securenow 8.5.0 → 8.7.0

package/tracing.js

@@ -1,758 +1,844 @@
-'use strict';
-
-/**
- * Preload with: node --require securenow/register app.js
- *
- * Works for both CJS and ESM apps. On Node >=20.6 the ESM loader hook is
- * auto-registered via module.register() — no --import flag needed.
- * On Node 18 with "type": "module", add the hook manually:
- *   node --import @opentelemetry/instrumentation/hook.mjs --require securenow/register app.js
- *
- * Config:
- *   Runtime config is read from .securenow/credentials.json.
- *   Run `npx securenow login` and `npx securenow init` to create it.
- *   Production should mount/copy tokenless runtime credentials to the same path.
- */
-
-const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
-const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
-
-const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
-const { NodeSDK } = require('@opentelemetry/sdk-node');
-const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
-const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
-const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
-const otelResources = require('@opentelemetry/resources');
-const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
-const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
-const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongodb');
-const { randomUUID } = require('crypto');
-const appConfig = require('./app-config');
-
-function createResource(attributes) {
-  if (typeof otelResources.resourceFromAttributes === 'function') {
-    return otelResources.resourceFromAttributes(attributes);
-  }
-  if (typeof otelResources.Resource === 'function') {
-    return new otelResources.Resource(attributes);
-  }
-  throw new Error('Unsupported @opentelemetry/resources version');
-}
-
-// Default sensitive fields to redact from request bodies
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-function escapeRegex(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key of Object.keys(redacted)) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Redact sensitive data from GraphQL query strings
- */
-function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!query || typeof query !== 'string') return query;
-  
-  let redacted = query;
-  
-  // Redact sensitive fields in GraphQL arguments and variables
-  sensitiveFields.forEach(field => {
-    const escaped = escapeRegex(field);
-    const patterns = [
-      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
-    ];
-    
-    patterns.forEach(pattern => {
-      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
-        if (suffix) {
-          return `${prefix}[REDACTED]${suffix}`;
-        } else {
-          return `${prefix}[REDACTED]`;
-        }
-      });
-    });
-  });
-  
-  return redacted;
-}
-
-// -------- Multipart streaming parser --------
-// Streams through the request without buffering file content.
-// Only part headers and text-field values are kept in memory,
-// so memory stays bounded (~few KB) regardless of upload size.
-
-function extractBoundary(contentType) {
-  const match = contentType.match(/boundary=(?:"([^"]+)"|([^\s;]+))/i);
-  return match ? (match[1] || match[2]) : null;
-}
-
-function createMultipartMetaCollector(contentType, sensitiveFields, maxTextFieldSize, onComplete) {
-  const boundary = extractBoundary(contentType);
-  if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return null; }
-
-  const result = { fields: Object.create(null), files: [] };
-  let totalSize = 0;
-  let buf = Buffer.alloc(0);
-
-  const MAX_PARTS = 100;
-  let partCount = 0;
-
-  const FIRST_DELIM = Buffer.from('--' + boundary);
-  const DELIM       = Buffer.from('\r\n--' + boundary);
-  const HDR_END     = Buffer.from('\r\n\r\n');
-
-  let initialized = false;
-  let inHeaders = true;
-  let isFile = false;
-  let fldName = '';
-  let fName = '';
-  let pCT = '';
-  let bodyBytes = 0;
-  let textVal = '';
-
-  function flushPart() {
-    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
-    if (isFile) {
-      result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
-    } else {
-      const lower = fldName.toLowerCase();
-      const redact = sensitiveFields.some(f => lower.includes(f.toLowerCase()));
-      result.fields[fldName] = redact ? '[REDACTED]' : textVal.substring(0, maxTextFieldSize);
-    }
-    fldName = ''; bodyBytes = 0; textVal = ''; partCount++;
-  }
-
-  function drain() {
-    if (!initialized) {
-      const i = buf.indexOf(FIRST_DELIM);
-      if (i === -1) {
-        if (buf.length > FIRST_DELIM.length + 4) buf = buf.slice(buf.length - FIRST_DELIM.length - 4);
-        return;
-      }
-      buf = buf.slice(i + FIRST_DELIM.length);
-      initialized = true;
-      inHeaders = true;
-    }
-
-    let guard = 200;
-    while (buf.length > 0 && guard-- > 0 && partCount < MAX_PARTS) {
-      if (inHeaders) {
-        if (buf.length >= 2 && buf[0] === 0x2D && buf[1] === 0x2D) { buf = Buffer.alloc(0); return; }
-        if (buf.length >= 2 && buf[0] === 0x0D && buf[1] === 0x0A) { buf = buf.slice(2); continue; }
-
-        const hi = buf.indexOf(HDR_END);
-        if (hi === -1) return;
-
-        const hdr = buf.slice(0, hi).toString('latin1');
-        buf = buf.slice(hi + 4);
-
-        const nm = hdr.match(/name="([^"]+)"/);
-        const fn = hdr.match(/filename="([^"]*)"/);
-        const ct = hdr.match(/Content-Type:\s*(.+)/i);
-        fldName = nm ? nm[1] : '';
-        fName   = fn ? fn[1] : '';
-        pCT     = ct ? ct[1].trim() : '';
-        isFile  = !!fn;
-        bodyBytes = 0;
-        textVal = '';
-        inHeaders = false;
-      }
-
-      const di = buf.indexOf(DELIM);
-      if (di === -1) {
-        const safe = Math.max(0, buf.length - DELIM.length - 2);
-        if (safe > 0) {
-          bodyBytes += safe;
-          if (!isFile && textVal.length < maxTextFieldSize) {
-            textVal += buf.slice(0, safe).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-          }
-          buf = buf.slice(safe);
-        }
-        return;
-      }
-
-      bodyBytes += di;
-      if (!isFile && textVal.length < maxTextFieldSize) {
-        textVal += buf.slice(0, di).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-      }
-      flushPart();
-      buf = buf.slice(di + DELIM.length);
-      inHeaders = true;
-    }
-  }
-
-  function onData(chunk) {
-    const data = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
-    totalSize += data.length;
-    buf = Buffer.concat([buf, data]);
-    drain();
-  }
-
-  function onEnd() {
-    try {
-      if (!inHeaders && fldName) {
-        bodyBytes += buf.length;
-        if (!isFile) textVal += buf.toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-        flushPart();
-      }
-      onComplete({ parsed: result, totalSize });
-    } catch (e) {
-      onComplete({ error: 'PARSE_ERROR' });
-    }
-  }
-
-  return { onData, onEnd };
-}
-
-function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFieldSize, onComplete) {
-  const collector = createMultipartMetaCollector(contentType, sensitiveFields, maxTextFieldSize, onComplete);
-  if (!collector) return;
-  request.on('data', collector.onData);
-  request.on('end', collector.onEnd);
-}
-
-// -------- ESM detection --------
-// register.js auto-registers the hook via module.register() on Node >=20.6.
-// This warning only fires if BOTH --import AND module.register() were skipped
-// (e.g. Node 18, or require('securenow/tracing') called directly without register.js).
-(() => {
-  try {
-    const fs = require('fs');
-    const path = require('path');
-    const pkgPath = path.resolve(process.cwd(), 'package.json');
-    if (fs.existsSync(pkgPath)) {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-      if (pkg.type === 'module') {
-        const execArgv = process.execArgv.join(' ');
-        const hasCliHook = execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle');
-        const hasModuleRegister = typeof require('node:module').register === 'function';
-        if (!hasCliHook && !hasModuleRegister) {
-          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
-          console.warn('[securenow]    Upgrade to Node >=20.6 (recommended) or add: --import @opentelemetry/instrumentation/hook.mjs');
-        }
-      }
-    }
-  } catch (_) {}
-})();
-
-// -------- diagnostics --------
-const diagLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
-(() => {
-  const level = diagLevel === 'debug' ? DiagLogLevel.DEBUG :
-                diagLevel === 'info'  ? DiagLogLevel.INFO  :
-                diagLevel === 'warn'  ? DiagLogLevel.WARN  :
-                diagLevel === 'error' ? DiagLogLevel.ERROR : DiagLogLevel.NONE;
-  diag.setLogger(new DiagConsoleLogger(), level);
-  console.log('[securenow] preload loaded pid=%d', process.pid);
-})();
-
-// -------- endpoints & app resolution --------
-// Resolution order for endpoint/appId/apiKey: .securenow/credentials.json -> package.json#name -> defaults.
-const resolvedApp = appConfig.resolveAll();
-const resolvedEndpoints = appConfig.resolveEndpoints();
-
-const endpointBase = resolvedEndpoints.endpointBase;
-const tracesUrl = resolvedEndpoints.tracesUrl;
-const logsUrl = resolvedEndpoints.logsUrl;
-
-// resolveEndpoints() also adds app routing and runtime auth headers when
-// explicit OTLP headers did not provide them.
-const headers = resolvedEndpoints.headers;
-
-// -------- naming rules --------
-const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
-const baseName = rawBase || null;
-// Auto-disables the per-worker suffix when we resolved a routing UUID from
-// credentials — the dashboard does exact-match IN on service.name, so any
-// suffix breaks routing. config.runtime.noUuid can override.
-const noUuid   = appConfig.resolveNoUuid();
-const strict   = appConfig.boolConfig('runtime.strict', false);
-const inPm2Cluster = !!(process.env.NODE_APP_INSTANCE || process.env.pm_id);
-
-// Fail fast in cluster if base is missing (no more "free" names)
-if (!baseName && inPm2Cluster && strict) {
-  console.error('[securenow] FATAL: app identity missing in cluster (pid=%d). Exiting due to config.runtime.strict=true.', process.pid);
-  // small delay so the log flushes
-  setTimeout(() => process.exit(1), 10);
-}
-
-// service.name
-let serviceName;
-if (baseName) {
-  serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
-} else {
-  // last-resort fallback (only if STRlCT is off). You can rename this to make it obvious in monitoring.
-  serviceName = `securenow-free-${randomUUID()}`;
-}
-
-// service.instance.id = <appid-or-fallback>-<uuid> (unique per worker)
-const instancePrefix   = baseName || 'securenow';
-const serviceInstanceId = `${instancePrefix}-${randomUUID()}`;
-
-// Loud line per worker to prove what was used
-console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=%s instance.id=%s',
-  process.pid,
-  JSON.stringify(baseName),
-  JSON.stringify(endpointBase),
-  resolvedApp.appKey ? 'set' : 'none',
-  serviceName,
-  serviceInstanceId
-);
-
-// -------- instrumentations --------
-const disabledMap = {};
-for (const n of appConfig.listConfig('otel.disableInstrumentations')) {
-  disabledMap[n] = { enabled: false };
-}
-
-// -------- Body Capture Configuration --------
-// Opt-out defaults: set config.capture.body=false to disable.
-const captureBody = appConfig.boolConfig('capture.body', true);
-const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
-const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
-const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-
-const captureMultipart = appConfig.boolConfig('capture.multipart', true);
-
-const BODY_CAPTURE_PATCH = Symbol.for('securenow.bodyCapture.emitPatch');
-
-function installRequestBodyObserver(span, request, contentType) {
-  if (!request || request[BODY_CAPTURE_PATCH]) return;
-
-  const normalizedContentType = String(contentType || '').toLowerCase();
-  const isStructuredBody = captureBody && (
-    normalizedContentType.includes('application/json') ||
-    normalizedContentType.includes('application/graphql') ||
-    normalizedContentType.includes('application/x-www-form-urlencoded')
-  );
-  const isMultipartBody = normalizedContentType.includes('multipart/form-data');
-
-  if (!isStructuredBody && !isMultipartBody) return;
-
-  if (isMultipartBody && !captureMultipart) {
-    span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-    span.setAttribute('http.request.body.type', 'multipart');
-    span.setAttribute('http.request.body.note', 'Multipart capture disabled by config.capture.multipart=false');
-    return;
-  }
-
-  let chunks = [];
-  let size = 0;
-  let structuredDone = false;
-
-  const multipartCollector = isMultipartBody && captureMultipart
-    ? createMultipartMetaCollector(normalizedContentType, allSensitiveFields, 1000, ({ error, parsed, totalSize }) => {
-        try {
-          if (error === 'BOUNDARY_NOT_FOUND') {
-            span.setAttribute('http.request.body', '[MULTIPART - BOUNDARY NOT FOUND]');
-            span.setAttribute('http.request.body.type', 'multipart');
-            return;
-          }
-          if (error) {
-            span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
-            span.setAttribute('http.request.body.type', 'multipart');
-            span.setAttribute('http.request.body.parse_error', true);
-            return;
-          }
-          span.setAttributes({
-            'http.request.body': JSON.stringify(parsed).substring(0, maxBodySize),
-            'http.request.body.type': 'multipart',
-            'http.request.body.size': totalSize,
-            'http.request.body.fields_count': Object.keys(parsed.fields).length,
-            'http.request.body.files_count': parsed.files.length,
-          });
-        } catch (e) {
-          span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
-          span.setAttribute('http.request.body.type', 'multipart');
-          span.setAttribute('http.request.body.parse_error', true);
-        }
-      })
-    : null;
-
-  if (isMultipartBody && captureMultipart && !multipartCollector) return;
-
-  function finishStructuredCapture() {
-    if (!isStructuredBody || structuredDone) return;
-    structuredDone = true;
-
-    if (size > maxBodySize) {
-      span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
-      span.setAttribute('http.request.body.size', size);
-      chunks = [];
-      return;
-    }
-
-    if (chunks.length === 0) return;
-
-    const body = Buffer.concat(chunks).toString('utf8');
-    chunks = [];
-
-    try {
-      if (normalizedContentType.includes('application/graphql')) {
-        const redacted = redactGraphQLQuery(body, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': redacted.substring(0, maxBodySize),
-          'http.request.body.type': 'graphql',
-          'http.request.body.size': size,
-        });
-      } else if (normalizedContentType.includes('application/json')) {
-        const parsed = JSON.parse(body);
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': 'json',
-          'http.request.body.size': size,
-        });
-      } else if (normalizedContentType.includes('application/x-www-form-urlencoded')) {
-        const parsed = Object.fromEntries(new URLSearchParams(body));
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': 'form',
-          'http.request.body.size': size,
-        });
-      }
-    } catch (e) {
-      span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
-      span.setAttribute('http.request.body.parse_error', true);
-      span.setAttribute('http.request.body.size', size);
-    }
-  }
-
-  const originalEmit = request.emit;
-  request[BODY_CAPTURE_PATCH] = true;
-  request.emit = function securenowObservedEmit(event, ...args) {
-    try {
-      if (event === 'data' && args.length > 0) {
-        const chunk = Buffer.isBuffer(args[0]) ? args[0] : Buffer.from(args[0]);
-        if (isStructuredBody) {
-          size += chunk.length;
-          if (size <= maxBodySize) chunks.push(chunk);
-        }
-        if (multipartCollector) multipartCollector.onData(chunk);
-      } else if (event === 'end') {
-        finishStructuredCapture();
-        if (multipartCollector) multipartCollector.onEnd();
-      }
-    } catch (_) {
-      // Body capture must never interfere with the application request stream.
-    }
-    return originalEmit.apply(this, [event, ...args]);
-  };
-}
-
-// -------- Trusted proxy IP resolution --------
-const { resolveClientIpWithDetails } = require('./resolve-ip');
-
-// Configure HTTP instrumentation with body capture
-const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
-const httpInstrumentation = new HttpInstrumentation({
-  requestHook: (span, request) => {
-    try {
-      const ipDetails = resolveClientIpWithDetails(request);
-      if (ipDetails.ip) {
-        span.setAttribute('http.client_ip', ipDetails.ip);
-        span.setAttribute('http.client_ip.source', ipDetails.source);
-        span.setAttribute('http.socket_ip', ipDetails.socketIp || '');
-        span.setAttribute('http.proxy.trusted', String(!!ipDetails.trustedProxy));
-        if (ipDetails.forwardedFor) {
-          span.setAttribute('http.forwarded_for', ipDetails.forwardedFor);
-          span.setAttribute('http.request.header.x_forwarded_for', ipDetails.forwardedFor);
-        }
-        if (ipDetails.realIp) {
-          span.setAttribute('http.real_ip', ipDetails.realIp);
-          span.setAttribute('http.request.header.x_real_ip', ipDetails.realIp);
-        }
-        if (ipDetails.cfConnectingIp) {
-          span.setAttribute('http.cf.connecting_ip', ipDetails.cfConnectingIp);
-          span.setAttribute('http.request.header.cf_connecting_ip', ipDetails.cfConnectingIp);
-        }
-        if (ipDetails.trueClientIp) {
-          span.setAttribute('http.request.header.true_client_ip', ipDetails.trueClientIp);
-        }
-        if (ipDetails.clientIp) {
-          span.setAttribute('http.request.header.x_client_ip', ipDetails.clientIp);
-        }
-      }
-
-      if (request.headers) {
-        const SKIP_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization', 'set-cookie', 'x-api-key', 'x-auth-token']);
-        const safe = {};
-        for (const [k, v] of Object.entries(request.headers)) {
-          if (SKIP_HEADERS.has(k.toLowerCase())) { safe[k] = '[REDACTED]'; continue; }
-          safe[k] = typeof v === 'string' ? v.substring(0, 500) : String(v);
-        }
-        const serialized = JSON.stringify(safe);
-        if (serialized.length <= 8192) {
-          span.setAttribute('http.request.headers', serialized);
-        }
-      }
-
-      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
-        const contentType = request.headers['content-type'] || '';
-        installRequestBodyObserver(span, request, contentType);
-      }
-    } catch (error) {
-      // Silently fail
-    }
-  },
-});
-
-// -------- Logging Configuration --------
-// Opt-out default: set config.logging.enabled=false to disable.
-const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
-
-// Create shared resource for both traces and logs
-const sharedResource = createResource({
-  [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-  [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
-  [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: appConfig.resolveDeploymentEnvironment(),
-  [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
-});
-
-// Initialize LoggerProvider if logging is enabled
-let loggerProvider = null;
-
-if (loggingEnabled) {
-  const logExporter = new OTLPLogExporter({ 
-    url: logsUrl, 
-    headers 
-  });
-  
-  const batchLogProcessor = new BatchLogRecordProcessor(logExporter);
-  loggerProvider = new LoggerProvider({
-    resource: sharedResource,
-    processors: [batchLogProcessor],
-  });
-
-  // Auto-patch console.* so every log/warn/error becomes an OTel log record
-  const _logger = loggerProvider.getLogger('console', '1.0.0');
-  const _orig = console.__securenow_original || { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
-  if (!console.__securenow_original) console.__securenow_original = _orig;
-  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-  function _emit(sn, st, args) {
-    try {
-      const activeCtx = context.active();
-      const spanCtx = trace.getSpanContext(activeCtx);
-      _logger.emit({
-        severityNumber: sn,
-        severityText: st,
-        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
-        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
-        ...(spanCtx && { context: activeCtx }),
-      });
-    } catch (_) {}
-  }
-  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
-  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
-  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
-  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
-  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
-  console.__securenow_patched = true;
-}
-
-// -------- Guard against OTLP exporter socket errors --------
-// The OTLP HTTP exporter uses keep-alive connections that can be reset by the
-// remote end (ECONNRESET / "socket hang up"). These transient errors sometimes
-// escape as unhandled exceptions or rejections because the underlying HTTP
-// request's error path isn't fully covered by the OTel library. We install
-// targeted process-level handlers to catch them and log at debug level instead
-// of crashing the host app.
-const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
-function _isOtlpTransientError(err) {
-  if (!err) return false;
-  if (_TRANSIENT_CODES.has(err.code)) return true;
-  if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
-  return false;
-}
-function _looksLikeOtlpStack(err) {
-  const s = err && err.stack;
-  if (!s) return false;
-  return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
-    || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
-}
-function _looksLikeConfiguredOtlpEndpoint(err) {
-  const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
-  try {
-    const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
-    return hosts.some((host) => host && text.includes(host));
-  } catch (_) {
-    return false;
-  }
-}
-function _originalConsole(method) {
-  const originals = console.__securenow_original || console.__securenowOriginalConsole;
-  return (originals && originals[method]) || console[method] || console.log;
-}
-let _lastSuppressedOtlpErrorLogAt = 0;
-function _formatOtlpError(err) {
-  if (!err) return 'unknown error';
-  const parts = [err.message || String(err)];
-  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
-  if (err.syscall) parts.push(`syscall=${err.syscall}`);
-  if (err.hostname) parts.push(`host=${err.hostname}`);
-  return parts.join(' ');
-}
-function _reportSuppressedOtlpError(kind, err, origin) {
-  const level = String(diagLevel || '').toLowerCase();
-  if (level === 'none') return;
-  const now = Date.now();
-  if (level !== 'debug' && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
-  _lastSuppressedOtlpErrorLogAt = now;
-  const method = level === 'debug' ? 'debug' : 'error';
-  _originalConsole(method).call(
-    console,
-    '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
-    kind,
-    origin || 'async',
-    _formatOtlpError(err)
-  );
-}
-
-process.on('uncaughtException', (err, origin) => {
-  if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
-    _reportSuppressedOtlpError('error', err, origin);
-    return; // swallow - do not crash
-  }
-  // Not ours — re-throw so the default handler (or the app's own handler) fires
-  throw err;
-});
-process.on('unhandledRejection', (reason) => {
-  if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
-    _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
-    return; // swallow
-  }
-  // Not ours — re-throw as unhandled so Node's default behaviour applies
-  throw reason;
-});
-
-// -------- SDK --------
-const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
-const sdk = new NodeSDK({
-  ...nodeSdkTelemetryOptions,
-  traceExporter,
-  instrumentations: [
-    httpInstrumentation,
-    ...(disabledMap['@opentelemetry/instrumentation-mongodb'] ? [] : [new MongoDBInstrumentation()]),
-    ...getNodeAutoInstrumentations({ 
-      ...disabledMap,
-      '@opentelemetry/instrumentation-http': { enabled: false },
-      '@opentelemetry/instrumentation-mongodb': { enabled: false },
-    }),
-  ],
-  resource: sharedResource,
-});
-
-// -------- start / shutdown (sync/async safe) --------
-(async () => {
-  try {
-    await Promise.resolve(sdk.start?.());
-    console.log('[securenow] OTel SDK started → %s', tracesUrl);
-    if (loggingEnabled) {
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
-    } else {
-      console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
-    }
-    if (captureBody) {
-      console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
-    }
-    if (captureMultipart) {
-      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
-    }
-    if (appConfig.boolConfig('runtime.testSpan', false)) {
-      const api = require('@opentelemetry/api');
-      const tracer = api.trace.getTracer('securenow-smoke');
-      const span = tracer.startSpan('securenow.startup.smoke'); span.end();
-    }
-
-    // Free trial banner
-    const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
-    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
-      patchHttpForBanner();
-    }
-
-    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
-    // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
-    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
-    const firewallOptions = appConfig.resolveFirewallOptions();
-    if (firewallOptions.apiKey) {
-      require('./firewall').init({
-        apiKey: firewallOptions.apiKey,
-        appKey: firewallOptions.appKey,
-        environment: firewallOptions.environment,
-        apiUrl: firewallOptions.apiUrl,
-        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
-        versionCheckInterval: firewallOptions.versionCheckInterval,
-        syncInterval: firewallOptions.syncInterval,
-        failMode: firewallOptions.failMode,
-        statusCode: firewallOptions.statusCode,
-        log: firewallOptions.log,
-        tcp: firewallOptions.tcp,
-        iptables: firewallOptions.iptables,
-        cloud: firewallOptions.cloud,
-        cloudDryRun: firewallOptions.cloudDryRun,
-        cloudflare: firewallOptions.cloudflare,
-        aws: firewallOptions.aws,
-        gcp: firewallOptions.gcp,
-      });
-    }
-  } catch (e) {
-    console.error('[securenow] OTel start failed:', e && e.stack || e);
-  }
-})();
-
-let shuttingDown = false;
-async function safeShutdown(sig) {
-  if (shuttingDown) return;
-  shuttingDown = true;
-  try { 
-    await Promise.resolve(sdk.shutdown?.()); 
-    if (loggerProvider) {
-      await Promise.resolve(loggerProvider.shutdown?.());
-    }
-    try { require('./firewall').shutdown(); } catch (_) {}
-    console.log(`[securenow] Tracing and logging terminated on ${sig}`); 
-  }
-  catch (e) { console.error('[securenow] Shutdown error:', e); }
-  finally { process.exit(0); }
-}
-process.on('SIGINT',  () => safeShutdown('SIGINT'));
-process.on('SIGTERM', () => safeShutdown('SIGTERM'));
-
-// -------- Export logger for consuming applications --------
-module.exports = {
-  loggerProvider,
-  getLogger: (name = 'default', version = '1.0.0') => {
-    if (!loggerProvider) {
-      console.warn('[securenow] Logging is disabled (config.logging.enabled=false). Enable it in .securenow/credentials.json to use getLogger().');
-      return null;
-    }
-    return loggerProvider.getLogger(name, version);
-  },
-  isLoggingEnabled: () => loggingEnabled,
-};
+'use strict';
+
+/**
+ * Preload with: node --require securenow/register app.js
+ *
+ * Works for both CJS and ESM apps. On Node >=20.6 the ESM loader hook is
+ * auto-registered via module.register() — no --import flag needed.
+ * On Node 18 with "type": "module", add the hook manually:
+ *   node --import @opentelemetry/instrumentation/hook.mjs --require securenow/register app.js
+ *
+ * Config:
+ *   Runtime config is read from .securenow/credentials.json.
+ *   Run `npx securenow login` and `npx securenow init` to create it.
+ *   Production should mount/copy tokenless runtime credentials to the same path.
+ */
+
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
+
+const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
+const { NodeSDK } = require('@opentelemetry/sdk-node');
+const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
+const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
+const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
+const otelResources = require('@opentelemetry/resources');
+const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
+const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
+const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongodb');
+const { randomUUID } = require('crypto');
+const appConfig = require('./app-config');
+
+function createResource(attributes) {
+  if (typeof otelResources.resourceFromAttributes === 'function') {
+    return otelResources.resourceFromAttributes(attributes);
+  }
+  if (typeof otelResources.Resource === 'function') {
+    return new otelResources.Resource(attributes);
+  }
+  throw new Error('Unsupported @opentelemetry/resources version');
+}
+
+// Default sensitive fields to redact from request bodies.
+// Matched substring-wise against lowercased keys (see redactSensitiveData),
+// so e.g. 'card' also catches 'creditCard' and 'account' also catches
+// 'accountNumber'. Over-redaction here is intentional: a falsely-redacted
+// telemetry value is always safer than a leaked secret. Entries are kept
+// specific enough to avoid nuking broad benign keys (e.g. we use
+// 'firstname'/'lastname'/'fullname', never bare 'name').
+const DEFAULT_SENSITIVE_FIELDS = [
+  // credentials / auth
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'authorization', 'bearer', 'credentials',
+  'mysql_pwd', 'otp', 'mfa', 'totp', 'sessionid', 'session_id',
+  'cookie', 'set-cookie',
+  // financial
+  'stripeToken', 'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'iban', 'account', 'accountnumber', 'routing', 'sortcode', 'taxid',
+  // PII
+  'ssn', 'pin', 'email', 'e_mail', 'phone', 'mobile', 'dob', 'birthdate',
+  'firstname', 'lastname', 'fullname', 'address', 'postcode', 'zip',
+  'passport', 'license',
+];
+
+// Conservative value-shape redactors. Key-name matching misses secrets that
+// land in free-form string values (GraphQL bodies, message fields, etc.), so
+// as a second layer we scrub string VALUES that *look like* a secret/PII.
+// These are intentionally precise/bounded so they don't garble normal prose,
+// and they only ever transform captured telemetry strings (read-only) — never
+// the actual request/response stream. Compiled once at module load.
+const VALUE_REDACTORS = [
+  // JWT: three base64url segments. Anchored to the eyJ header so it won't
+  // match arbitrary dotted tokens.
+  { name: 'jwt', re: /eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g },
+  // Bearer/Basic auth header value embedded in a body string.
+  { name: 'bearer', re: /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/gi },
+  // Stripe-style / SecureNow live+test API keys.
+  { name: 'apikey', re: /\b(?:sk|pk|rk|snk)_(?:live|test)_[A-Za-z0-9]{8,}/g },
+  // Email addresses (bounded local/domain parts).
+  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },
+  // Credit-card-like: 13–19 digit runs that pass a Luhn check, allowing
+  // space/dash grouping. Luhn-gated to avoid clobbering ordinary long numbers.
+  { name: 'card', re: /\b(?:\d[ -]?){13,19}\b/g, luhn: true },
+];
+
+// Skip the value-shape scan on very large strings to bound per-body cost.
+const MAX_VALUE_SCAN_LENGTH = 16384;
+
+function luhnValid(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) { d *= 2; if (d > 9) d -= 9; }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+
+/**
+ * Redact obvious secret/PII shapes inside a captured string VALUE.
+ * Returns the input unchanged when nothing matches (cheap common case).
+ */
+function redactSensitiveValue(value) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  if (value.length > MAX_VALUE_SCAN_LENGTH) return value; // bound the work
+  let out = value;
+  for (const r of VALUE_REDACTORS) {
+    r.re.lastIndex = 0;
+    if (r.luhn) {
+      out = out.replace(r.re, (m) => {
+        const digits = m.replace(/[ -]/g, '');
+        if (digits.length < 13 || digits.length > 19) return m;
+        return luhnValid(digits) ? '[REDACTED]' : m;
+      });
+    } else {
+      out = out.replace(r.re, '[REDACTED]');
+    }
+  }
+  return out;
+}
+
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    } else if (typeof redacted[key] === 'string') {
+      // Second layer: even if the key name looks benign, scrub values that
+      // *look like* a secret/PII (JWT, bearer token, API key, email, card).
+      redacted[key] = redactSensitiveValue(redacted[key]);
+    }
+  }
+
+  return redacted;
+}
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  
+  let redacted = query;
+  
+  // Redact sensitive fields in GraphQL arguments and variables
+  sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
+    const patterns = [
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        if (suffix) {
+          return `${prefix}[REDACTED]${suffix}`;
+        } else {
+          return `${prefix}[REDACTED]`;
+        }
+      });
+    });
+  });
+
+  // Second layer: scrub secret/PII *shapes* anywhere in the (free-form) query
+  // body — catches values the key-name pass above can't see.
+  redacted = redactSensitiveValue(redacted);
+
+  return redacted;
+}
+
+// -------- Multipart streaming parser --------
+// Streams through the request without buffering file content.
+// Only part headers and text-field values are kept in memory,
+// so memory stays bounded (~few KB) regardless of upload size.
+
+function extractBoundary(contentType) {
+  const match = contentType.match(/boundary=(?:"([^"]+)"|([^\s;]+))/i);
+  return match ? (match[1] || match[2]) : null;
+}
+
+function createMultipartMetaCollector(contentType, sensitiveFields, maxTextFieldSize, onComplete) {
+  const boundary = extractBoundary(contentType);
+  if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return null; }
+
+  const result = { fields: Object.create(null), files: [] };
+  let totalSize = 0;
+  let buf = Buffer.alloc(0);
+
+  const MAX_PARTS = 100;
+  let partCount = 0;
+
+  const FIRST_DELIM = Buffer.from('--' + boundary);
+  const DELIM       = Buffer.from('\r\n--' + boundary);
+  const HDR_END     = Buffer.from('\r\n\r\n');
+
+  let initialized = false;
+  let inHeaders = true;
+  let isFile = false;
+  let fldName = '';
+  let fName = '';
+  let pCT = '';
+  let bodyBytes = 0;
+  let textVal = '';
+
+  function flushPart() {
+    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
+    if (isFile) {
+      result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
+    } else {
+      const lower = fldName.toLowerCase();
+      const redact = sensitiveFields.some(f => lower.includes(f.toLowerCase()));
+      // Name-match redaction first; otherwise scrub secret/PII *shapes* in the value.
+      result.fields[fldName] = redact
+        ? '[REDACTED]'
+        : redactSensitiveValue(textVal.substring(0, maxTextFieldSize));
+    }
+    fldName = ''; bodyBytes = 0; textVal = ''; partCount++;
+  }
+
+  function drain() {
+    if (!initialized) {
+      const i = buf.indexOf(FIRST_DELIM);
+      if (i === -1) {
+        if (buf.length > FIRST_DELIM.length + 4) buf = buf.slice(buf.length - FIRST_DELIM.length - 4);
+        return;
+      }
+      buf = buf.slice(i + FIRST_DELIM.length);
+      initialized = true;
+      inHeaders = true;
+    }
+
+    let guard = 200;
+    while (buf.length > 0 && guard-- > 0 && partCount < MAX_PARTS) {
+      if (inHeaders) {
+        if (buf.length >= 2 && buf[0] === 0x2D && buf[1] === 0x2D) { buf = Buffer.alloc(0); return; }
+        if (buf.length >= 2 && buf[0] === 0x0D && buf[1] === 0x0A) { buf = buf.slice(2); continue; }
+
+        const hi = buf.indexOf(HDR_END);
+        if (hi === -1) return;
+
+        const hdr = buf.slice(0, hi).toString('latin1');
+        buf = buf.slice(hi + 4);
+
+        const nm = hdr.match(/name="([^"]+)"/);
+        const fn = hdr.match(/filename="([^"]*)"/);
+        const ct = hdr.match(/Content-Type:\s*(.+)/i);
+        fldName = nm ? nm[1] : '';
+        fName   = fn ? fn[1] : '';
+        pCT     = ct ? ct[1].trim() : '';
+        isFile  = !!fn;
+        bodyBytes = 0;
+        textVal = '';
+        inHeaders = false;
+      }
+
+      const di = buf.indexOf(DELIM);
+      if (di === -1) {
+        const safe = Math.max(0, buf.length - DELIM.length - 2);
+        if (safe > 0) {
+          bodyBytes += safe;
+          if (!isFile && textVal.length < maxTextFieldSize) {
+            textVal += buf.slice(0, safe).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+          }
+          buf = buf.slice(safe);
+        }
+        return;
+      }
+
+      bodyBytes += di;
+      if (!isFile && textVal.length < maxTextFieldSize) {
+        textVal += buf.slice(0, di).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+      }
+      flushPart();
+      buf = buf.slice(di + DELIM.length);
+      inHeaders = true;
+    }
+  }
+
+  function onData(chunk) {
+    const data = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalSize += data.length;
+    buf = Buffer.concat([buf, data]);
+    drain();
+  }
+
+  function onEnd() {
+    try {
+      if (!inHeaders && fldName) {
+        bodyBytes += buf.length;
+        if (!isFile) textVal += buf.toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+        flushPart();
+      }
+      onComplete({ parsed: result, totalSize });
+    } catch (e) {
+      onComplete({ error: 'PARSE_ERROR' });
+    }
+  }
+
+  return { onData, onEnd };
+}
+
+function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFieldSize, onComplete) {
+  const collector = createMultipartMetaCollector(contentType, sensitiveFields, maxTextFieldSize, onComplete);
+  if (!collector) return;
+  request.on('data', collector.onData);
+  request.on('end', collector.onEnd);
+}
+
+// -------- ESM detection --------
+// register.js auto-registers the hook via module.register() on Node >=20.6.
+// This warning only fires if BOTH --import AND module.register() were skipped
+// (e.g. Node 18, or require('securenow/tracing') called directly without register.js).
+(() => {
+  try {
+    const fs = require('fs');
+    const path = require('path');
+    const pkgPath = path.resolve(process.cwd(), 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      if (pkg.type === 'module') {
+        const execArgv = process.execArgv.join(' ');
+        const hasCliHook = execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle');
+        const hasModuleRegister = typeof require('node:module').register === 'function';
+        if (!hasCliHook && !hasModuleRegister) {
+          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
+          console.warn('[securenow]    Upgrade to Node >=20.6 (recommended) or add: --import @opentelemetry/instrumentation/hook.mjs');
+        }
+      }
+    }
+  } catch (_) {}
+})();
+
+// -------- diagnostics --------
+const diagLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
+(() => {
+  const level = diagLevel === 'debug' ? DiagLogLevel.DEBUG :
+                diagLevel === 'info'  ? DiagLogLevel.INFO  :
+                diagLevel === 'warn'  ? DiagLogLevel.WARN  :
+                diagLevel === 'error' ? DiagLogLevel.ERROR : DiagLogLevel.NONE;
+  diag.setLogger(new DiagConsoleLogger(), level);
+  console.log('[securenow] preload loaded pid=%d', process.pid);
+})();
+
+// -------- endpoints & app resolution --------
+// Resolution order for endpoint/appId/apiKey: .securenow/credentials.json -> package.json#name -> defaults.
+const resolvedApp = appConfig.resolveAll();
+const resolvedEndpoints = appConfig.resolveEndpoints();
+
+const endpointBase = resolvedEndpoints.endpointBase;
+const tracesUrl = resolvedEndpoints.tracesUrl;
+const logsUrl = resolvedEndpoints.logsUrl;
+
+// resolveEndpoints() also adds app routing and runtime auth headers when
+// explicit OTLP headers did not provide them.
+const headers = resolvedEndpoints.headers;
+
+// -------- naming rules --------
+const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
+const baseName = rawBase || null;
+// Auto-disables the per-worker suffix when we resolved a routing UUID from
+// credentials — the dashboard does exact-match IN on service.name, so any
+// suffix breaks routing. config.runtime.noUuid can override.
+const noUuid   = appConfig.resolveNoUuid();
+const strict   = appConfig.boolConfig('runtime.strict', false);
+const inPm2Cluster = !!(process.env.NODE_APP_INSTANCE || process.env.pm_id);
+
+// Fail fast in cluster if base is missing (no more "free" names)
+if (!baseName && inPm2Cluster && strict) {
+  console.error('[securenow] FATAL: app identity missing in cluster (pid=%d). Exiting due to config.runtime.strict=true.', process.pid);
+  // small delay so the log flushes
+  setTimeout(() => process.exit(1), 10);
+}
+
+// service.name
+let serviceName;
+if (baseName) {
+  serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
+} else {
+  // last-resort fallback (only if STRlCT is off). You can rename this to make it obvious in monitoring.
+  serviceName = `securenow-free-${randomUUID()}`;
+}
+
+// service.instance.id = <appid-or-fallback>-<uuid> (unique per worker)
+const instancePrefix   = baseName || 'securenow';
+const serviceInstanceId = `${instancePrefix}-${randomUUID()}`;
+
+// Loud line per worker to prove what was used
+console.log('[securenow] pid=%d appId=%s instance=%s apiKey=%s → service.name=%s instance.id=%s',
+  process.pid,
+  JSON.stringify(baseName),
+  JSON.stringify(endpointBase),
+  resolvedApp.appKey ? 'set' : 'none',
+  serviceName,
+  serviceInstanceId
+);
+
+// -------- instrumentations --------
+const disabledMap = {};
+for (const n of appConfig.listConfig('otel.disableInstrumentations')) {
+  disabledMap[n] = { enabled: false };
+}
+
+// -------- Body Capture Configuration --------
+// Opt-out defaults: set config.capture.body=false to disable.
+const captureBody = appConfig.boolConfig('capture.body', true);
+const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
+const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+
+const captureMultipart = appConfig.boolConfig('capture.multipart', true);
+
+const BODY_CAPTURE_PATCH = Symbol.for('securenow.bodyCapture.emitPatch');
+
+function installRequestBodyObserver(span, request, contentType) {
+  if (!request || request[BODY_CAPTURE_PATCH]) return;
+
+  const normalizedContentType = String(contentType || '').toLowerCase();
+  const isStructuredBody = captureBody && (
+    normalizedContentType.includes('application/json') ||
+    normalizedContentType.includes('application/graphql') ||
+    normalizedContentType.includes('application/x-www-form-urlencoded')
+  );
+  const isMultipartBody = normalizedContentType.includes('multipart/form-data');
+
+  if (!isStructuredBody && !isMultipartBody) return;
+
+  if (isMultipartBody && !captureMultipart) {
+    span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+    span.setAttribute('http.request.body.type', 'multipart');
+    span.setAttribute('http.request.body.note', 'Multipart capture disabled by config.capture.multipart=false');
+    return;
+  }
+
+  let chunks = [];
+  let size = 0;
+  let structuredDone = false;
+
+  const multipartCollector = isMultipartBody && captureMultipart
+    ? createMultipartMetaCollector(normalizedContentType, allSensitiveFields, 1000, ({ error, parsed, totalSize }) => {
+        try {
+          if (error === 'BOUNDARY_NOT_FOUND') {
+            span.setAttribute('http.request.body', '[MULTIPART - BOUNDARY NOT FOUND]');
+            span.setAttribute('http.request.body.type', 'multipart');
+            return;
+          }
+          if (error) {
+            span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+            span.setAttribute('http.request.body.type', 'multipart');
+            span.setAttribute('http.request.body.parse_error', true);
+            return;
+          }
+          span.setAttributes({
+            'http.request.body': JSON.stringify(parsed).substring(0, maxBodySize),
+            'http.request.body.type': 'multipart',
+            'http.request.body.size': totalSize,
+            'http.request.body.fields_count': Object.keys(parsed.fields).length,
+            'http.request.body.files_count': parsed.files.length,
+          });
+        } catch (e) {
+          span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+          span.setAttribute('http.request.body.type', 'multipart');
+          span.setAttribute('http.request.body.parse_error', true);
+        }
+      })
+    : null;
+
+  if (isMultipartBody && captureMultipart && !multipartCollector) return;
+
+  function finishStructuredCapture() {
+    if (!isStructuredBody || structuredDone) return;
+    structuredDone = true;
+
+    if (size > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
+      span.setAttribute('http.request.body.size', size);
+      chunks = [];
+      return;
+    }
+
+    if (chunks.length === 0) return;
+
+    const body = Buffer.concat(chunks).toString('utf8');
+    chunks = [];
+
+    try {
+      if (normalizedContentType.includes('application/graphql')) {
+        const redacted = redactGraphQLQuery(body, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': redacted.substring(0, maxBodySize),
+          'http.request.body.type': 'graphql',
+          'http.request.body.size': size,
+        });
+      } else if (normalizedContentType.includes('application/json')) {
+        const parsed = JSON.parse(body);
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': 'json',
+          'http.request.body.size': size,
+        });
+      } else if (normalizedContentType.includes('application/x-www-form-urlencoded')) {
+        const parsed = Object.fromEntries(new URLSearchParams(body));
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': 'form',
+          'http.request.body.size': size,
+        });
+      }
+    } catch (e) {
+      span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
+      span.setAttribute('http.request.body.parse_error', true);
+      span.setAttribute('http.request.body.size', size);
+    }
+  }
+
+  const originalEmit = request.emit;
+  request[BODY_CAPTURE_PATCH] = true;
+  request.emit = function securenowObservedEmit(event, ...args) {
+    try {
+      if (event === 'data' && args.length > 0) {
+        const chunk = Buffer.isBuffer(args[0]) ? args[0] : Buffer.from(args[0]);
+        if (isStructuredBody) {
+          size += chunk.length;
+          if (size <= maxBodySize) chunks.push(chunk);
+        }
+        if (multipartCollector) multipartCollector.onData(chunk);
+      } else if (event === 'end') {
+        finishStructuredCapture();
+        if (multipartCollector) multipartCollector.onEnd();
+      }
+    } catch (_) {
+      // Body capture must never interfere with the application request stream.
+    }
+    return originalEmit.apply(this, [event, ...args]);
+  };
+}
+
+// -------- Trusted proxy IP resolution --------
+const { resolveClientIpWithDetails } = require('./resolve-ip');
+
+// Configure HTTP instrumentation with body capture
+const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
+const httpInstrumentation = new HttpInstrumentation({
+  requestHook: (span, request) => {
+    try {
+      const ipDetails = resolveClientIpWithDetails(request);
+      if (ipDetails.ip) {
+        span.setAttribute('http.client_ip', ipDetails.ip);
+        span.setAttribute('http.client_ip.source', ipDetails.source);
+        span.setAttribute('http.socket_ip', ipDetails.socketIp || '');
+        span.setAttribute('http.proxy.trusted', String(!!ipDetails.trustedProxy));
+        if (ipDetails.forwardedFor) {
+          span.setAttribute('http.forwarded_for', ipDetails.forwardedFor);
+          span.setAttribute('http.request.header.x_forwarded_for', ipDetails.forwardedFor);
+        }
+        if (ipDetails.realIp) {
+          span.setAttribute('http.real_ip', ipDetails.realIp);
+          span.setAttribute('http.request.header.x_real_ip', ipDetails.realIp);
+        }
+        if (ipDetails.cfConnectingIp) {
+          span.setAttribute('http.cf.connecting_ip', ipDetails.cfConnectingIp);
+          span.setAttribute('http.request.header.cf_connecting_ip', ipDetails.cfConnectingIp);
+        }
+        if (ipDetails.trueClientIp) {
+          span.setAttribute('http.request.header.true_client_ip', ipDetails.trueClientIp);
+        }
+        if (ipDetails.clientIp) {
+          span.setAttribute('http.request.header.x_client_ip', ipDetails.clientIp);
+        }
+      }
+
+      if (request.headers) {
+        const SKIP_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization', 'set-cookie', 'x-api-key', 'x-auth-token']);
+        const safe = {};
+        for (const [k, v] of Object.entries(request.headers)) {
+          if (SKIP_HEADERS.has(k.toLowerCase())) { safe[k] = '[REDACTED]'; continue; }
+          safe[k] = typeof v === 'string' ? v.substring(0, 500) : String(v);
+        }
+        const serialized = JSON.stringify(safe);
+        if (serialized.length <= 8192) {
+          span.setAttribute('http.request.headers', serialized);
+        }
+      }
+
+      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+        const contentType = request.headers['content-type'] || '';
+        installRequestBodyObserver(span, request, contentType);
+      }
+    } catch (error) {
+      // Silently fail
+    }
+  },
+});
+
+// -------- Logging Configuration --------
+// Opt-out default: set config.logging.enabled=false to disable.
+const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
+
+// Create shared resource for both traces and logs
+const sharedResource = createResource({
+  [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+  [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
+  [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: appConfig.resolveDeploymentEnvironment(),
+  [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
+});
+
+// Initialize LoggerProvider if logging is enabled
+let loggerProvider = null;
+
+if (loggingEnabled) {
+  const logExporter = new OTLPLogExporter({ 
+    url: logsUrl, 
+    headers 
+  });
+  
+  const batchLogProcessor = new BatchLogRecordProcessor(logExporter);
+  loggerProvider = new LoggerProvider({
+    resource: sharedResource,
+    processors: [batchLogProcessor],
+  });
+
+  // Auto-patch console.* so every log/warn/error becomes an OTel log record
+  const _logger = loggerProvider.getLogger('console', '1.0.0');
+  const _orig = console.__securenow_original || { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
+  if (!console.__securenow_original) console.__securenow_original = _orig;
+  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+  function _emit(sn, st, args) {
+    try {
+      const activeCtx = context.active();
+      const spanCtx = trace.getSpanContext(activeCtx);
+      _logger.emit({
+        severityNumber: sn,
+        severityText: st,
+        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
+        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+        ...(spanCtx && { context: activeCtx }),
+      });
+    } catch (_) {}
+  }
+  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
+  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
+  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
+  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
+  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
+  console.__securenow_patched = true;
+}
+
+// -------- Guard against OTLP exporter socket errors --------
+// The OTLP HTTP exporter uses keep-alive connections that can be reset by the
+// remote end (ECONNRESET / "socket hang up"). These transient errors sometimes
+// escape as unhandled exceptions or rejections because the underlying HTTP
+// request's error path isn't fully covered by the OTel library. We install
+// targeted process-level handlers to catch them and log at debug level instead
+// of crashing the host app.
+const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
+function _isOtlpTransientError(err) {
+  if (!err) return false;
+  if (_TRANSIENT_CODES.has(err.code)) return true;
+  if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
+  return false;
+}
+function _looksLikeOtlpStack(err) {
+  const s = err && err.stack;
+  if (!s) return false;
+  return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
+    || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
+}
+function _looksLikeConfiguredOtlpEndpoint(err) {
+  const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+  try {
+    const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+    return hosts.some((host) => host && text.includes(host));
+  } catch (_) {
+    return false;
+  }
+}
+function _originalConsole(method) {
+  const originals = console.__securenow_original || console.__securenowOriginalConsole;
+  return (originals && originals[method]) || console[method] || console.log;
+}
+let _lastSuppressedOtlpErrorLogAt = 0;
+function _formatOtlpError(err) {
+  if (!err) return 'unknown error';
+  const parts = [err.message || String(err)];
+  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+  if (err.syscall) parts.push(`syscall=${err.syscall}`);
+  if (err.hostname) parts.push(`host=${err.hostname}`);
+  return parts.join(' ');
+}
+function _reportSuppressedOtlpError(kind, err, origin) {
+  const level = String(diagLevel || '').toLowerCase();
+  if (level === 'none') return;
+  const now = Date.now();
+  if (level !== 'debug' && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+  _lastSuppressedOtlpErrorLogAt = now;
+  const method = level === 'debug' ? 'debug' : 'error';
+  _originalConsole(method).call(
+    console,
+    '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+    kind,
+    origin || 'async',
+    _formatOtlpError(err)
+  );
+}
+
+process.on('uncaughtException', (err, origin) => {
+  if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+    _reportSuppressedOtlpError('error', err, origin);
+    return; // swallow - do not crash
+  }
+  // Not ours — re-throw so the default handler (or the app's own handler) fires
+  throw err;
+});
+process.on('unhandledRejection', (reason) => {
+  if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+    _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
+    return; // swallow
+  }
+  // Not ours — re-throw as unhandled so Node's default behaviour applies
+  throw reason;
+});
+
+// -------- SDK --------
+const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
+const sdk = new NodeSDK({
+  ...nodeSdkTelemetryOptions,
+  traceExporter,
+  instrumentations: [
+    httpInstrumentation,
+    ...(disabledMap['@opentelemetry/instrumentation-mongodb'] ? [] : [new MongoDBInstrumentation()]),
+    ...getNodeAutoInstrumentations({ 
+      ...disabledMap,
+      '@opentelemetry/instrumentation-http': { enabled: false },
+      '@opentelemetry/instrumentation-mongodb': { enabled: false },
+    }),
+  ],
+  resource: sharedResource,
+});
+
+// -------- start / shutdown (sync/async safe) --------
+(async () => {
+  try {
+    await Promise.resolve(sdk.start?.());
+    console.log('[securenow] OTel SDK started → %s', tracesUrl);
+    if (loggingEnabled) {
+      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+    } else {
+      console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
+    }
+    if (captureBody) {
+      console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
+    }
+    if (captureMultipart) {
+      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
+    }
+    if (appConfig.boolConfig('runtime.testSpan', false)) {
+      const api = require('@opentelemetry/api');
+      const tracer = api.trace.getTracer('securenow-smoke');
+      const span = tracer.startSpan('securenow.startup.smoke'); span.end();
+    }
+
+    // Free trial banner
+    const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
+    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
+      patchHttpForBanner();
+    }
+
+    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
+    // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
+    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
+    const firewallOptions = appConfig.resolveFirewallOptions();
+    if (firewallOptions.apiKey) {
+      require('./firewall').init({
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
+      });
+    }
+  } catch (e) {
+    console.error('[securenow] OTel start failed:', e && e.stack || e);
+  }
+})();
+
+let shuttingDown = false;
+async function safeShutdown(sig) {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  try { 
+    await Promise.resolve(sdk.shutdown?.()); 
+    if (loggerProvider) {
+      await Promise.resolve(loggerProvider.shutdown?.());
+    }
+    try { require('./firewall').shutdown(); } catch (_) {}
+    console.log(`[securenow] Tracing and logging terminated on ${sig}`); 
+  }
+  catch (e) { console.error('[securenow] Shutdown error:', e); }
+  finally { process.exit(0); }
+}
+process.on('SIGINT',  () => safeShutdown('SIGINT'));
+process.on('SIGTERM', () => safeShutdown('SIGTERM'));
+
+// -------- Export logger for consuming applications --------
+module.exports = {
+  loggerProvider,
+  getLogger: (name = 'default', version = '1.0.0') => {
+    if (!loggerProvider) {
+      console.warn('[securenow] Logging is disabled (config.logging.enabled=false). Enable it in .securenow/credentials.json to use getLogger().');
+      return null;
+    }
+    return loggerProvider.getLogger(name, version);
+  },
+  isLoggingEnabled: () => loggingEnabled,
+};