIG_PATH = Object.freeze({
-  SECURENOW_LOGGING_ENABLED: 'logging.enabled',
-  SECURENOW_CAPTURE_BODY: 'capture.body',
-  SECURENOW_CAPTURE_MULTIPART: 'capture.multipart',
-  SECURENOW_MAX_BODY_SIZE: 'capture.maxBodySize',
-  SECURENOW_SENSITIVE_FIELDS: 'capture.sensitiveFields',
-  SECURENOW_DISABLE_INSTRUMENTATIONS: 'otel.disableInstrumentations',
-  OTEL_EXPORTER_OTLP_ENDPOINT: 'otel.endpoint',
-  OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: 'otel.tracesEndpoint',
-  OTEL_EXPORTER_OTLP_LOGS_ENDPOINT: 'otel.logsEndpoint',
-  OTEL_EXPORTER_OTLP_HEADERS: 'otel.headers',
-  OTEL_LOG_LEVEL: 'otel.logLevel',
-  SECURENOW_ENVIRONMENT: 'runtime.deploymentEnvironment',
-  SECURENOW_DEPLOYMENT_ENVIRONMENT: 'runtime.deploymentEnvironment',
-  NODE_ENV: 'runtime.deploymentEnvironment',
-  SECURENOW_NO_UUID: 'runtime.noUuid',
-  SECURENOW_STRICT: 'runtime.strict',
-  SECURENOW_TEST_SPAN: 'runtime.testSpan',
-  SECURENOW_HIDE_BANNER: 'runtime.hideBanner',
-  SECURENOW_API_URL: 'firewall.apiUrl',
-  SECURENOW_FIREWALL_VERSION_INTERVAL: 'firewall.versionCheckInterval',
-  SECURENOW_FIREWALL_SYNC_INTERVAL: 'firewall.syncInterval',
-  SECURENOW_FIREWALL_FAIL_MODE: 'firewall.failMode',
-  SECURENOW_FIREWALL_STATUS_CODE: 'firewall.statusCode',
-  SECURENOW_FIREWALL_LOG: 'firewall.log',
-  SECURENOW_FIREWALL_TCP: 'firewall.tcp',
-  SECURENOW_FIREWALL_IPTABLES: 'firewall.iptables',
-  SECURENOW_FIREWALL_CLOUD: 'firewall.cloud',
-  SECURENOW_FIREWALL_CLOUD_DRY_RUN: 'firewall.cloudDryRun',
-  CLOUDFLARE_API_TOKEN: 'firewall.cloudflare.apiToken',
-  CLOUDFLARE_ACCOUNT_ID: 'firewall.cloudflare.accountId',
-  AWS_WAF_IP_SET_ID: 'firewall.aws.wafIpSetId',
-  AWS_WAF_IP_SET_NAME: 'firewall.aws.wafIpSetName',
-  AWS_WAF_SCOPE: 'firewall.aws.wafScope',
-  GCP_PROJECT_ID: 'firewall.gcp.projectId',
-  GCP_SECURITY_POLICY: 'firewall.gcp.securityPolicy',
-  SECURENOW_TRUSTED_PROXIES: 'networking.trustedProxies',
-});
-
 function clone(value) {
   return value == null ? value : JSON.parse(JSON.stringify(value));
 }
@@ -460,7 +420,7 @@ function withCredentialDefaults(credentials) {
   out._securenow = mergeMissing(out._securenow, {
     schemaVersion: CONFIG_SCHEMA_VERSION,
     note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets; keep .securenow/ in .gitignore.',
-    precedence: `The same credentials file works in local development and production. SDK runtime config is read from credentials JSON. Legacy environment fallbacks are disabled unless ${LEGACY_ENV_FALLBACK_FLAG}=1 is set.`,
+    precedence: 'The same credentials file works in local development and production. SDK runtime config is read from credentials JSON only.',
     explanations: CONFIG_EXPLANATIONS,
   });
   return out;
@@ -476,19 +436,6 @@ function getPath(obj, dotted) {
   return cur;
 }
 
-function legacyEnvFallbackEnabled() {
-  const raw =
-    process.env[LEGACY_ENV_FALLBACK_FLAG] ??
-    process.env.SECURENOW_ALLOW_ENV_CONFIG ??
-    process.env.SECURENOW_LEGACY_ENV;
-  return /^(1|true|yes)$/i.test(String(raw || '').trim());
-}
-
-function rawEnv(key) {
-  if (!legacyEnvFallbackEnabled()) return undefined;
-  return process.env[key] ?? process.env[key.toUpperCase()] ?? process.env[key.toLowerCase()];
-}
-
 function normalizeInstanceEndpoint(value) {
   if (value === undefined || value === null || value === '') return value;
   const endpoint = String(value).trim().replace(/\/$/, '');
@@ -626,24 +573,11 @@ function headersToString(headers) {
     .join(',');
 }
 
-function toEnvString(value) {
-  if (value === undefined || value === null || value === '') return undefined;
-  if (typeof value === 'boolean') return value ? '1' : '0';
-  if (Array.isArray(value)) return value.join(',');
-  if (typeof value === 'object') return headersToString(value);
-  return String(value);
-}
-
-function resolveConfigPath(configPath, envKeys = [], fallback) {
+function resolveConfigPath(configPath, _envKeys = [], fallback) {
   const creds = loadCredentials();
   const fromCreds = pick(getPath(creds && creds.config, configPath));
   if (fromCreds != null) return fromCreds;
 
-  for (const key of envKeys) {
-    const fromEnv = pick(rawEnv(key));
-    if (fromEnv != null) return fromEnv;
-  }
-
   const fromDefault = pick(getPath(DEFAULT_CONFIG, configPath));
   if (fromDefault != null) return fromDefault;
 
@@ -669,28 +603,12 @@ function listConfig(configPath) {
 function resolveAppKey() {
   const creds = loadCredentials();
   if (creds && creds.app && pick(creds.app.key)) return String(pick(creds.app.key));
-
-  const fromEnv = pick(rawEnv('SECURENOW_APPID')) || pick(rawEnv('securenow'));
-  if (fromEnv) return String(fromEnv);
-
-  // Legacy compatibility: older docs sometimes used SECURENOW_API_KEY as the
-  // app routing UUID. Real firewall keys start with snk_live_ and are handled
-  // by resolveApiKey(), not as service.name.
-  const legacyApiKey = pick(rawEnv('SECURENOW_API_KEY'));
-  if (legacyApiKey && !String(legacyApiKey).startsWith('snk_live_')) {
-    return String(legacyApiKey);
-  }
-
   return null;
 }
 
 function resolveAppName() {
   const creds = loadCredentials();
   if (creds && creds.app && pick(creds.app.name)) return String(pick(creds.app.name));
-
-  const fromEnv = pick(rawEnv('OTEL_SERVICE_NAME'));
-  if (fromEnv) return String(fromEnv);
-
   return loadPackageJsonName();
 }
 
@@ -702,23 +620,12 @@ function resolveApiKey() {
   const creds = loadCredentials();
   const fromCreds = creds && pick(creds.apiKey);
   if (fromCreds && String(fromCreds).startsWith('snk_live_')) return String(fromCreds);
-
-  const fromEnv = pick(rawEnv('SECURENOW_API_KEY'));
-  if (fromEnv && String(fromEnv).startsWith('snk_live_')) return String(fromEnv);
-
   return null;
 }
 
 function resolveInstance() {
   const fromConfig = pick(resolveConfigPath('otel.endpoint'));
   if (fromConfig) return normalizeInstanceEndpoint(fromConfig);
-
-  const fromEnv =
-    pick(rawEnv('SECURENOW_INSTANCE')) ||
-    pick(rawEnv('securenow_instance')) ||
-    pick(rawEnv('OTEL_EXPORTER_OTLP_ENDPOINT'));
-  if (fromEnv) return normalizeInstanceEndpoint(fromEnv);
-
   return FREE_TRIAL_INSTANCE;
 }
 
@@ -743,51 +650,18 @@ function resolveNoUuid(opts = {}) {
   const fromConfig = pick(getPath(loadCredentials()?.config, 'runtime.noUuid'));
   if (fromConfig !== null) return parseBool(fromConfig, false);
 
-  const raw = pick(rawEnv('SECURENOW_NO_UUID'));
-  if (raw !== null) return parseBool(raw, false);
-
   return !!resolveAppKey();
 }
 
-function resolveEnvKey(key) {
-  const upper = String(key).toUpperCase();
-
-  if (upper === 'SECURENOW_APPID') return resolveAppKey();
-  if (upper === 'OTEL_SERVICE_NAME') return resolveAppName();
-  if (upper === 'SECURENOW_API_KEY') return resolveApiKey();
-  if (upper === 'SECURENOW_INSTANCE' || upper === 'OTEL_EXPORTER_OTLP_ENDPOINT') return resolveInstance();
-  if (upper === 'SECURENOW_FIREWALL_ENABLED') return resolveFirewallEnabled();
-
-  const configPath = ENV_TO_CONFIG_PATH[upper];
-  if (configPath) return resolveConfigPath(configPath);
-
-  const fromEnv = pick(rawEnv(upper));
-  if (fromEnv != null) return fromEnv;
-
-  return undefined;
-}
-
-function env(key) {
-  return toEnvString(resolveEnvKey(key));
-}
-
-function boolEnv(key, fallback = false) {
-  return parseBool(resolveEnvKey(key), fallback);
-}
-
-function numberEnv(key, fallback, min) {
-  return parseNumber(resolveEnvKey(key), fallback, min);
-}
-
-function listEnv(key) {
-  return parseList(resolveEnvKey(key));
-}
-
 function resolveOtlpHeaders() {
   const headers = parseHeaders(configValue('otel.headers', {}));
   const appKey = resolveAppKey();
-  if (appKey && !headers['x-api-key']) {
-    headers['x-api-key'] = appKey;
+  const apiKey = resolveApiKey();
+  if (appKey && !headers['x-securenow-app-key']) {
+    headers['x-securenow-app-key'] = appKey;
+  }
+  if (apiKey && !headers.authorization) {
+    headers.authorization = `Bearer ${apiKey}`;
   }
   const deploymentEnvironment = resolveDeploymentEnvironment();
   if (deploymentEnvironment && !headers['x-securenow-environment']) {
@@ -855,14 +729,12 @@ module.exports = {
   DEFAULT_API_URL,
   DEFAULT_FIREWALL_API_URL,
   LEGACY_SECURENOW_GATEWAY,
-  LEGACY_ENV_FALLBACK_FLAG,
   CONFIG_SCHEMA_VERSION,
   CREDENTIAL_FILE_ENVIRONMENTS,
   RUNTIME_CREDENTIALS_FILENAME,
   ADMIN_CREDENTIALS_FILENAME,
   DEFAULT_CONFIG,
   CONFIG_EXPLANATIONS,
-  ENV_TO_CONFIG_PATH,
   withCredentialDefaults,
   mergeCredentials,
   resolveConfigPath,
@@ -876,7 +748,6 @@ module.exports = {
   resolveApiKey,
   resolveInstance,
   normalizeDeploymentEnvironment,
-  legacyEnvFallbackEnabled,
   resolveDeploymentEnvironment,
   resolveAll,
   resolveNoUuid,
@@ -888,10 +759,6 @@ module.exports = {
   resolveFirewallApiUrl,
   resolveFirewallApiFallbacks,
   resolveFirewallOptions,
-  env,
-  boolEnv,
-  numberEnv,
-  listEnv,
   parseHeaders,
   normalizeInstanceEndpoint,
   normalizeSignalEndpoint,

package/cli/apiKey.js

@@ -4,6 +4,10 @@ const { api, requireAuth } = require('./client');
 const config = require('./config');
 const ui = require('./ui');
 
+const PRESET_SCOPES = {
+  runtime_app: ['traces:write', 'logs:write', 'firewall:read', 'blocklist:read', 'allowlist:read'],
+};
+
 function maskKey(key) {
   if (!key || key.length < 16) return key || '';
   return `${key.slice(0, 12)}••••••${key.slice(-4)}`;
@@ -12,16 +16,27 @@ function maskKey(key) {
 async function create(args, flags) {
   requireAuth();
 
-  const name = flags.name || args.join(' ').trim() || 'CLI firewall';
-  const preset = flags.preset || 'firewall';
+  const name = flags.name || args.join(' ').trim() || 'CLI runtime';
+  const preset = flags.preset || 'runtime_app';
   const local = flags.global ? false : true;
+  const app = config.getApp();
 
   const s = ui.spinner(`Creating ${preset} API key`);
   try {
-    const result = await api.post('/api-keys', { name, preset });
+    const body = { name, preset };
+    if (PRESET_SCOPES[preset]) {
+      body.scopes = PRESET_SCOPES[preset];
+    }
+    if (flags.app) {
+      body.apps = [flags.app];
+    } else if (preset === 'runtime_app' && app?.key) {
+      body.apps = [app.key];
+    }
+
+    const result = await api.post('/api-keys', body);
     const key = result && result.key;
     if (!key || !key.startsWith('snk_live_')) {
-      throw new Error('API did not return a valid firewall key');
+      throw new Error('API did not return a valid runtime key');
     }
 
     config.setApiKey(key, { local });
@@ -34,6 +49,7 @@ async function create(args, flags) {
         name: result.apiKey?.name || name,
         preset,
         key: maskKey(key),
+        appScope: body.apps || [],
         savedTo: local ? 'project .securenow/runtime.json' : '~/.securenow/runtime.json',
       });
       return;
@@ -43,7 +59,7 @@ async function create(args, flags) {
     ui.info(local
       ? 'Stored in project .securenow/runtime.json (local)'
       : 'Stored in ~/.securenow/runtime.json (global)');
-    ui.info('The plaintext key is not printed. The SDK will read it from the credentials file.');
+    ui.info('The plaintext key is not printed. The SDK will read it from the runtime credentials file.');
   } catch (err) {
     s.fail('Failed to create API key');
     throw err;
@@ -87,7 +103,7 @@ async function clear(args, flags) {
 async function show() {
   const key = config.getApiKey();
   if (!key) {
-    ui.info('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
+    ui.info('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
     return;
   }
   console.log(maskKey(key));

package/cli/auth.js

@@ -275,7 +275,7 @@ async function login(args, flags) {
       ui.info('Runtime app config was not changed.');
     }
     if (apiKey) {
-      ui.info(`Firewall API key saved — the firewall will activate automatically on next start`);
+      ui.info(`Runtime API key saved — telemetry ingestion and firewall sync will authenticate automatically on next start`);
     }
     if (exp) {
       const days = Math.ceil((exp - Date.now()) / (1000 * 60 * 60 * 24));
@@ -343,9 +343,9 @@ async function appConnect(args, flags) {
   ui.success(`Runtime app connected to ${ui.c.bold(app.name || app.key)}`);
   ui.info(local ? 'Saved to project .securenow/runtime.json' : 'Saved to ~/.securenow/runtime.json');
   if (apiKey) {
-    ui.info('Firewall API key saved; SDK runtime can enforce firewall without an admin token.');
+    ui.info('Runtime API key saved; SDK telemetry and firewall sync can run without an admin token.');
   } else {
-    ui.warn('No firewall API key was returned. Run `securenow api-key create` if firewall sync needs a key.');
+    ui.warn('No runtime API key was returned. Run `securenow api-key create` before sending telemetry.');
   }
   ui.info('Admin auth was not changed.');
 }
@@ -393,7 +393,7 @@ async function whoami() {
     ['Status', runtime.app?.key ? ui.c.green('connected') : ui.c.red('no app selected')],
     ['App', runtime.app?.name || '—'],
     ['App Key', runtime.app?.key || '—'],
-    ['Firewall Key', runtime.apiKey ? ui.c.green('present') : ui.c.yellow('missing')],
+    ['Runtime API Key', runtime.apiKey ? ui.c.green('present') : ui.c.yellow('missing')],
     ['Environment', runtime.config?.runtime?.deploymentEnvironment || 'production'],
     ['Runtime Source', config.getRuntimeSource()],
     ['API', config.getApiUrl()],

package/cli/config.js

@@ -127,7 +127,6 @@ function resolveRuntimeCredentialsFile() {
 }
 
 function getAuthSource() {
-  if (process.env.SECURENOW_TOKEN) return 'env (SECURENOW_TOKEN)';
   const file = appConfig.resolveLocalAdminCredentialsFile() || appConfig.resolveGlobalAdminCredentialsFile();
   if (!file) return 'not configured';
   if (file.includes(`${path.sep}.securenow${path.sep}`) && file.startsWith(process.cwd())) {
@@ -188,9 +187,6 @@ function saveCredentials(creds, { local = false } = {}) {
 }
 
 function loadAdminCredentials() {
-  if (process.env.SECURENOW_TOKEN) {
-    return { token: process.env.SECURENOW_TOKEN, source: 'env' };
-  }
   const adminFile = pickExistingFile(
     appConfig.resolveLocalAdminCredentialsFile(),
     appConfig.resolveGlobalAdminCredentialsFile()
@@ -305,8 +301,6 @@ function clearCredentials({ local } = {}) {
 }
 
 function getToken() {
-  if (process.env.SECURENOW_TOKEN) return process.env.SECURENOW_TOKEN;
-
   const creds = loadAdminCredentials();
   if (!creds.token) return null;
 
@@ -412,18 +406,17 @@ function ensureLocalGitignore() {
 }
 
 function getApiUrl() {
-  if (process.env.SECURENOW_API_URL) return process.env.SECURENOW_API_URL;
   const cfg = loadConfig();
   if (cfg.apiUrl && cfg.apiUrl !== DEFAULTS.apiUrl) return cfg.apiUrl;
-  return appConfig.env('SECURENOW_API_URL') || cfg.apiUrl;
+  return cfg.apiUrl;
 }
 
 function getAppUrl() {
-  return process.env.SECURENOW_APP_URL || loadConfig().appUrl;
+  return loadConfig().appUrl;
 }
 
 function getDefaultApp() {
-  return process.env.SECURENOW_APP || loadConfig().defaultApp;
+  return loadConfig().defaultApp;
 }
 
 module.exports = {

package/cli/credentials.js

@@ -70,7 +70,7 @@ async function runtime(_args, flags) {
     warn('No app key found. Run `npx securenow app connect` first so telemetry routes to the selected app.');
   }
   if (!creds.apiKey) {
-    warn('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` before generating production runtime credentials.');
+    warn('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` before generating production runtime credentials.');
   }
 
   if (flags.stdout) {
@@ -87,7 +87,7 @@ async function runtime(_args, flags) {
   ui.info('Credential filename lookup is fixed-order and does not depend on NODE_ENV.');
   ui.info(`Environment: ${envName}`);
   ui.info(`App: ${creds.app?.name || '(unnamed)'} ${creds.app?.key ? `(${creds.app.key})` : ''}`);
-  ui.info(`Firewall key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);
+  ui.info(`Runtime API key: ${creds.apiKey ? maskSecret(creds.apiKey) : '(missing)'}`);
   ui.info('OAuth token/email were not included.');
 }
 

package/cli/diagnostics.js

@@ -500,9 +500,9 @@ async function doctor(_args, flags) {
     warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
-    warnings.push('Admin CLI/MCP auth is connected, but runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
+    warnings.push('Admin CLI/MCP auth is connected, but the runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
   } else if (!cfg.apiKey) {
-    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
+    warnings.push('Runtime API key is missing. Run `npx securenow app connect` or `npx securenow api-key create` to refresh .securenow/runtime.json.');
   }
 
   const ok = checks.every((c) => c.ok);

package/cli/human.js

@@ -533,18 +533,23 @@ function mcpPromptText(ref, flags = {}) {
       : '2. For each task, call securenow_notifications_get and securenow_human_action_report for the notificationId and IP.',
     '3. Read the AI report, finalDecision, investigation steps, findings, proofs, metadata paths/user agents/status codes, and trace IDs.',
     '4. Open/inspect trace evidence with securenow_traces_show and securenow_logs_for_trace when trace IDs are available.',
-    '5. Decide one outcome: block the IP, mark a scoped false positive, recommend alert-rule tuning, or skip if evidence is ambiguous.',
-    '6. For block decisions, call securenow_human_action_block with confirm:true, a precise reason, and a decisionReport with summary/evidence/reviewedHistory/traceIds.',
-    '7. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, a precise reason, and a decisionReport.',
-    '8. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
-    '9. For skipped/ambiguous/rule-tuning-needed rows that should be auditable without changing status, call securenow_human_action_decision_report_add or securenow_human_case_decision_report_add with the missing proof.',
-    '10. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
-    '11. Summarize each row handled, skipped, rule tuning needed, and still waiting. Do not globally trust an IP by default.',
+    '5. Decide one outcome: block the IP, rate limit, mark a scoped false positive, apply/prepare alert-rule tuning, create/prepare a new rule, approve/reject a case action, or mark ambiguous/skipped with exact missing proof.',
+    '6. Finished does not always mean enforcement changed. If no write is safe, record or prepare a structured no-write decision report with the exact proof gap, missing permission, or vague guard.',
+    '7. For mixed evidence, split the decision by IP/cluster. Block only proven malicious IPs, false-positive only exact benign shapes, rate-limit only route-specific volume abuse, and leave ambiguous members with missing proof.',
+    '8. If the right fix is global/system rule tuning and MCP returns access denied, do not create customer-specific false positives. Prepare the exact attack-preserving guard/SQL, dry-run it if possible, and record outcome=rule_tuning with missingProof naming the missing permission.',
+    '9. Reject vague AI proposed actions. If "shared benign shape" or similar lacks concrete rule id, path, method, status, user-agent/body/header guard, benign samples, and attack examples that still match, do not execute it.',
+    '10. For block decisions, call securenow_human_action_block with confirm:true, a precise reason, and a decisionReport with summary/evidence/reviewedHistory/traceIds.',
+    '11. For rate-limit decisions, call securenow_rate_limit_create_from_text with confirm:true, then add securenow_human_action_decision_report_add with outcome=rate_limited.',
+    '12. For false positives, call securenow_human_action_false_positive with confirm:true, the narrowest available conditions, a precise reason, and a decisionReport.',
+    '13. For case-level tune_rule/create_exclusion rows, inspect the notification case and use securenow_human_case_action_update only when the proposed action is safe.',
+    '14. For skipped/ambiguous/rule-tuning-needed/new-rule-needed rows that should be auditable without changing enforcement status, call securenow_human_action_decision_report_add or securenow_human_case_decision_report_add with the missing proof.',
+    '15. If many IPs share the same benign path/status/user-agent pattern, recommend tightening the alert rule with a precise guard instead of reviewing each IP as malicious.',
+    '16. Summarize handled count, writes executed, verification result, rule tuning/admin permission blockers, partial resolutions, skipped proof gaps, and still waiting. Do not globally trust an IP by default.',
     '',
     'Safety:',
     '- Do not call write tools without confirm:true and a reason.',
     '- Do not use broad false-positive scopes if the evidence only supports one alert rule/path/method/status/user-agent/body pattern.',
-    '- Prefer no action over a weak action.',
+    '- Prefer an auditable no-write decision report over a weak substitute action.',
   ].join('\n');
 }
 

package/cli/run.js

@@ -152,11 +152,7 @@ function run(rawArgs) {
 
   const nodeExe = process.execPath;
 
-  if (process.env.SECURENOW_DEBUG) {
-    console.log(`[securenow] ${ui.c.dim('exec:')} ${nodeExe} ${finalArgs.join(' ')}`);
-  }
-
-  const child = spawn(nodeExe, finalArgs, {
+  const child = spawn(nodeExe, finalArgs, {
     stdio: 'inherit',
     env: process.env,
     cwd: process.cwd(),

package/cli/utils.js

@@ -39,9 +39,8 @@ function redact(args, flags) {
   const extra = flags.fields
     ? String(flags.fields).split(',').map((s) => s.trim()).filter(Boolean)
     : [];
-  const envExtra = (appConfig.env('SECURENOW_SENSITIVE_FIELDS') || '')
-    .split(',').map((s) => s.trim()).filter(Boolean);
-  const fields = [...DEFAULT_SENSITIVE_FIELDS, ...envExtra, ...extra];
+  const configExtra = appConfig.listConfig('capture.sensitiveFields');
+  const fields = [...DEFAULT_SENSITIVE_FIELDS, ...configExtra, ...extra];
 
   const result = redactSensitiveData(parsed, fields);
 

package/cli.js

@@ -91,7 +91,7 @@ const COMMANDS = {
     usage: 'securenow app <subcommand> [options]',
     sub: {
       connect: {
-        desc: 'Select/create app, mint firewall key, and write SDK runtime config',
+        desc: 'Select/create app, mint runtime API key, and write SDK runtime config',
         usage: 'securenow app connect [--global]',
         flags: { global: 'Save runtime config to ~/.securenow/runtime.json' },
         run: (a, f) => require('./cli/auth').appConnect(a, f),
@@ -109,17 +109,18 @@ const COMMANDS = {
     desc: 'Show admin auth and SDK runtime status',
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
-  },
+  },
   'api-key': {
-    desc: 'Manage the firewall API key stored in runtime credentials',
+    desc: 'Manage the runtime API key stored in runtime credentials',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
       create: {
-        desc: 'Create a firewall API key with your session token and save it',
-        usage: 'securenow api-key create [name] [--name <name>] [--preset firewall] [--global]',
+        desc: 'Create a runtime API key with your session token and save it',
+        usage: 'securenow api-key create [name] [--name <name>] [--preset runtime_app] [--app <appKey>] [--global]',
         flags: {
           name: 'Human-readable key name',
-          preset: 'API key preset to create (default: firewall)',
+          preset: 'API key preset to create (default: runtime_app)',
+          app: 'Application key/id to scope this key to',
           global: 'Save to ~/.securenow/ instead of project-local',
         },
         run: (a, f) => require('./cli/apiKey').create(a, f),
@@ -771,12 +772,9 @@ async function main() {
   }
 }
 
-main().catch((err) => {
-  if (err.name !== 'CLIError') {
-    ui.error(err.message || 'An unexpected error occurred');
-  }
-  if (process.env.SECURENOW_DEBUG) {
-    console.error(err.stack || err);
-  }
-  process.exit(1);
-});
+main().catch((err) => {
+  if (err.name !== 'CLIError') {
+    ui.error(err.message || 'An unexpected error occurred');
+  }
+  process.exit(1);
+});

package/console-instrumentation.js

@@ -24,7 +24,7 @@
 const tracing = require('./tracing');
 
 if (!tracing.isLoggingEnabled()) {
-  console.warn('[securenow] Console instrumentation loaded but logging is disabled (SECURENOW_LOGGING_ENABLED=0).');
+  console.warn('[securenow] Console instrumentation loaded but logging is disabled (config.logging.enabled=false).');
 }
 
 // Get a logger instance

package/firewall-only.js

@@ -7,13 +7,10 @@
  *   node -r securenow/firewall-only app.js
  *   NODE_OPTIONS='-r securenow/firewall-only' next start
  *
- * Reads .securenow/credentials.json first, with legacy env vars supported only
- * as fallbacks. Initialises the HTTP-level firewall when a snk_live_ API key
- * is resolvable.
- */
-
-try { require('dotenv').config({ quiet: true }); } catch (_) {}
-
+ * Reads SecureNow runtime credentials from .securenow/*.json. Initialises the
+ * HTTP-level firewall when a snk_live_ API key is resolvable.
+ */
+
 const appConfig = require('./app-config');
 const firewallOptions = appConfig.resolveFirewallOptions();