npm - securenow - Versions diffs - 8.0.2 → 8.0.3 - Mend

securenow 8.0.2 → 8.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -66,7 +66,7 @@ Runtime credentials look like:
 }
 ```
-The SDK reads the runtime file at boot, sends traces/logs through the SecureNow ingest gateway, routes by `app.key`, and authenticates with the runtime API key. When you rotate with `npx securenow api-key create`, the CLI defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into runtime credentials. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does. Local credential files are auto-added to `.gitignore` so they never land in git.
+The SDK reads the runtime file at boot, sends traces/logs through the SecureNow ingest gateway, routes by `app.key`, and authenticates with the runtime API key. When you rotate with `npx securenow api-key create`, the CLI defaults to the current app in `.securenow/runtime.json`, resolves that app UUID to the server app id, creates a one-app `runtime_app` key, and stores the plaintext key back into runtime credentials. `npx securenow init` also fills the config block with secure defaults plus an `_securenow.explanations` section so users can see what every setting does.
 ---
@@ -81,7 +81,7 @@ npx securenow login
 Then ask your coding agent to wire each app with this prompt:
 ```text
-I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json, gitignore only SecureNow credential files, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
+I already ran npx securenow login from the repo root. For every Node.js or Next.js app under this repo: install securenow@latest, run or merge npx securenow init, create or reuse a SecureNow app, write local .securenow/runtime.json plus tokenless .securenow/credentials.production.json for secret-file deployment, enable traces, logs, body capture, multipart metadata, and firewall, then verify with npx securenow env --json, npx securenow test-span, npx securenow log send, and a local HTTP smoke test where possible. Do not print secrets.
 ```
 For production, deploy the tokenless runtime credentials as a secret file mounted at `<app-root>/.securenow/credentials.json`.
@@ -169,7 +169,7 @@ SecureNow does not export metrics by default. The preload sets `OTEL_METRICS_EXP
 ## Production Without Env Vars
-Production uses the same file structure. Do not commit `.securenow/`; instead deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
+Production uses the same file structure. Deploy a tokenless runtime credentials file as a secret file and mount/copy it to:
 ```text
 <app-root>/.securenow/credentials.json

package/SKILL-API.md CHANGED Viewed

@@ -70,7 +70,7 @@ npx securenow app connect        # pick/create app; runtime API key is minted au
 npx securenow api-key set snk_live_abc123...
 ```
-Both paths write the key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore) and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
+Both paths write the key to `.securenow/runtime.json` and the firewall activates on next start. For production, run `npx securenow credentials runtime --env production` and mount/copy the tokenless file as `.securenow/credentials.json` or `.securenow/credentials.<env>.json`.
 The automatically created key is scoped to the selected app only. Its
 `runtime_app` scopes are `traces:write`, `logs:write`, `firewall:read`,
@@ -224,7 +224,7 @@ On Vercel it uses `@vercel/otel`; self-hosted uses vanilla `@opentelemetry/sdk-n
 }
 ```
-Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled and gitignored. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
+Local development and production do not need `.env.local`; `npx securenow app connect` and `npx securenow init` keep `.securenow/runtime.json` filled with runtime credentials and secure defaults. For production, run `npx securenow credentials runtime --env production` and mount/copy the generated JSON as `.securenow/credentials.json` or `.securenow/credentials.production.json`.
 #### Next.js Body Capture
@@ -595,7 +595,7 @@ npm install securenow@latest
 npx securenow login
 ```
-No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and is gitignored without ignoring the whole `.securenow/` directory.
+No `.env` is needed. `npx securenow app connect` writes app identity, runtime API key, and secure defaults to `.securenow/runtime.json`; the SDK uses the default SecureNow ingestion gateway and the gateway routes by `app.key` while authenticating with the runtime API key. `npx securenow init` makes sure the file has explanations and secure SDK defaults.
 Update `package.json`:
 ```json
@@ -611,7 +611,7 @@ npm install securenow@latest
 npx securenow app connect        # pick/create app; runtime API key is minted automatically
 ```
-`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json` (gitignored via credential-file patterns, not a whole-directory `.securenow/` ignore). Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
+`securenow app connect` enables the selected app's firewall toggle and writes app/runtime config plus the runtime API key to `.securenow/runtime.json`. Traces, logs, request body capture, multipart metadata capture, and firewall enforcement are enabled by default. Then run `npx securenow init`; it creates `instrumentation.ts`, patches `next.config.*` when safe, or prints exact Codex/Claude merge instructions for existing files.
 ### Enable Firewall With Zero Tracing Overhead

package/SKILL-CLI.md CHANGED Viewed

@@ -180,7 +180,7 @@ securenow init [--env local] [--key <API_KEY>]
 ```
 Auto-detects framework (Next.js, Nuxt, Express, Fastify, Koa, Hapi, Node) from `package.json`. Then:
-- **Credentials**: ensures `.securenow/runtime.json` exists, has secure defaults/explanations, and local credential JSON files are gitignored without ignoring the whole `.securenow/` directory
+- **Credentials**: ensures `.securenow/runtime.json` exists with secure defaults and explanations
 - **Next.js**: creates `instrumentation.ts/js` with `securenow/nextjs` + `securenow/nextjs-auto-capture`, and adds `serverExternalPackages: ['securenow']` plus `outputFileTracingIncludes` when the config can be patched safely
 - **Existing Next.js files**: prints a Codex/Claude-ready merge prompt when instrumentation or config already exists or is too custom to safely patch
 - **Nuxt**: tells you to add `securenow/nuxt` to modules

package/app-config.js CHANGED Viewed

@@ -419,7 +419,7 @@ function withCredentialDefaults(credentials) {
   out.config = mergeMissing(out.config, DEFAULT_CONFIG);
   out._securenow = mergeMissing(out._securenow, {
     schemaVersion: CONFIG_SCHEMA_VERSION,
-    note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets; keep .securenow/ in .gitignore.',
+    note: 'Local SecureNow credentials and secure SDK defaults. This file may contain secrets.',
     precedence: 'The same credentials file works in local development and production. SDK runtime config is read from credentials JSON only.',
     explanations: CONFIG_EXPLANATIONS,
   });

package/cli/credentials.js CHANGED Viewed

@@ -39,7 +39,7 @@ function buildRuntimeCredentials(options = {}) {
     },
     _securenow: {
       ...(creds._securenow || {}),
-      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production. Do not commit it.',
+      note: 'Runtime SecureNow credentials and SDK defaults. Mount or copy this JSON as .securenow/credentials.json or .securenow/credentials.<environment>.json in production.',
       routing: 'Telemetry is sent to the default SecureNow ingestion gateway. The gateway routes by app.key, so runtime credentials do not expose per-instance collector URLs.',
       runtimeOnly: 'This file intentionally omits CLI OAuth fields: token, email, and expiresAt.',
       production: 'Production can use this same file shape instead of environment variables.',

package/mcp/catalog.js CHANGED Viewed

@@ -18,7 +18,7 @@ Primary goals:
 Safety rules:
 - Do not print full API keys, JWTs, tokens, or local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, or .securenow/credentials.*.json). Mask secrets.
-- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, .securenow/credentials.json, and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
+- Keep local SecureNow credential files secret (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and .securenow/credentials.*.json). Do not print them; mask secrets in summaries.
 - Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
 - If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
 - Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.

package/nextjs.js CHANGED Viewed

@@ -31,12 +31,12 @@
  */
 const { randomUUID } = require('crypto');
-const { defaultMetricsExporterToNone } = require('./otel-defaults');
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
 const appConfig = require('./app-config');
 const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
-defaultMetricsExporterToNone();
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 let isRegistered = false;
@@ -477,6 +477,7 @@ function registerSecureNow(options = {}) {
       });
       const sdk = new NodeSDK({
+        ...nodeSdkTelemetryOptions,
         serviceName: serviceName,
         traceExporter: traceExporter,
         instrumentations: [httpInstrumentation],

package/nuxt-server-plugin.mjs CHANGED Viewed

@@ -20,8 +20,8 @@ import { randomUUID } from 'node:crypto';
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
 const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
-const { defaultMetricsExporterToNone } = nodeRequire('./otel-defaults');
-defaultMetricsExporterToNone();
+const { nodeSdkDefaultTelemetryOptions } = nodeRequire('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
@@ -219,6 +219,7 @@ export default defineNitroPlugin(async (nitroApp) => {
   const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
   const sdk = new NodeSDK({
+    ...nodeSdkTelemetryOptions,
     traceExporter,
     resource,
     instrumentations: [httpInstrumentation],

package/otel-defaults.js CHANGED Viewed

@@ -1,11 +1,39 @@
 'use strict';
+function isUnset(value) {
+  return value == null || String(value).trim() === '';
+}
+function listIncludes(value, needle) {
+  return String(value || '')
+    .split(',')
+    .map((part) => part.trim().toLowerCase())
+    .includes(needle);
+}
 function defaultMetricsExporterToNone(env = process.env) {
   if (!env) return false;
   const current = env.OTEL_METRICS_EXPORTER;
-  if (current != null && String(current).trim() !== '') return false;
+  if (!isUnset(current)) return false;
   env.OTEL_METRICS_EXPORTER = 'none';
   return true;
 }
-module.exports = { defaultMetricsExporterToNone };
+function nodeSdkDefaultTelemetryOptions(env = process.env) {
+  const options = {};
+  defaultMetricsExporterToNone(env);
+  if (listIncludes(env?.OTEL_METRICS_EXPORTER, 'none')) {
+    options.metricReaders = [];
+  }
+  // SecureNow installs its own log exporter. Without this, sdk-node falls back
+  // to the upstream OTEL_LOGS_EXPORTER default and tries localhost:4318.
+  if (env && isUnset(env.OTEL_LOGS_EXPORTER)) {
+    options.logRecordProcessors = [];
+  }
+  return options;
+}
+module.exports = { defaultMetricsExporterToNone, nodeSdkDefaultTelemetryOptions };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "8.0.2",
+  "version": "8.0.3",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js CHANGED Viewed

@@ -14,8 +14,8 @@
  *   Production should mount/copy tokenless runtime credentials to the same path.
  */
-const { defaultMetricsExporterToNone } = require('./otel-defaults');
-defaultMetricsExporterToNone();
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
 const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
@@ -654,6 +654,7 @@ process.on('unhandledRejection', (reason) => {
 // -------- SDK --------
 const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
 const sdk = new NodeSDK({
+  ...nodeSdkTelemetryOptions,
   traceExporter,
   instrumentations: [
     httpInstrumentation,