npm - securenow - Versions diffs - 8.0.1 → 8.0.3 - Mend

securenow 8.0.1 → 8.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/NPM_README.md CHANGED Viewed

@@ -69,7 +69,7 @@ Run login - it is a browser flow that picks or creates an app and connects the f
 npx securenow login
 ```
-During the browser step, the dashboard enables the selected app's firewall toggle, mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and the CLI writes runtime config into `.securenow/runtime.json`. Admin auth, when part of the flow, is saved separately to `.securenow/admin.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
+During the browser step, the dashboard enables the selected app's firewall toggle, mints a one-time plaintext runtime API key scoped to that app only (scopes: `traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, `allowlist:read`), and the CLI writes it as `apiKey` in `.securenow/runtime.json`. Admin auth, when part of the flow, is saved separately to `.securenow/admin.json`. Traces, logs, POST body capture, multipart metadata capture, and firewall protection are enabled by default. No env vars, no copy-pasting keys.
 Metrics export is intentionally off by default. SecureNow sets `OTEL_METRICS_EXPORTER=none` when the app has not explicitly configured metrics, preventing the OpenTelemetry SDK from creating a default metrics reader that retries `localhost:4318`.
@@ -77,7 +77,7 @@ For framework scaffolding (Next.js `instrumentation.ts`, `next.config.*`, etc.)
 ```bash
 npx securenow init
-# Optional, when you already have a key and did not use browser login:
+# Optional, when you already have a runtime API key and did not use browser login:
 npx securenow init --key snk_live_abc123...
 ```
@@ -86,13 +86,13 @@ This detects your framework and:
 - **Next.js**: Creates `instrumentation.ts`, adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when safe, or prints a Codex/Claude-ready merge prompt for existing files
 - **Nuxt 3**: Suggests adding `securenow/nuxt` to modules
 - **Express / Node.js**: Shows how to add `-r securenow/register` to your start script
-- **All**: Stores `--key` in `.securenow/runtime.json`; no local `.env` file is needed
+- **All**: Stores an optional `--key` in `.securenow/runtime.json`; no local `.env` file is needed. If the runtime API key is missing, run `npx securenow app connect` or `npx securenow api-key create` before sending telemetry.
 ### 2. Manual Setup
 #### Configure Locally
-Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, runtime API key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway, routes by `app.key`, and authenticates with the runtime API key, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`.
+Run `npx securenow app connect` to write `.securenow/runtime.json`. The SDK reads app identity, runtime API key, logging/body-capture defaults, and firewall defaults from that file at boot. Telemetry uses the default SecureNow ingestion gateway, routes by `app.key`, and authenticates with the runtime API key, so customer credentials do not expose per-instance collector URLs. Production uses the same file shape via `npx securenow credentials runtime --env production`. When rotating later with `npx securenow api-key create`, the CLI defaults to the current app in runtime credentials, resolves its app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into `.securenow/runtime.json`.
 #### Run Your Application
@@ -144,7 +144,7 @@ You'll see confirmation in the console:
 The `securenow` CLI gives you full access to the SecureNow platform from the terminal -- no browser required for day-to-day workflows. Zero additional dependencies.
-**Full CLI/SDK parity (v6.1.0+):** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, startup smoke spans -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
+**Full CLI/SDK parity:** every SDK export has a matching CLI command. `redactSensitiveData` -> `securenow redact`, `createMatcher` -> `securenow cidr match`, `getLogger().emit()` -> `securenow log send`, startup smoke spans -> `securenow test-span`, `node -r securenow/firewall-only` -> `securenow run --firewall-only`. False-positive triage (`fp create`, `fp ai-fill`, `fp mark`) works from the terminal without the web dashboard.
 ### Getting Started
@@ -178,7 +178,7 @@ npx securenow api-key clear                    # remove just the key
 # Auto-detect framework and scaffold instrumentation files
 npx securenow init
-# Pass your API key to store it in .securenow/runtime.json
+# Optional: pass an existing runtime API key to store it in .securenow/runtime.json
 npx securenow init --key snk_live_abc123...
 ```
@@ -505,7 +505,7 @@ npx securenow logs --json --level error | jq '.logs'
 | | `apps info <id>` | Application details |
 | | `apps delete <id>` | Delete application |
 | | `apps default <key>` | Set default app |
-| **API Key** | `api-key create [--name "CLI runtime"] [--global]` | Mint and save a runtime API key with your logged-in session |
+| **API Key** | `api-key create [--name "CLI runtime"] [--app <key-or-id>] [--global]` | Mint and save a one-app `runtime_app` key with your logged-in session. Defaults to the current runtime app |
 | | `api-key set <snk_live_...> [--global]` | Save runtime API key to `.securenow/runtime.json` |
 | | `api-key show` | Show masked key + source |
 | | `api-key clear [--global]` | Remove stored key (leaves session/app) |
@@ -623,7 +623,7 @@ module.exports = {
 };
 ```
-> **Important:** Put `.securenow/credentials.json` in the PM2 app root and keep `node_args: '-r securenow/register'`. PM2 restarts will then load the SDK, traces/logs, body capture, and firewall without any SecureNow env vars.
+> **Important:** Put `.securenow/runtime.json` in the PM2 app root for local/dev deployments, or mount the production runtime export as `.securenow/credentials.json`. Keep `node_args: '-r securenow/register'`. PM2 restarts will then load the SDK, traces/logs, body capture, and firewall without any SecureNow env vars.
 ---
@@ -1003,7 +1003,7 @@ const nextConfig = {
 export default nextConfig;
 ```
-No `.env.local` is needed locally or in production. Use `npx securenow credentials runtime --env production` and mount/copy the resulting JSON as `.securenow/credentials.json`.
+No `.env.local` is needed locally or in production. Local setup reads `.securenow/runtime.json`; production should use `npx securenow credentials runtime --env production` and mount/copy the resulting JSON as `.securenow/credentials.json`.
 #### Option B: Manual configuration
@@ -1050,7 +1050,7 @@ export default defineNuxtConfig({
 });
 ```
-Local and production app identity and secure defaults come from `.securenow/credentials.json`.
+Local app identity, runtime API key, and secure defaults come from `.securenow/runtime.json`; production can mount the generated tokenless runtime file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
 That's it -- the Nuxt module handles OTel SDK initialization, Nitro externalization, firewall activation, and request tracing automatically. Optional config:
@@ -1097,18 +1097,18 @@ SecureNow can automatically block IPs from your blocklist at the application lay
 Pick whichever fits your environment:
 ```bash
-# (a) Zero-config (v7.4+): login picks/creates an app and connects the firewall.
-# Key is minted and written to .securenow/credentials.json automatically.
+# (a) Zero-config (v8+): login picks/creates an app and connects the firewall.
+# Runtime API key is minted and written to .securenow/runtime.json automatically.
 npx securenow login
-# (b) Already have a key? Write it to the creds file directly:
+# (b) Already have a runtime API key? Write it to runtime credentials directly:
 npx securenow api-key set snk_live_abc123...
 # (c) Production? Generate a tokenless runtime credentials file:
 npx securenow credentials runtime --env production
 ```
-The SDK resolves the runtime API key from project `./.securenow/credentials.json`, then project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, then global `~/.securenow/credentials.json`, then global named runtime credentials in the same fixed order.
+The SDK resolves the runtime API key from project `./.securenow/runtime.json`, legacy project `./.securenow/credentials.json`, project named runtime credentials in the fixed staging/production/preview/local/test/development/dev/prod order, global `~/.securenow/runtime.json`, legacy global credentials, then global named runtime credentials in the same fixed order.
 On startup, you'll see:
@@ -1139,7 +1139,7 @@ If you only need IP blocking without OpenTelemetry tracing overhead, use the sta
 # Manual preload flag
 node -r securenow/firewall-only app.js
-# Or via the CLI (v6.1.0+) - same effect, clearer intent
+# Or via the CLI - same effect, clearer intent
 securenow run --firewall-only app.js
 ```
@@ -1157,7 +1157,7 @@ This is useful when:
 - You're adding the firewall to a project that uses a different tracing solution
 - For non-Next Node apps, this avoids framework-specific tracing setup entirely
-Firewall-only mode uses the same `.securenow/credentials.json` key written by `login`, `api-key set`, or mounted from a runtime credentials file:
+Firewall-only mode uses the same runtime API key written by `login`, `app connect`, `api-key create`, `api-key set`, or mounted from a runtime credentials file:
 ```bash
 npx securenow credentials runtime --env production
@@ -1197,9 +1197,9 @@ Use `npx securenow firewall status`, `npx securenow firewall apps`, and `npx sec
 ## Credentials Configuration
-Local development and production use `.securenow/credentials.json`. Run `npx securenow login` and `npx securenow init`; for production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json`.
+Local development uses `.securenow/runtime.json`. Run `npx securenow login` or `npx securenow app connect`, then `npx securenow init`; for production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
-Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env --json` to inspect resolved settings without exposing secrets.
+Use `.securenow/runtime.json` as the local source of truth. Run `npx securenow env --json` to inspect resolved settings without exposing secrets.
 ### Credentials Fields
@@ -1207,7 +1207,7 @@ Use `.securenow/credentials.json` as the source of truth. Run `npx securenow env
 |----------|-------------|---------|
 | `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key. | selected during login |
 | `app.name` | Human-readable app label. | selected during login |
-| `apiKey` | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. | minted during login |
+| `apiKey` | One-app scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. Runtime scopes are `traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, and `allowlist:read`. | minted during login |
 | `config.runtime.deploymentEnvironment` | `deployment.environment` trace/log scope. | `local` from init, `production` from runtime credentials |
 | `config.logging.enabled` | Automatic console log export. | `true` |
 | `config.capture.body` | Request body capture with redaction. | `true` |
@@ -1223,7 +1223,8 @@ Environment-variable fallback is not supported.
 **Default sensitive fields (auto-redacted):** `password`, `passwd`, `pwd`, `secret`, `token`, `api_key`, `apikey`, `access_token`, `auth`, `credentials`, `mysql_pwd`, `stripeToken`, `card`, `cardnumber`, `ccv`, `cvc`, `cvv`, `ssn`, `pin`
 For instrumentation, firewall layers, debugging, trusted proxies, and deployment
-environment, edit the matching `config.*` keys in `.securenow/credentials.json`.
+environment, edit the matching `config.*` keys in `.securenow/runtime.json`
+locally or in the mounted production runtime credentials file.
 Use `npx securenow env --json` to inspect the resolved values and
 `npx securenow help firewall` for the firewall command reference.
@@ -1273,7 +1274,7 @@ console.debug('Debug info');
 - `console.error()` -> ERROR
 - `console.debug()` -> DEBUG
-Logging is controlled by `config.logging.enabled` in `.securenow/credentials.json`.
+Logging is controlled by `config.logging.enabled` in `.securenow/runtime.json` locally or the mounted production runtime credentials file.
 ### Direct Logger API
@@ -1316,7 +1317,7 @@ node -r securenow/register app.js
 ## Request Body Capture
-SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `config.capture.body=false` in `.securenow/credentials.json` only when you need a local opt-out.
+SecureNow captures HTTP request bodies in traces by default, with sensitive fields automatically redacted. Set `config.capture.body=false` in `.securenow/runtime.json` locally or the mounted production runtime credentials file only when you need an opt-out.
 ### Body Capture Defaults
@@ -1470,10 +1471,10 @@ if (isLoggingEnabled()) {
 ### Programmatic Configuration
-Use `.securenow/credentials.json` for local development, tests, CI, and production:
+Use `.securenow/runtime.json` for local development and tests; CI/production should mount the generated runtime credentials file:
 ```javascript
-// Reads .securenow/credentials.json from the project root.
+// Reads .securenow/runtime.json first, with legacy/generated runtime credentials as fallbacks.
 require('securenow/register');
 ```
@@ -1565,7 +1566,7 @@ npx securenow env
 npx securenow status --env local
 ```
-The output should show an app key, collector endpoint, and deployment environment from `.securenow/credentials.json`.
+The output should show an app key, runtime API key source, collector endpoint, and deployment environment from `.securenow/runtime.json` or the mounted runtime credentials file.
 **Check 2: Verify OTLP collector is running**
@@ -1614,7 +1615,7 @@ require('securenow/register');
 ### Firewall Not Blocking IPs
-**Check 1: Is an API key in `.securenow/credentials.json`?**
+**Check 1: Is a runtime API key in `.securenow/runtime.json` or the mounted runtime credentials file?**
 ```bash
 npx securenow api-key show
@@ -1651,7 +1652,7 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 ```
-SecureNow trusts private, loopback, and same-host proxy peers automatically. For external load balancers or public proxy IPs, add them to `config.networking.trustedProxies` in `.securenow/credentials.json`. If no forwarded header reaches the app, SecureNow can detect the attack shape but cannot recover the real visitor IP from traces.
+SecureNow trusts private, loopback, and same-host proxy peers automatically. For external load balancers or public proxy IPs, add them to `config.networking.trustedProxies` in `.securenow/runtime.json` or the mounted runtime credentials file. If no forwarded header reaches the app, SecureNow can detect the attack shape but cannot recover the real visitor IP from traces.
 **Check 6: Using PM2?**
@@ -1822,14 +1823,14 @@ Without `node_args`, PM2 starts your script directly without the securenow prelo
 ### 1. Use the Credentials File
-Do not hardcode configuration in code or deployment dashboards. Use `.securenow/credentials.json` locally and mount the tokenless runtime file in production:
+Do not hardcode configuration in code or deployment dashboards. Use `.securenow/runtime.json` locally and mount the tokenless runtime file in production:
 ```javascript
 // Bad
 const appKey = 'hardcoded-value';
-// Good: use .securenow/credentials.json
-// { "app": { "key": "my-app", "instance": "https://ingest.securenow.ai" } }
+// Good: use .securenow/runtime.json
+// { "app": { "key": "<uuid>", "instance": "https://ingest.securenow.ai" }, "apiKey": "snk_live_..." }
 ```
 ### 2. Use Structured Logging

package/README.md CHANGED Viewed

@@ -37,7 +37,13 @@ That's it. No `.env` edits, no API keys to paste, no peer-dep warnings. Your tra
 `npx securenow login` opens a browser and runs both lanes for onboarding:
 - admin/control-plane CLI and MCP auth goes to `.securenow/admin.json`
-- app/runtime SDK config and the firewall API key go to `.securenow/runtime.json`
+- app/runtime SDK config and the runtime API key go to `.securenow/runtime.json`
+During app runtime onboarding, the browser flow returns a one-time plaintext
+`snk_live_...` key scoped to the selected app only. The CLI writes that key as
+`apiKey` in `.securenow/runtime.json`. Its `runtime_app` scopes are
+`traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, and
+`allowlist:read`.
 Use `npx securenow admin login` to refresh only admin auth, or `npx securenow app connect` to refresh only runtime app config. Legacy combined `.securenow/credentials.json` files are still read for old installs.
@@ -60,7 +66,7 @@ Runtime credentials look like:
 }
 ```
-The SDK reads the runtime file at boot and sends traces/logs directly to the right app bucket. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. Local credential files are auto-added to `.gitignore` so they never land in git.
+The SDK reads the runtime file at boot, sends traces/logs through the SecureNow ingest gateway, routes by `app.key`, and authenticates with the runtime API key. When you rotate with `npx securenow api-key create`, the CLI defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into runtime credentials. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does.
 ---
@@ -75,7 +81,7 @@ npx securenow login
 Then ask your coding agent to wire each app with this prompt:
 ```text
-I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json, gitignore only SecureNow credential files, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json for secret-file deployment, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
 ```
 For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
@@ -163,7 +169,7 @@ SecureNow does not export metrics by default. The preload sets `OTEL_METRICS_EXP
 ## Production Without Env Vars
-Production uses the same file structure. Do not commit `.securenow/`; instead deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
+Production uses the same file structure. Deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
 ```text
 <app-root>/.securenow/credentials.json
@@ -177,7 +183,7 @@ npx securenow credentials runtime --env production
 It writes `.securenow/credentials.production.json`, with the same `app`, `apiKey`, `config`, and `_securenow.explanations` shape, but without the CLI OAuth `token`, `email`, or `expiresAt`. Store that JSON in your deployment secret manager and materialize it as `.securenow/credentials.json` at runtime.
-Starting in v7.7.2, the SDK also accepts generated runtime filenames directly without reading environment variables to choose the file. If `.securenow/credentials.json` is missing, it checks named files in a deterministic order: staging, production, preview, local, test, development, dev, then prod.
+The v8 SDK also accepts generated runtime filenames directly without reading environment variables to choose the file. If `.securenow/credentials.json` is missing, it checks named files in a deterministic order: staging, production, preview, local, test, development, dev, then prod.
 Resolution order:
@@ -258,7 +264,7 @@ Use `.securenow/runtime.json` fields for new local SDK/runtime setups. Productio
 |---|---|---|
 | `app.key` | selected during login | App routing UUID; the gateway routes telemetry by this key |
 | `app.name` | selected during login | Human-readable label for CLI and dashboard output |
-| `apiKey` | minted during login | Scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync |
+| `apiKey` | minted during login | One-app scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. Runtime scopes: `traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, `allowlist:read` |
 | `config.runtime.deploymentEnvironment` | `local` from `init`, `production` from runtime credentials | Sent as OTel `deployment.environment` |
 | `config.logging.enabled` | `true` | Forward `console.*` as OTLP logs |
 | `config.capture.body` | `true` | Capture JSON / form request bodies with redaction |
@@ -330,7 +336,7 @@ After install, the `securenow` CLI is available via `npx securenow` or globally
 | `securenow logout` | Clear admin auth only; runtime app config stays intact |
 | `securenow logout --global` | Clear ~/.securenow/ instead |
 | `securenow whoami` | Show admin auth and runtime app status separately |
-| `securenow api-key create [--name "CLI runtime"]` | Mint and store a runtime API key using your session token |
+| `securenow api-key create [--name "CLI runtime"] [--app <key-or-id>]` | Mint and store a one-app `runtime_app` key. Defaults to the current app in `.securenow/runtime.json` |
 | `securenow api-key set <snk_live_...>` | Store runtime API key in `.securenow/runtime.json` (`--global` for `~/.securenow/`) |
 | `securenow api-key show` | Print masked key + source file |
 | `securenow api-key clear` | Remove stored key (`--global` for `~/.securenow/`) |

package/SKILL-API.md CHANGED Viewed

@@ -32,7 +32,7 @@ npx securenow app connect     # SDK runtime app + runtime API key only
 npx securenow init
 ```
-Use `securenow@7.8.0` or newer for split admin/runtime credentials. Start authentication with `npx securenow login`; do not manually open auth URLs, because the CLI generates the callback/state values. The friendly login flow can connect both lanes, while `npx securenow admin login` only writes `.securenow/admin.json` and `npx securenow app connect` only writes `.securenow/runtime.json`. `init` scaffolds the framework integration.
+Use `securenow@8.0.0` or newer for split admin/runtime credentials and runtime-authenticated ingestion. Start authentication with `npx securenow login`; do not manually open auth URLs, because the CLI generates the callback/state values. The friendly login flow can connect both lanes, while `npx securenow admin login` only writes `.securenow/admin.json` and `npx securenow app connect` only writes `.securenow/runtime.json`. `init` scaffolds the framework integration.
 ### 2. Run With Instrumentation
@@ -70,7 +70,13 @@ npx securenow app connect        # pick/create app; runtime API key is minted au
 npx securenow api-key set snk_live_abc123...
 ```
-Both paths write the key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
+Both paths write the key to `.securenow/runtime.json` and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
+The automatically created key is scoped to the selected app only. Its
+`runtime_app` scopes are `traces:write`, `logs:write`, `firewall:read`,
+`blocklist:read`, and `allowlist:read`. `securenow api-key create` uses the
+current app from `.securenow/runtime.json` by default, resolves that app UUID to
+the server app id, and stores the new one-time plaintext key back as `apiKey`.
 The firewall syncs your blocklist and enforces it on every request â€” zero code changes.
@@ -218,7 +224,7 @@ On Vercel it uses `@vercel/otel`; self-hosted uses vanilla `@opentelemetry/sdk-n
 }
 ```
-Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled and gitignored. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
+Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled with runtime credentials and secure defaults. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
 #### Next.js Body Capture
@@ -543,7 +549,7 @@ Local development uses `.securenow/runtime.json`; legacy `.securenow/credentials
 |---|---|
 | `app.key` | App routing UUID. The SecureNow ingestion gateway routes telemetry by this key |
 | `app.name` | Human-readable app label |
-| `apiKey` | Scoped runtime API key (`snk_live_...`) |
+| `apiKey` | One-app scoped runtime API key (`snk_live_...`) for telemetry ingestion and firewall sync. Runtime scopes: `traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, `allowlist:read` |
 | `config.otel.endpoint` | Optional OTLP base endpoint override |
 | `config.otel.tracesEndpoint` | Optional full traces endpoint |
 | `config.otel.logsEndpoint` | Optional full logs endpoint |
@@ -589,7 +595,7 @@ npm install securenow@latest
 npx securenow login
 ```
-No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
+No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and secure SDK defaults.
 Update `package.json`:
 ```json
@@ -605,7 +611,7 @@ npm install securenow@latest
 npx securenow app connect        # pick/create app; runtime API key is minted automatically
 ```
-`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
+`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json`. Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
 ### Enable Firewall With Zero Tracing Overhead

package/SKILL-CLI.md CHANGED Viewed

@@ -15,7 +15,7 @@ npx securenow <command>
 **Full parity with the SDK:** every capability the `securenow` Node SDK exposes has a CLI counterpart — redaction, CIDR matching, log/span emission, firewall preload, config inspection. If you can do it in code, you can do it from the terminal.
-**MCP parity (v7.5+):** the same package also ships a local stdio MCP server for Codex, Claude, and other MCP clients:
+**MCP parity (v8.0+):** the same package also ships a local stdio MCP server for Codex, Claude, and other MCP clients:
 ```bash
 npx securenow login
@@ -40,11 +40,11 @@ securenow whoami            # verify both admin auth and runtime app status
 **Zero-config runtime flow:** the browser step lets the user pick (or create) an app. The CLI stores the app's **key (UUID)** and **name** in `.securenow/runtime.json`. The SDK sends traces/logs to the default SecureNow ingestion gateway, which routes by app key, so no env vars or per-instance collector URLs are required for local dev or production.
-**Default-on security (v7.5.1+):** after picking or creating the app, `securenow app connect` turns on that app's firewall toggle, mints an API key with `firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/runtime.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running app connect, use `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
+**Default-on security (v8.0+):** after picking or creating the app, `securenow app connect` turns on that app's firewall toggle, mints a runtime API key with `traces:write + logs:write + firewall:read + blocklist:read + allowlist:read` scopes, and writes it into `.securenow/runtime.json`. Traces, logs, POST body capture, multipart metadata capture, and the firewall are enabled by default. No `SECURENOW_API_KEY` env var is needed. To add or rotate a key later without re-running app connect, use `securenow api-key create` or `securenow api-key set snk_live_...` (see [API Key Management](#api-key-management) below).
 Runtime credentials resolve in order: project `.securenow/runtime.json` -> legacy project `.securenow/credentials.json` -> project named runtime credentials -> global `.securenow/runtime.json` -> legacy global credentials -> global named runtime credentials. Admin auth resolves from `admin.json` first, then legacy `credentials.json`. Runtime config is credentials-json based; environment-variable fallbacks are not supported.
-The **firewall API key** should live in runtime credentials as `apiKey`.
+The **runtime API key** should live in runtime credentials as `apiKey`; it authenticates telemetry ingestion and firewall sync.
 For CI / Docker / production, use `securenow credentials runtime --env production` to generate a tokenless runtime file, then mount/copy it as `.securenow/credentials.json`. Since v7.7.2, mounting the generated `.securenow/credentials.production.json` filename directly also works when `credentials.json` is absent.
@@ -161,7 +161,8 @@ securenow apps scan [--yes]                  # scan all app domains for new subd
 Manage the runtime API key stored in runtime credentials. Since v8.0 the app runtime flow writes app-scoped `snk_live_...` keys to `.securenow/runtime.json` by default, so no env var is required for local dev.
 ```bash
-securenow api-key create --name "CLI runtime" # mint + save a runtime API key with your logged-in session
+securenow api-key create --name "CLI runtime" # mint + save a current-app runtime key
+securenow api-key create --app <key-or-id>    # mint + save a runtime key scoped to another app
 securenow api-key set snk_live_xxxxxxxxxx    # save to project ./.securenow/ (default)
 securenow api-key set snk_live_xxx --global  # save to ~/.securenow/ instead
 securenow api-key show                       # print the masked current key + its source
@@ -170,7 +171,7 @@ securenow api-key clear --global             # same, but from the global file
 securenow credentials runtime --env production # write .securenow/credentials.production.json for production secret-file deploys
 ```
-The key must start with `snk_live_`. `securenow app connect` writes the key automatically; use `api-key create` when you have admin auth but no runtime key yet, or `api-key set` when you already have a key from the dashboard.
+The key must start with `snk_live_`. `securenow app connect` writes the key automatically; use `api-key create` when you have admin auth but no runtime key yet, or `api-key set` when you already have a key from the dashboard. `api-key create` defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key with `traces:write`, `logs:write`, `firewall:read`, `blocklist:read`, and `allowlist:read`, then stores the one-time plaintext key as `apiKey`.
 ### Init — Project Setup
@@ -179,7 +180,7 @@ securenow init [--env local] [--key <API_KEY>]
 ```
 Auto-detects framework (Next.js, Nuxt, Express, Fastify, Koa, Hapi, Node) from `package.json`. Then:
-- **Credentials**: ensures `.securenow/runtime.json` exists, has secure defaults/explanations, and local credential JSON files are gitignored without ignoring the whole `.securenow/` directory
+- **Credentials**: ensures `.securenow/runtime.json` exists with secure defaults and explanations
 - **Next.js**: creates `instrumentation.ts/js` with `securenow/nextjs` + `securenow/nextjs-auto-capture`, and adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when the config can be patched safely
 - **Existing Next.js files**: prints a Codex/Claude-ready merge prompt when instrumentation or config already exists or is too custom to safely patch
 - **Nuxt**: tells you to add `securenow/nuxt` to modules
@@ -313,7 +314,7 @@ securenow firewall status --app <key> --env production   # app/env toggle, sync
 securenow firewall test-ip <ip> --app <key> --env local  # check if IP would be blocked
 ```
-**Zero-config setup:** running `securenow app connect` enables the selected app's firewall toggle, auto-mints an API key (scoped `firewall:read + blocklist:read + allowlist:read`), and writes it to `.securenow/runtime.json` after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
+**Zero-config setup:** running `securenow app connect` enables the selected app's firewall toggle, auto-mints a runtime API key (scoped `traces:write + logs:write + firewall:read + blocklist:read + allowlist:read`), and writes it to `.securenow/runtime.json` after the app is selected. No `SECURENOW_API_KEY` env var needed. If the user already has a key, `securenow api-key set snk_live_...` achieves the same thing; if they only have admin auth, `securenow api-key create` mints and saves a fresh runtime key. See [the landing firewall page](https://securenow.ai/firewall) for an overview.
 ### Blocklist — Block Malicious IPs

package/app-config.js CHANGED Viewed

@@ -419,7 +419,7 @@ function withCredentialDefaults(credentials) {
   out.config = mergeMissing(out.config, DEFAULT_CONFIG);
   out._securenow = mergeMissing(out._securenow, {
     schemaVersion: CONFIG_SCHEMA_VERSION,
-    note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets; keep .securenow/ in .gitignore.',
+    note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets.',
     precedence: 'The same credentials file works in local development and production. SDK runtime config is read from credentials JSON only.',
     explanations: CONFIG_EXPLANATIONS,
   });

package/cli/apiKey.js CHANGED Viewed

@@ -8,11 +8,31 @@ const PRESET_SCOPES = {
   runtime_app: ['traces:write', 'logs:write', 'firewall:read', 'blocklist:read', 'allowlist:read'],
 };
+const OBJECT_ID_RE = /^[a-f0-9]{24}$/i;
 function maskKey(key) {
   if (!key || key.length < 16) return key || '';
   return `${key.slice(0, 12)}••••••${key.slice(-4)}`;
 }
+async function resolveAppScopeForApi(appIdentifier) {
+  const raw = String(appIdentifier || '').trim();
+  if (!raw || OBJECT_ID_RE.test(raw)) return raw || null;
+  const data = await api.get('/applications');
+  const app = (data.applications || []).find((candidate) =>
+    candidate.key === raw ||
+    candidate._id === raw ||
+    candidate.id === raw
+  );
+  if (!app) {
+    throw new Error(`Could not find application for --app ${raw}`);
+  }
+  return app._id || app.id || raw;
+}
 async function create(args, flags) {
   requireAuth();
@@ -27,10 +47,9 @@ async function create(args, flags) {
     if (PRESET_SCOPES[preset]) {
       body.scopes = PRESET_SCOPES[preset];
     }
-    if (flags.app) {
-      body.apps = [flags.app];
-    } else if (preset === 'runtime_app' && app?.key) {
-      body.apps = [app.key];
+    const appScope = flags.app || (preset === 'runtime_app' && app?.key ? app.key : null);
+    if (appScope) {
+      body.apps = [await resolveAppScopeForApi(appScope)];
     }
     const result = await api.post('/api-keys', body);

package/cli/credentials.js CHANGED Viewed

@@ -39,7 +39,7 @@ function buildRuntimeCredentials(options = {}) {
     },
     _securenow: {
       ...(creds._securenow || {}),
-      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
+      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production.',
       routing: 'Telemetry is sent to the default SecureNow ingestion gateway. The gateway routes by app.key, so runtime credentials do not expose per-instance collector URLs.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',

package/cli.js CHANGED Viewed

@@ -116,11 +116,11 @@ const COMMANDS = {
     sub: {
       create: {
         desc: 'Create a runtime API key with your session token and save it',
-        usage: 'securenow api-key create [name] [--name <name>] [--preset runtime_app] [--app <appKey>] [--global]',
+        usage: 'securenow api-key create [name] [--name <name>] [--preset runtime_app] [--app <appKeyOrId>] [--global]',
         flags: {
           name: 'Human-readable key name',
           preset: 'API key preset to create (default: runtime_app)',
-          app: 'Application key/id to scope this key to',
+          app: 'Application key or id to scope this key to (defaults to current runtime app)',
           global: 'Save to ~/.securenow/ instead of project-local',
         },
         run: (a, f) => require('./cli/apiKey').create(a, f),

package/mcp/catalog.js CHANGED Viewed

@@ -10,7 +10,7 @@ const MARKDOWN = 'text/markdown';
 const UNIVERSAL_SECURENOW_SETUP_PROMPT = `You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
 Primary goals:
-- Use the latest published SecureNow npm package. Require securenow@7.8.0 or newer for split admin/runtime credentials.
+- Use the latest published SecureNow npm package. Require securenow@8.0.0 or newer for split admin/runtime credentials and runtime-authenticated ingestion.
 - By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
 - If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
 - The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow AI IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
@@ -18,7 +18,7 @@ Primary goals:
 Safety rules:
 - Do not print full API keys, JWTs, tokens, or local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, or .securenow/credentials.*.json). Mask secrets.
-- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, .securenow/credentials.json, and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
+- Keep local SecureNow credential files secret (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and .securenow/credentials.*.json). Do not print them; mask secrets in summaries.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
@@ -32,7 +32,7 @@ Runbook:
 2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
    node -p "require('./node_modules/securenow/package.json').version"
    npx securenow version
-   Stop and fix the install if either is below 7.8.0 or npx still resolves an older local package.
+   Stop and fix the install if either is below 8.0.0 or npx still resolves an older local package.
 3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
 4. Mandatory auth/runtime gate:
    - Run npx securenow whoami from the project root.
@@ -43,10 +43,10 @@ Runbook:
 5. Validate project-local credentials without exposing secrets:
    - Confirm .securenow/runtime.json exists for SDK runtime setup, or legacy .securenow/credentials.json exists for old installs.
    - Confirm the runtime file has SecureNow's default config/explanations block.
-   - Confirm the runtime file has an app key/name/instance and a firewall API key after app selection.
+   - Confirm the runtime file has an app key/name/instance and a runtime API key after app selection. The app key only routes telemetry; the runtime API key is required to authenticate telemetry ingestion and firewall sync.
    - Confirm .securenow/admin.json exists only when admin CLI/MCP auth is needed.
    - Confirm .securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
-6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.8.0, and retry. Do not silently ignore init failures.
+6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=8.0.0, and retry. Do not silently ignore init failures.
 7. Configure the least invasive framework-specific integration:
    - Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include require("securenow/nextjs-auto-capture") for body capture. For Next 15+, add securenow to serverExternalPackages. For older Next.js, use experimental.serverComponentsExternalPackages. Preserve proxy.js/middleware.js.
    - Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
@@ -61,6 +61,7 @@ Runbook:
    - config.firewall.failMode: "open"
    - config.capture.maxBodySize: 10240
    For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json or <app-root>/.securenow/credentials.production.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
+   Do not proceed with telemetry verification if the runtime API key is missing; run npx securenow app connect or npx securenow api-key create first. The v8 ingestion gateway rejects app-key-only telemetry.
    Local credentials should use config.runtime.deploymentEnvironment="local". Production runtime credentials should use "production". The app key stays the same; traces, logs, firewall status, forensics, and CLI/MCP queries are scoped by environment.
 9. Verify firewall and threshold:
    - Run npx securenow firewall apps and npx securenow firewall status.

package/nextjs.js CHANGED Viewed

@@ -31,12 +31,12 @@
  */
 const { randomUUID } = require('crypto');
-const { defaultMetricsExporterToNone } = require('./otel-defaults');
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
 const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
-defaultMetricsExporterToNone();
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 let isRegistered = false;
@@ -477,6 +477,7 @@ function registerSecureNow(options = {}) {
       });
       const sdk = new NodeSDK({
+        ...nodeSdkTelemetryOptions,
         serviceName: serviceName,
         traceExporter: traceExporter,
         instrumentations: [httpInstrumentation],

package/nuxt-server-plugin.mjs CHANGED Viewed

@@ -20,8 +20,8 @@ import { randomUUID } from 'node:crypto';
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
 const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
-const { defaultMetricsExporterToNone } = nodeRequire('./otel-defaults');
-defaultMetricsExporterToNone();
+const { nodeSdkDefaultTelemetryOptions } = nodeRequire('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
@@ -219,6 +219,7 @@ export default defineNitroPlugin(async (nitroApp) => {
   const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
   const sdk = new NodeSDK({
+    ...nodeSdkTelemetryOptions,
     traceExporter,
     resource,
     instrumentations: [httpInstrumentation],

package/otel-defaults.js CHANGED Viewed

@@ -1,11 +1,39 @@
 'use strict';
+function isUnset(value) {
+  return value == null || String(value).trim() === '';
+}
+function listIncludes(value, needle) {
+  return String(value || '')
+    .split(',')
+    .map((part) => part.trim().toLowerCase())
+    .includes(needle);
+}
 function defaultMetricsExporterToNone(env = process.env) {
   if (!env) return false;
   const current = env.OTEL_METRICS_EXPORTER;
-  if (current != null && String(current).trim() !== '') return false;
+  if (!isUnset(current)) return false;
   env.OTEL_METRICS_EXPORTER = 'none';
   return true;
 }
-module.exports = { defaultMetricsExporterToNone };
+function nodeSdkDefaultTelemetryOptions(env = process.env) {
+  const options = {};
+  defaultMetricsExporterToNone(env);
+  if (listIncludes(env?.OTEL_METRICS_EXPORTER, 'none')) {
+    options.metricReaders = [];
+  }
+  // SecureNow installs its own log exporter. Without this, sdk-node falls back
+  // to the upstream OTEL_LOGS_EXPORTER default and tries localhost:4318.
+  if (env && isUnset(env.OTEL_LOGS_EXPORTER)) {
+    options.logRecordProcessors = [];
+  }
+  return options;
+}
+module.exports = { defaultMetricsExporterToNone, nodeSdkDefaultTelemetryOptions };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "8.0.1",
+  "version": "8.0.3",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js CHANGED Viewed

@@ -14,8 +14,8 @@
  *   Production should mount/copy tokenless runtime credentials to the same path.
  */
-const { defaultMetricsExporterToNone } = require('./otel-defaults');
-defaultMetricsExporterToNone();
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
@@ -654,6 +654,7 @@ process.on('unhandledRejection', (reason) => {
 // -------- SDK --------
 const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
 const sdk = new NodeSDK({
+  ...nodeSdkTelemetryOptions,
   traceExporter,
   instrumentations: [
     httpInstrumentation,