securenow 8.5.0 → 8.7.0

package/nuxt-server-plugin.mjs

@@ -1,426 +1,506 @@
-/**
- * SecureNow Nitro Server Plugin
- *
- * Initialises the OpenTelemetry SDK and hooks into Nitro's request lifecycle
- * to create spans, capture metadata, and forward logs.
- *
- * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
- */
-
-import * as otelResources from '@opentelemetry/resources';
-import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
-import {
-  context as otelContext,
-  trace as otelTrace,
-  SpanStatusCode,
-} from '@opentelemetry/api';
-import { createRequire } from 'node:module';
-import { randomUUID } from 'node:crypto';
-
-const nodeRequire = createRequire(import.meta.url);
-const appConfig = nodeRequire('./app-config');
-const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
-const { nodeSdkDefaultTelemetryOptions } = nodeRequire('./otel-defaults');
-const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
-
-const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
-const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
-const { HttpInstrumentation } = nodeRequire('@opentelemetry/instrumentation-http');
-
-// ── Helpers ──
-
-function createResource(attributes) {
-  if (typeof otelResources.resourceFromAttributes === 'function') {
-    return otelResources.resourceFromAttributes(attributes);
-  }
-  if (typeof otelResources.Resource === 'function') {
-    return new otelResources.Resource(attributes);
-  }
-  throw new Error('Unsupported @opentelemetry/resources version');
-}
-
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-function redactSensitiveData(obj, fields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  for (const key of Object.keys(redacted)) {
-    const lower = key.toLowerCase();
-    if (fields.some((f) => lower.includes(f.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], fields);
-    }
-  }
-  return redacted;
-}
-
-// ── Runtime config helpers ──
-
-function getRuntimeOptions() {
-  try {
-    const cfg = useRuntimeConfig();
-    return cfg.securenow || {};
-  } catch {
-    return {};
-  }
-}
-
-// ── Plugin ──
-
-export default defineNitroPlugin(async (nitroApp) => {
-  const opts = getRuntimeOptions();
-
-  // Resolution order: opts -> .securenow/credentials.json -> package.json#name
-  const resolvedApp = appConfig.resolveAll();
-
-  // ── Naming ──
-  const rawBase = (opts.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
-  const baseName = rawBase || null;
-  // Default: auto-disable per-worker suffix when logged in (appId is the
-  // routing UUID and the dashboard does exact match). opts.noUuid or
-  // config.runtime.noUuid or opts.noUuid override.
-  const noUuid = appConfig.resolveNoUuid({ noUuid: opts.noUuid });
-  const deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
-    opts.environment || resolvedApp.deploymentEnvironment
-  );
-
-  let serviceName;
-  if (baseName) {
-    serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
-  } else {
-    serviceName = `nuxt-app-${randomUUID()}`;
-    console.warn(
-      '[securenow] ⚠️  No app identity resolved. Using fallback: %s',
-      serviceName,
-    );
-    console.warn(
-      '[securenow] Run `npx securenow login` or set app.key in .securenow/credentials.json',
-    );
-  }
-
-  const serviceInstanceId = `${baseName || 'securenow'}-${randomUUID()}`;
-
-  // ── Endpoints ──
-  const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: opts.endpoint || resolvedApp.instance });
-  const endpointBase = resolvedEndpoints.endpointBase;
-  const tracesUrl = resolvedEndpoints.tracesUrl;
-  const logsUrl = resolvedEndpoints.logsUrl;
-  const headers = resolvedEndpoints.headers;
-
-  // ── Resource ──
-  const resource = createResource({
-    [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-    [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
-    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
-    [SemanticResourceAttributes.SERVICE_VERSION]:
-      process.env.npm_package_version || undefined,
-    'framework': 'nuxt',
-  });
-
-  // ── Body capture config ──
-  // Opt-out default: set config.capture.body=false (or opts.captureBody=false) to disable.
-  const captureBody =
-    opts.captureBody ??
-    appConfig.boolConfig('capture.body', true);
-  const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
-  const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
-  const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-
-  // ── HTTP instrumentation ──
-  const httpInstrumentation = new HttpInstrumentation({
-    requestHook: (span, request) => {
-      try {
-        const hdrs = request.headers || {};
-        const ipDetails = resolveClientIpWithDetails(request);
-        const clientIp = ipDetails.ip || 'unknown';
-
-        span.setAttributes({
-          'http.client_ip': clientIp,
-          'http.client_ip.source': ipDetails.source,
-          'http.socket_ip': ipDetails.socketIp || '',
-          'http.forwarded_for': ipDetails.forwardedFor || '',
-          'http.real_ip': ipDetails.realIp || '',
-          'http.proxy.trusted': String(!!ipDetails.trustedProxy),
-          'http.request.header.x_forwarded_for': ipDetails.forwardedFor || '',
-          'http.request.header.x_real_ip': ipDetails.realIp || '',
-          'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
-          'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
-          'http.request.header.x_client_ip': ipDetails.clientIp || '',
-          'http.user_agent': hdrs['user-agent'] || '',
-          'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
-          'http.scheme':
-            hdrs['x-forwarded-proto'] ||
-            (request.socket?.encrypted ? 'https' : 'http'),
-          'http.referer': hdrs['referer'] || '',
-          'http.origin': hdrs['origin'] || '',
-          'http.request_id':
-            hdrs['x-request-id'] || hdrs['x-trace-id'] || '',
-        });
-
-        if (hdrs['authorization']) {
-          span.setAttribute('http.security.auth_present', 'true');
-        }
-        if (hdrs['cookie']) {
-          span.setAttribute('http.security.cookies_present', 'true');
-        }
-
-        // Body capture via stream listener (same approach as tracing.js)
-        if (
-          captureBody &&
-          request.method &&
-          ['POST', 'PUT', 'PATCH'].includes(request.method)
-        ) {
-          const ct = hdrs['content-type'] || '';
-          if (
-            ct.includes('application/json') ||
-            ct.includes('application/graphql') ||
-            ct.includes('application/x-www-form-urlencoded')
-          ) {
-            const chunks = [];
-            let size = 0;
-            request.on('data', (chunk) => {
-              size += chunk.length;
-              if (size <= maxBodySize) chunks.push(chunk);
-            });
-            request.on('end', () => {
-              if (size > maxBodySize) {
-                span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
-                return;
-              }
-              if (chunks.length === 0) return;
-              const raw = Buffer.concat(chunks).toString('utf8');
-              try {
-                const parsed = JSON.parse(raw);
-                const redacted = redactSensitiveData(parsed, allSensitiveFields);
-                span.setAttributes({
-                  'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-                  'http.request.body.type': ct.includes('graphql') ? 'graphql' : 'json',
-                  'http.request.body.size': size,
-                });
-              } catch {
-                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
-                span.setAttribute('http.request.body.parse_error', true);
-              }
-            });
-          }
-        }
-      } catch {
-        // never break the request
-      }
-    },
-  });
-
-  // ── Trace exporter + SDK ──
-  const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
-
-  const sdk = new NodeSDK({
-    ...nodeSdkTelemetryOptions,
-    traceExporter,
-    resource,
-    instrumentations: [httpInstrumentation],
-  });
-
-  sdk.start();
-  console.log('[securenow] 🚀 Nuxt OTel SDK started → %s', tracesUrl);
-  console.log(
-    '[securenow] service.name=%s instance.id=%s',
-    serviceName,
-    serviceInstanceId,
-  );
-
-  // ── Logging ──
-  // Opt-out default: set config.logging.enabled=false (or opts.logging=false) to disable.
-  const loggingEnabled =
-    opts.logging ??
-    appConfig.boolConfig('logging.enabled', true);
-
-  let loggerProvider = null;
-
-  if (loggingEnabled) {
-    try {
-      const { OTLPLogExporter } = await import(
-        '@opentelemetry/exporter-logs-otlp-http'
-      );
-      const { LoggerProvider, BatchLogRecordProcessor } = await import(
-        '@opentelemetry/sdk-logs'
-      );
-
-      const logExporter = new OTLPLogExporter({ url: logsUrl, headers });
-      loggerProvider = new LoggerProvider({
-        resource,
-        processors: [new BatchLogRecordProcessor(logExporter)],
-      });
-
-      const logger = loggerProvider.getLogger('console', '1.0.0');
-      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-      const orig = {
-        log: console.log,
-        info: console.info,
-        warn: console.warn,
-        error: console.error,
-        debug: console.debug,
-      };
-
-      function emitLog(sn, st, args) {
-        try {
-          const ctx = otelContext.active();
-          const spanCtx = otelTrace.getSpanContext(ctx);
-          logger.emit({
-            severityNumber: sn,
-            severityText: st,
-            body: args
-              .map((a) =>
-                typeof a === 'object' && a !== null ? JSON.stringify(a) : String(a),
-              )
-              .join(' '),
-            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
-            ...(spanCtx && { context: ctx }),
-          });
-        } catch {
-          // swallow
-        }
-      }
-
-      console.log = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.log.apply(console, a); };
-      console.info = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.info.apply(console, a); };
-      console.warn = (...a) => { emitLog(SEV.WARN, 'WARN', a); orig.warn.apply(console, a); };
-      console.error = (...a) => { emitLog(SEV.ERROR, 'ERROR', a); orig.error.apply(console, a); };
-      console.debug = (...a) => { emitLog(SEV.DEBUG, 'DEBUG', a); orig.debug.apply(console, a); };
-
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
-    } catch (e) {
-      console.warn('[securenow] ⚠️  Logging setup failed:', e.message);
-    }
-  } else {
-    console.log(
-      '[securenow] Logging: DISABLED (config.logging.enabled=false)',
-    );
-  }
-
-  if (captureBody) {
-    console.log(
-      '[securenow] 📝 Body capture: ENABLED (max %d bytes, redacting %d fields)',
-      maxBodySize,
-      allSensitiveFields.length,
-    );
-  }
-
-  // ── Free trial banner ──
-  try {
-    const { isFreeTrial, patchHttpForBanner } = await import('./free-trial-banner.js');
-    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
-      patchHttpForBanner();
-    }
-  } catch {
-    // not critical
-  }
-
-  // ── Firewall — runs independently from OTel ──
-  const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey) {
-    try {
-      const { init: fwInit } = await import('./firewall.js');
-      fwInit({
-        apiKey: firewallOptions.apiKey,
-        appKey: firewallOptions.appKey,
-        environment: deploymentEnvironment || firewallOptions.environment,
-        apiUrl: firewallOptions.apiUrl,
-        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
-        versionCheckInterval: firewallOptions.versionCheckInterval,
-        syncInterval: firewallOptions.syncInterval,
-        failMode: firewallOptions.failMode,
-        statusCode: firewallOptions.statusCode,
-        log: firewallOptions.log,
-        tcp: firewallOptions.tcp,
-        iptables: firewallOptions.iptables,
-        cloud: firewallOptions.cloud,
-        cloudDryRun: firewallOptions.cloudDryRun,
-        cloudflare: firewallOptions.cloudflare,
-        aws: firewallOptions.aws,
-        gcp: firewallOptions.gcp,
-      });
-    } catch (e) {
-      console.warn('[securenow] Firewall init failed:', e.message);
-    }
-  }
-
-  // ── Graceful shutdown ──
-  const shutdown = async (sig) => {
-    try {
-      await sdk.shutdown?.();
-      if (loggerProvider) await loggerProvider.shutdown?.();
-      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
-      console.log(`[securenow] Shut down on ${sig}`);
-    } catch {
-      // swallow
-    }
-  };
-  process.on('SIGINT', () => shutdown('SIGINT'));
-  process.on('SIGTERM', () => shutdown('SIGTERM'));
-
-  // ── Nitro request hooks for span enrichment ──
-  const tracer = otelTrace.getTracer('securenow-nuxt', '1.0.0');
-  const spanMap = new WeakMap();
-
-  nitroApp.hooks.hook('request', (event) => {
-    try {
-      const req = event.node.req;
-      const method = event.method || req.method || 'GET';
-      const path = event.path || req.url || '/';
-
-      const span = tracer.startSpan(`${method} ${path}`, {
-        attributes: {
-          'http.method': method,
-          'http.target': path,
-          'http.url': `${req.headers?.['x-forwarded-proto'] || 'http'}://${req.headers?.host || 'localhost'}${path}`,
-          'component': 'nuxt-nitro',
-        },
-      });
-
-      spanMap.set(event, span);
-    } catch {
-      // never break the request
-    }
-  });
-
-  nitroApp.hooks.hook('afterResponse', (event) => {
-    try {
-      const span = spanMap.get(event);
-      if (!span) return;
-
-      const status = event.node.res.statusCode || 200;
-      span.setAttribute('http.status_code', status);
-
-      if (status >= 500) {
-        span.setStatus({ code: SpanStatusCode.ERROR, message: `HTTP ${status}` });
-      }
-
-      span.end();
-      spanMap.delete(event);
-    } catch {
-      // swallow
-    }
-  });
-
-  nitroApp.hooks.hook('error', (error, { event }) => {
-    try {
-      const span = event ? spanMap.get(event) : null;
-      if (span) {
-        span.recordException(error);
-        span.setStatus({
-          code: SpanStatusCode.ERROR,
-          message: error.message || 'Internal Server Error',
-        });
-        span.end();
-        spanMap.delete(event);
-      }
-    } catch {
-      // swallow
-    }
-  });
-});
+/**
+ * SecureNow Nitro Server Plugin
+ *
+ * Initialises the OpenTelemetry SDK and hooks into Nitro's request lifecycle
+ * to create spans, capture metadata, and forward logs.
+ *
+ * This file is registered by the Nuxt module (nuxt.mjs) via addServerPlugin.
+ */
+
+import * as otelResources from '@opentelemetry/resources';
+import { SemanticResourceAttributes } from '@opentelemetry/semantic-conventions';
+import {
+  context as otelContext,
+  trace as otelTrace,
+  SpanStatusCode,
+} from '@opentelemetry/api';
+import { createRequire } from 'node:module';
+import { randomUUID } from 'node:crypto';
+
+const nodeRequire = createRequire(import.meta.url);
+const appConfig = nodeRequire('./app-config');
+const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
+const { nodeSdkDefaultTelemetryOptions } = nodeRequire('./otel-defaults');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
+
+const { NodeSDK } = nodeRequire('@opentelemetry/sdk-node');
+const { OTLPTraceExporter } = nodeRequire('@opentelemetry/exporter-trace-otlp-http');
+const { HttpInstrumentation } = nodeRequire('@opentelemetry/instrumentation-http');
+
+// ── Helpers ──
+
+function createResource(attributes) {
+  if (typeof otelResources.resourceFromAttributes === 'function') {
+    return otelResources.resourceFromAttributes(attributes);
+  }
+  if (typeof otelResources.Resource === 'function') {
+    return new otelResources.Resource(attributes);
+  }
+  throw new Error('Unsupported @opentelemetry/resources version');
+}
+
+// Default sensitive fields to redact from request bodies.
+// Matched substring-wise against lowercased keys (see redactSensitiveData),
+// so e.g. 'card' also catches 'creditCard' and 'account' also catches
+// 'accountNumber'. Over-redaction here is intentional: a falsely-redacted
+// telemetry value is always safer than a leaked secret. Entries are kept
+// specific enough to avoid nuking broad benign keys (e.g. we use
+// 'firstname'/'lastname'/'fullname', never bare 'name').
+const DEFAULT_SENSITIVE_FIELDS = [
+  // credentials / auth
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'authorization', 'bearer', 'credentials',
+  'mysql_pwd', 'otp', 'mfa', 'totp', 'sessionid', 'session_id',
+  'cookie', 'set-cookie',
+  // financial
+  'stripeToken', 'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'iban', 'account', 'accountnumber', 'routing', 'sortcode', 'taxid',
+  // PII
+  'ssn', 'pin', 'email', 'e_mail', 'phone', 'mobile', 'dob', 'birthdate',
+  'firstname', 'lastname', 'fullname', 'address', 'postcode', 'zip',
+  'passport', 'license',
+];
+
+// Conservative value-shape redactors. Key-name matching misses secrets that
+// land in free-form string values (GraphQL bodies, message fields, etc.), so
+// as a second layer we scrub string VALUES that *look like* a secret/PII.
+// These are intentionally precise/bounded so they don't garble normal prose,
+// and they only ever transform captured telemetry strings (read-only) — never
+// the actual request/response stream. Compiled once at module load.
+const VALUE_REDACTORS = [
+  // JWT: three base64url segments. Anchored to the eyJ header so it won't
+  // match arbitrary dotted tokens.
+  { name: 'jwt', re: /eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g },
+  // Bearer/Basic auth header value embedded in a body string.
+  { name: 'bearer', re: /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/gi },
+  // Stripe-style / SecureNow live+test API keys.
+  { name: 'apikey', re: /\b(?:sk|pk|rk|snk)_(?:live|test)_[A-Za-z0-9]{8,}/g },
+  // Email addresses (bounded local/domain parts).
+  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },
+  // Credit-card-like: 13–19 digit runs that pass a Luhn check, allowing
+  // space/dash grouping. Luhn-gated to avoid clobbering ordinary long numbers.
+  { name: 'card', re: /\b(?:\d[ -]?){13,19}\b/g, luhn: true },
+];
+
+// Skip the value-shape scan on very large strings to bound per-body cost.
+const MAX_VALUE_SCAN_LENGTH = 16384;
+
+function luhnValid(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) { d *= 2; if (d > 9) d -= 9; }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+
+/**
+ * Redact obvious secret/PII shapes inside a captured string VALUE.
+ * Returns the input unchanged when nothing matches (cheap common case).
+ */
+function redactSensitiveValue(value) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  if (value.length > MAX_VALUE_SCAN_LENGTH) return value; // bound the work
+  let out = value;
+  for (const r of VALUE_REDACTORS) {
+    r.re.lastIndex = 0;
+    if (r.luhn) {
+      out = out.replace(r.re, (m) => {
+        const digits = m.replace(/[ -]/g, '');
+        if (digits.length < 13 || digits.length > 19) return m;
+        return luhnValid(digits) ? '[REDACTED]' : m;
+      });
+    } else {
+      out = out.replace(r.re, '[REDACTED]');
+    }
+  }
+  return out;
+}
+
+function redactSensitiveData(obj, fields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  for (const key of Object.keys(redacted)) {
+    const lower = key.toLowerCase();
+    if (fields.some((f) => lower.includes(f.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], fields);
+    } else if (typeof redacted[key] === 'string') {
+      // Second layer: even if the key name looks benign, scrub values that
+      // *look like* a secret/PII (JWT, bearer token, API key, email, card).
+      redacted[key] = redactSensitiveValue(redacted[key]);
+    }
+  }
+  return redacted;
+}
+
+// ── Runtime config helpers ──
+
+function getRuntimeOptions() {
+  try {
+    const cfg = useRuntimeConfig();
+    return cfg.securenow || {};
+  } catch {
+    return {};
+  }
+}
+
+// ── Plugin ──
+
+export default defineNitroPlugin(async (nitroApp) => {
+  const opts = getRuntimeOptions();
+
+  // Resolution order: opts -> .securenow/credentials.json -> package.json#name
+  const resolvedApp = appConfig.resolveAll();
+
+  // ── Naming ──
+  const rawBase = (opts.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
+  const baseName = rawBase || null;
+  // Default: auto-disable per-worker suffix when logged in (appId is the
+  // routing UUID and the dashboard does exact match). opts.noUuid or
+  // config.runtime.noUuid or opts.noUuid override.
+  const noUuid = appConfig.resolveNoUuid({ noUuid: opts.noUuid });
+  const deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
+    opts.environment || resolvedApp.deploymentEnvironment
+  );
+
+  let serviceName;
+  if (baseName) {
+    serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
+  } else {
+    serviceName = `nuxt-app-${randomUUID()}`;
+    console.warn(
+      '[securenow] ⚠️  No app identity resolved. Using fallback: %s',
+      serviceName,
+    );
+    console.warn(
+      '[securenow] Run `npx securenow login` or set app.key in .securenow/credentials.json',
+    );
+  }
+
+  const serviceInstanceId = `${baseName || 'securenow'}-${randomUUID()}`;
+
+  // ── Endpoints ──
+  const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: opts.endpoint || resolvedApp.instance });
+  const endpointBase = resolvedEndpoints.endpointBase;
+  const tracesUrl = resolvedEndpoints.tracesUrl;
+  const logsUrl = resolvedEndpoints.logsUrl;
+  const headers = resolvedEndpoints.headers;
+
+  // ── Resource ──
+  const resource = createResource({
+    [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+    [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: serviceInstanceId,
+    [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
+    [SemanticResourceAttributes.SERVICE_VERSION]:
+      process.env.npm_package_version || undefined,
+    'framework': 'nuxt',
+  });
+
+  // ── Body capture config ──
+  // Opt-out default: set config.capture.body=false (or opts.captureBody=false) to disable.
+  const captureBody =
+    opts.captureBody ??
+    appConfig.boolConfig('capture.body', true);
+  const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+  const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
+  const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+
+  // ── HTTP instrumentation ──
+  const httpInstrumentation = new HttpInstrumentation({
+    requestHook: (span, request) => {
+      try {
+        const hdrs = request.headers || {};
+        const ipDetails = resolveClientIpWithDetails(request);
+        const clientIp = ipDetails.ip || 'unknown';
+
+        span.setAttributes({
+          'http.client_ip': clientIp,
+          'http.client_ip.source': ipDetails.source,
+          'http.socket_ip': ipDetails.socketIp || '',
+          'http.forwarded_for': ipDetails.forwardedFor || '',
+          'http.real_ip': ipDetails.realIp || '',
+          'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+          'http.request.header.x_forwarded_for': ipDetails.forwardedFor || '',
+          'http.request.header.x_real_ip': ipDetails.realIp || '',
+          'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+          'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+          'http.request.header.x_client_ip': ipDetails.clientIp || '',
+          'http.user_agent': hdrs['user-agent'] || '',
+          'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
+          'http.scheme':
+            hdrs['x-forwarded-proto'] ||
+            (request.socket?.encrypted ? 'https' : 'http'),
+          'http.referer': hdrs['referer'] || '',
+          'http.origin': hdrs['origin'] || '',
+          'http.request_id':
+            hdrs['x-request-id'] || hdrs['x-trace-id'] || '',
+        });
+
+        if (hdrs['authorization']) {
+          span.setAttribute('http.security.auth_present', 'true');
+        }
+        if (hdrs['cookie']) {
+          span.setAttribute('http.security.cookies_present', 'true');
+        }
+
+        // Body capture via stream listener (same approach as tracing.js)
+        if (
+          captureBody &&
+          request.method &&
+          ['POST', 'PUT', 'PATCH'].includes(request.method)
+        ) {
+          const ct = hdrs['content-type'] || '';
+          if (
+            ct.includes('application/json') ||
+            ct.includes('application/graphql') ||
+            ct.includes('application/x-www-form-urlencoded')
+          ) {
+            const chunks = [];
+            let size = 0;
+            request.on('data', (chunk) => {
+              size += chunk.length;
+              if (size <= maxBodySize) chunks.push(chunk);
+            });
+            request.on('end', () => {
+              if (size > maxBodySize) {
+                span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
+                return;
+              }
+              if (chunks.length === 0) return;
+              const raw = Buffer.concat(chunks).toString('utf8');
+              try {
+                const parsed = JSON.parse(raw);
+                const redacted = redactSensitiveData(parsed, allSensitiveFields);
+                span.setAttributes({
+                  'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+                  'http.request.body.type': ct.includes('graphql') ? 'graphql' : 'json',
+                  'http.request.body.size': size,
+                });
+              } catch {
+                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
+                span.setAttribute('http.request.body.parse_error', true);
+              }
+            });
+          }
+        }
+      } catch {
+        // never break the request
+      }
+    },
+  });
+
+  // ── Trace exporter + SDK ──
+  const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
+
+  const sdk = new NodeSDK({
+    ...nodeSdkTelemetryOptions,
+    traceExporter,
+    resource,
+    instrumentations: [httpInstrumentation],
+  });
+
+  sdk.start();
+  console.log('[securenow] 🚀 Nuxt OTel SDK started → %s', tracesUrl);
+  console.log(
+    '[securenow] service.name=%s instance.id=%s',
+    serviceName,
+    serviceInstanceId,
+  );
+
+  // ── Logging ──
+  // Opt-out default: set config.logging.enabled=false (or opts.logging=false) to disable.
+  const loggingEnabled =
+    opts.logging ??
+    appConfig.boolConfig('logging.enabled', true);
+
+  let loggerProvider = null;
+
+  if (loggingEnabled) {
+    try {
+      const { OTLPLogExporter } = await import(
+        '@opentelemetry/exporter-logs-otlp-http'
+      );
+      const { LoggerProvider, BatchLogRecordProcessor } = await import(
+        '@opentelemetry/sdk-logs'
+      );
+
+      const logExporter = new OTLPLogExporter({ url: logsUrl, headers });
+      loggerProvider = new LoggerProvider({
+        resource,
+        processors: [new BatchLogRecordProcessor(logExporter)],
+      });
+
+      const logger = loggerProvider.getLogger('console', '1.0.0');
+      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+      const orig = {
+        log: console.log,
+        info: console.info,
+        warn: console.warn,
+        error: console.error,
+        debug: console.debug,
+      };
+
+      function emitLog(sn, st, args) {
+        try {
+          const ctx = otelContext.active();
+          const spanCtx = otelTrace.getSpanContext(ctx);
+          logger.emit({
+            severityNumber: sn,
+            severityText: st,
+            body: args
+              .map((a) =>
+                typeof a === 'object' && a !== null ? JSON.stringify(a) : String(a),
+              )
+              .join(' '),
+            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+            ...(spanCtx && { context: ctx }),
+          });
+        } catch {
+          // swallow
+        }
+      }
+
+      console.log = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.log.apply(console, a); };
+      console.info = (...a) => { emitLog(SEV.INFO, 'INFO', a); orig.info.apply(console, a); };
+      console.warn = (...a) => { emitLog(SEV.WARN, 'WARN', a); orig.warn.apply(console, a); };
+      console.error = (...a) => { emitLog(SEV.ERROR, 'ERROR', a); orig.error.apply(console, a); };
+      console.debug = (...a) => { emitLog(SEV.DEBUG, 'DEBUG', a); orig.debug.apply(console, a); };
+
+      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+    } catch (e) {
+      console.warn('[securenow] ⚠️  Logging setup failed:', e.message);
+    }
+  } else {
+    console.log(
+      '[securenow] Logging: DISABLED (config.logging.enabled=false)',
+    );
+  }
+
+  if (captureBody) {
+    console.log(
+      '[securenow] 📝 Body capture: ENABLED (max %d bytes, redacting %d fields)',
+      maxBodySize,
+      allSensitiveFields.length,
+    );
+  }
+
+  // ── Free trial banner ──
+  try {
+    const { isFreeTrial, patchHttpForBanner } = await import('./free-trial-banner.js');
+    if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
+      patchHttpForBanner();
+    }
+  } catch {
+    // not critical
+  }
+
+  // ── Firewall — runs independently from OTel ──
+  const firewallOptions = appConfig.resolveFirewallOptions();
+  if (firewallOptions.apiKey) {
+    try {
+      const { init: fwInit } = await import('./firewall.js');
+      fwInit({
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: deploymentEnvironment || firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+
+  // ── Graceful shutdown ──
+  const shutdown = async (sig) => {
+    try {
+      await sdk.shutdown?.();
+      if (loggerProvider) await loggerProvider.shutdown?.();
+      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
+      console.log(`[securenow] Shut down on ${sig}`);
+    } catch {
+      // swallow
+    }
+  };
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
+
+  // ── Nitro request hooks for span enrichment ──
+  const tracer = otelTrace.getTracer('securenow-nuxt', '1.0.0');
+  const spanMap = new WeakMap();
+
+  nitroApp.hooks.hook('request', (event) => {
+    try {
+      const req = event.node.req;
+      const method = event.method || req.method || 'GET';
+      const path = event.path || req.url || '/';
+
+      const span = tracer.startSpan(`${method} ${path}`, {
+        attributes: {
+          'http.method': method,
+          'http.target': path,
+          'http.url': `${req.headers?.['x-forwarded-proto'] || 'http'}://${req.headers?.host || 'localhost'}${path}`,
+          'component': 'nuxt-nitro',
+        },
+      });
+
+      spanMap.set(event, span);
+    } catch {
+      // never break the request
+    }
+  });
+
+  nitroApp.hooks.hook('afterResponse', (event) => {
+    try {
+      const span = spanMap.get(event);
+      if (!span) return;
+
+      const status = event.node.res.statusCode || 200;
+      span.setAttribute('http.status_code', status);
+
+      if (status >= 500) {
+        span.setStatus({ code: SpanStatusCode.ERROR, message: `HTTP ${status}` });
+      }
+
+      span.end();
+      spanMap.delete(event);
+    } catch {
+      // swallow
+    }
+  });
+
+  nitroApp.hooks.hook('error', (error, { event }) => {
+    try {
+      const span = event ? spanMap.get(event) : null;
+      if (span) {
+        span.recordException(error);
+        span.setStatus({
+          code: SpanStatusCode.ERROR,
+          message: error.message || 'Internal Server Error',
+        });
+        span.end();
+        spanMap.delete(event);
+      }
+    } catch {
+      // swallow
+    }
+  });
+});