securenow 8.6.0 → 8.7.0

package/cli/security.js

@@ -63,17 +63,68 @@ async function alertRulesRoute(args, flags) {
   if (sub === 'exclusions') {
     return alertRuleExclusions(args.slice(1), flags);
   }
+  if (sub === 'promote') {
+    return alertRuleSetMode(args.slice(1), flags, 'prod');
+  }
+  if (sub === 'demote') {
+    return alertRuleSetMode(args.slice(1), flags, 'test');
+  }
   if (sub === 'list') {
     return alertRulesList(args.slice(1), flags);
   }
   return alertRulesList(args, flags);
 }
 
+// Promote (test -> prod) or demote (prod -> test) one or more rules. In test mode a
+// rule detects only — instant.block, automations, and the autonomous operator all
+// skip its notifications. Promoting to prod makes those mitigations eligible.
+async function alertRuleSetMode(args, flags, mode) {
+  requireAuth();
+  const ids = args.filter(Boolean);
+  const verb = mode === 'prod' ? 'promote' : 'demote';
+  if (ids.length === 0) {
+    ui.error(`Usage: securenow alerts rules ${verb} <rule-id> [<rule-id> ...] [--yes]`);
+    process.exit(1);
+  }
+  if (mode === 'prod' && !flags.yes && !flags.force) {
+    ui.warn('Promoting to prod ARMS automatic mitigation (instant.block, automations, autonomous operator) for matching detections.');
+    const ok = await ui.confirm(`Promote ${ids.length} rule${ids.length !== 1 ? 's' : ''} to prod (mitigations become eligible)?`);
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  let okCount = 0;
+  const failures = [];
+  for (const id of ids) {
+    const s = ui.spinner(`${mode === 'prod' ? 'Promoting' : 'Demoting'} ${id}`);
+    try {
+      await api.put(`/alert-rules/${id}`, { mode });
+      s.stop(`${ui.truncate(id, 12)} → ${mode}`);
+      okCount++;
+    } catch (err) {
+      s.fail(`Failed on ${ui.truncate(id, 12)}: ${err.message}`);
+      failures.push(id);
+    }
+  }
+  if (flags.json) { ui.json({ mode, updated: okCount, failed: failures }); return; }
+  console.log('');
+  ui.success(`${okCount}/${ids.length} rule${ids.length !== 1 ? 's' : ''} set to ${mode}.`);
+  if (mode === 'prod') ui.info('Enable the matching automations to let mitigations act. Reverse anytime: securenow alerts rules demote <id>');
+  else ui.info('Detect-only — no mitigation will act. Promote when confident: securenow alerts rules promote <id>');
+}
+
 async function alertRulesList(args, flags) {
   requireAuth();
+  // Server-side filters (API supports ?mode/status/active/isSystem).
+  const query = {};
+  if (flags.mode === 'test' || flags.mode === 'prod') query.mode = flags.mode;
+  if (['Active', 'Disabled', 'Paused'].includes(flags.status)) query.status = flags.status;
+  if (flags.active === true || flags.active === 'true') query.active = 'true';
+  else if (flags.active === false || flags.active === 'false') query.active = 'false';
+  if (flags.system === true || flags.system === 'true') query.isSystem = 'true';
+  else if (flags.user === true || flags.user === 'true') query.isSystem = 'false';
+
   const s = ui.spinner('Fetching alert rules');
   try {
-    const data = await api.get('/alert-rules');
+    const data = await api.get('/alert-rules', Object.keys(query).length ? { query } : undefined);
     const rules = data.alertRules || [];
     s.stop(`Found ${rules.length} rule${rules.length !== 1 ? 's' : ''}`);
 
@@ -81,15 +132,17 @@ async function alertRulesList(args, flags) {
 
     console.log('');
     const rows = rules.map((r) => [
-      ui.c.dim(ui.truncate(r._id, 12)),
+      ui.c.dim(ui.truncate(r._id || r.id, 12)),
       r.name || '—',
       ruleStatusBadge(r),
+      r.mode === 'test' ? ui.c.yellow('test') : ui.c.dim('prod'),
       formatRuleApplicationsCell(r),
       r.schedule?.enabled === false ? ui.c.dim('off') : (r.schedule?.description || r.schedule?.cronExpression || '—'),
     ]);
-    ui.table(['ID', 'Name', 'Status', 'Applications', 'Schedule'], rows);
+    ui.table(['ID', 'Name', 'Status', 'Mode', 'Applications', 'Schedule'], rows);
     console.log('');
-    console.log(ui.c.dim('  Applications: "all apps" = all current & future active apps.  show <id>  ·  update <id> --applications-all  ·  --apps k1,k2'));
+    console.log(ui.c.dim('  Filters: --mode test|prod  --status Active|Disabled|Paused  --active true|false  --system|--user'));
+    console.log(ui.c.dim('  Mode: test = detect-only (no mitigation, human review).  Promote: securenow alerts rules promote <id>'));
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch alert rules');
@@ -236,6 +289,7 @@ async function alertRuleShow(args, flags) {
     ui.keyValue([
       ['ID', r._id || r.id || id],
       ['Status', r.status || '—'],
+      ['Mode', r.mode === 'test' ? ui.c.yellow('test (detect-only, no mitigation)') : (r.mode || 'prod')],
       ['System rule', r.isSystem ? 'yes' : 'no'],
       ['Applications', appLine],
       ['Schedule', r.schedule?.enabled === false ? 'disabled' : (r.schedule?.description || r.schedule?.cronExpression || '—')],
@@ -258,7 +312,7 @@ async function alertRuleUpdate(args, flags) {
   }
   const id = args[0];
   if (!id) {
-    ui.error('Usage: securenow alerts rules update <rule-id> (--applications-all | --apps <k1,k2>)');
+    ui.error('Usage: securenow alerts rules update <rule-id> [--applications-all | --apps <k1,k2>] [--status Active|Disabled|Paused | --enable | --disable | --pause] [--mode test|prod]');
     process.exit(1);
   }
 
@@ -297,8 +351,25 @@ async function alertRuleUpdate(args, flags) {
       ui.error('No application keys parsed from --apps');
       process.exit(1);
     }
-  } else {
-    ui.error('Nothing to update. Use --applications-all or --apps key1,key2');
+  }
+
+  // Status: --status X, or convenience --enable / --disable / --pause.
+  let status = null;
+  if (flags.enable === true || flags.enable === 'true') status = 'Active';
+  else if (flags.disable === true || flags.disable === 'true') status = 'Disabled';
+  else if (flags.pause === true || flags.pause === 'true') status = 'Paused';
+  else if (flags.status) {
+    const match = ['Active', 'Disabled', 'Paused'].find((x) => x.toLowerCase() === String(flags.status).toLowerCase());
+    if (!match) { ui.error('--status must be Active, Disabled, or Paused'); process.exit(1); }
+    status = match;
+  }
+  if (status) body.status = status;
+
+  // Lifecycle mode promote/demote (also available as: alerts rules promote|demote <id>).
+  if (flags.mode === 'test' || flags.mode === 'prod') body.mode = flags.mode;
+
+  if (Object.keys(body).length === 0) {
+    ui.error('Nothing to update. Use --applications-all/--apps, --status (or --enable/--disable/--pause), or --mode test|prod (or: alerts rules promote/demote <id>).');
     process.exit(1);
   }
 
@@ -306,7 +377,8 @@ async function alertRuleUpdate(args, flags) {
   try {
     await api.put(`/alert-rules/${id}`, body);
     s.stop('Updated');
-    ui.success('Alert rule updated');
+    const extras = [body.status && `status → ${body.status}`, body.mode && `mode → ${body.mode}`].filter(Boolean);
+    ui.success('Alert rule updated' + (extras.length ? ` (${extras.join(', ')})` : ''));
   } catch (err) {
     s.fail('Failed to update alert rule');
     throw err;

package/cli.js

@@ -255,8 +255,8 @@ const COMMANDS = {
     usage: 'securenow alerts <subcommand> [options]',
     sub: {
       rules: {
-        desc: 'Create, list, show, update, set-sql, validate, delete, test, or tune alert rules',
-        usage: 'securenow alerts rules <list|create|show|update|set-sql|validate|delete|test|dry-run-query|tune-query|exclusions> [options]',
+        desc: 'Create, list, show, update, promote/demote, set-sql, validate, delete, test, or tune alert rules',
+        usage: 'securenow alerts rules <list|create|show|update|promote|demote|set-sql|validate|delete|test|dry-run-query|tune-query|exclusions> [options]',
         flags: {
           json: 'Output as JSON',
           name: 'With create: rule name',
@@ -275,7 +275,14 @@ const COMMANDS = {
           'no-applications-all': 'With update: scope to explicit --apps list',
           apps: 'Comma-separated app keys (with create/update)',
           app: 'Application key for rule tests',
-          mode: 'Rule test mode: dry_run or live',
+          mode: 'With test: dry_run | live.  With list/update: lifecycle test | prod (test = detect-only, no mitigation)',
+          status: 'With update: Active | Disabled | Paused.  With list: filter by status',
+          enable: 'With update: shortcut for --status Active',
+          disable: 'With update: shortcut for --status Disabled',
+          pause: 'With update: shortcut for --status Paused',
+          active: 'With list: filter active (true) or non-active (false)',
+          system: 'With list: only system rules',
+          user: 'With list: only user (non-system) rules',
           wait: 'Wait for rule test completion',
           sql: 'Detection/candidate/replacement SQL, @file, or - for stdin (create, set-sql, update, validate, dry-run-query, tune-query)',
           query: 'Alias for --sql',

package/nextjs-auto-capture.js

@@ -1,195 +1,274 @@
-/**
- * SecureNow Next.js Automatic Body Capture
- * 
- * This module automatically patches Next.js request handling to capture bodies
- * WITHOUT requiring customers to wrap their handlers or change their code.
- * 
- * Usage in instrumentation.ts:
- * 
- * import { registerSecureNow } from 'securenow/nextjs';
- * import 'securenow/nextjs-auto-capture'; // Just import this line!
- * 
- * export function register() {
- *   registerSecureNow();
- * }
- * 
- * That's it! Bodies are now captured automatically.
- */
-
-const { trace } = require('@opentelemetry/api');
-const appConfig = require('./app-config');
-
-// Default sensitive fields to redact
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key of Object.keys(redacted)) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Safe body capture that doesn't interfere with Next.js
- */
-async function safeBodyCapture(request, span) {
-  if (!span) return;
-  
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
-    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    
-    // Only for supported types
-    if (!contentType.includes('application/json') && 
-        !contentType.includes('application/graphql') &&
-        !contentType.includes('application/x-www-form-urlencoded')) {
-      return;
-    }
-    
-    // Try to read from cache if available (Next.js may have already read it)
-    let bodyText;
-    
-    // Attempt 1: Check if body was already cached by Next.js
-    if (request._bodyText) {
-      bodyText = request._bodyText;
-    } else {
-      // Attempt 2: Try to clone and read
-      try {
-        const cloned = request.clone();
-        bodyText = await cloned.text();
-        // Cache it for Next.js
-        request._bodyText = bodyText;
-      } catch (e) {
-        // If clone fails, body was already consumed - skip silently
-        return;
-      }
-    }
-    
-    if (bodyText.length > maxBodySize) {
-      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
-      return;
-    }
-    
-    // Parse and redact
-    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
-      try {
-        const parsed = JSON.parse(bodyText);
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        // Parse error - skip
-      }
-    } else if (contentType.includes('application/x-www-form-urlencoded')) {
-      try {
-        const params = new URLSearchParams(bodyText);
-        const parsed = Object.fromEntries(params);
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': 'form',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        // Parse error - skip
-      }
-    }
-  } catch (error) {
-    // Silently fail - never break the request
-  }
-}
-
-/**
- * Check if body capture is enabled
- */
-function isBodyCaptureEnabled() {
-  return appConfig.boolConfig('capture.body', true);
-}
-
-/**
- * Patch Next.js Request to cache body text
- * This allows us to read the body without consuming it
- */
-function patchNextRequest() {
-  if (typeof Request === 'undefined') return;
-  
-  const originalText = Request.prototype.text;
-  const originalJson = Request.prototype.json;
-  
-  // Patch text() to cache result
-  Request.prototype.text = async function() {
-    if (this._bodyText !== undefined) {
-      return this._bodyText;
-    }
-    const text = await originalText.call(this);
-    this._bodyText = text;
-    
-    // Capture for tracing if enabled
-    if (isBodyCaptureEnabled() && ['POST', 'PUT', 'PATCH'].includes(this.method)) {
-      const span = trace.getActiveSpan();
-      if (span) {
-        // Schedule capture after this call (non-blocking)
-        setImmediate(() => {
-          safeBodyCapture(this, span).catch(() => {});
-        });
-      }
-    }
-    
-    return text;
-  };
-  
-  // Patch json() to cache and capture
-  Request.prototype.json = async function() {
-    // First get text
-    const text = await this.text();
-    // Then parse
-    return JSON.parse(text);
-  };
-  
-  console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
-}
-
-// Auto-patch when module is imported
-if (isBodyCaptureEnabled()) {
-  try {
-    patchNextRequest();
-    console.log('[securenow] 📝 Automatic body capture: ENABLED');
-    console.log('[securenow] 💡 No code changes needed - bodies captured automatically!');
-  } catch (error) {
-    console.warn('[securenow] ⚠️  Auto-capture patch failed:', error.message);
-    console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
-  }
-} else {
-  console.log('[securenow] Automatic body capture: DISABLED (config.capture.body=false)');
-}
-
-module.exports = {
-  patchNextRequest,
-  safeBodyCapture,
-  redactSensitiveData,
-  isBodyCaptureEnabled,
-};
-
+/**
+ * SecureNow Next.js Automatic Body Capture
+ * 
+ * This module automatically patches Next.js request handling to capture bodies
+ * WITHOUT requiring customers to wrap their handlers or change their code.
+ * 
+ * Usage in instrumentation.ts:
+ * 
+ * import { registerSecureNow } from 'securenow/nextjs';
+ * import 'securenow/nextjs-auto-capture'; // Just import this line!
+ * 
+ * export function register() {
+ *   registerSecureNow();
+ * }
+ * 
+ * That's it! Bodies are now captured automatically.
+ */
+
+const { trace } = require('@opentelemetry/api');
+const appConfig = require('./app-config');
+
+// Default sensitive fields to redact from request bodies.
+// Matched substring-wise against lowercased keys (see redactSensitiveData),
+// so e.g. 'card' also catches 'creditCard' and 'account' also catches
+// 'accountNumber'. Over-redaction here is intentional: a falsely-redacted
+// telemetry value is always safer than a leaked secret. Entries are kept
+// specific enough to avoid nuking broad benign keys (e.g. we use
+// 'firstname'/'lastname'/'fullname', never bare 'name').
+const DEFAULT_SENSITIVE_FIELDS = [
+  // credentials / auth
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'authorization', 'bearer', 'credentials',
+  'mysql_pwd', 'otp', 'mfa', 'totp', 'sessionid', 'session_id',
+  'cookie', 'set-cookie',
+  // financial
+  'stripeToken', 'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'iban', 'account', 'accountnumber', 'routing', 'sortcode', 'taxid',
+  // PII
+  'ssn', 'pin', 'email', 'e_mail', 'phone', 'mobile', 'dob', 'birthdate',
+  'firstname', 'lastname', 'fullname', 'address', 'postcode', 'zip',
+  'passport', 'license',
+];
+
+// Conservative value-shape redactors. Key-name matching misses secrets that
+// land in free-form string values (GraphQL bodies, message fields, etc.), so
+// as a second layer we scrub string VALUES that *look like* a secret/PII.
+// These are intentionally precise/bounded so they don't garble normal prose,
+// and they only ever transform captured telemetry strings (read-only) — never
+// the actual request/response stream. Compiled once at module load.
+const VALUE_REDACTORS = [
+  // JWT: three base64url segments. Anchored to the eyJ header so it won't
+  // match arbitrary dotted tokens.
+  { name: 'jwt', re: /eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g },
+  // Bearer/Basic auth header value embedded in a body string.
+  { name: 'bearer', re: /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/gi },
+  // Stripe-style / SecureNow live+test API keys.
+  { name: 'apikey', re: /\b(?:sk|pk|rk|snk)_(?:live|test)_[A-Za-z0-9]{8,}/g },
+  // Email addresses (bounded local/domain parts).
+  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },
+  // Credit-card-like: 13–19 digit runs that pass a Luhn check, allowing
+  // space/dash grouping. Luhn-gated to avoid clobbering ordinary long numbers.
+  { name: 'card', re: /\b(?:\d[ -]?){13,19}\b/g, luhn: true },
+];
+
+// Skip the value-shape scan on very large strings to bound per-body cost.
+const MAX_VALUE_SCAN_LENGTH = 16384;
+
+function luhnValid(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) { d *= 2; if (d > 9) d -= 9; }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+
+/**
+ * Redact obvious secret/PII shapes inside a captured string VALUE.
+ * Returns the input unchanged when nothing matches (cheap common case).
+ */
+function redactSensitiveValue(value) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  if (value.length > MAX_VALUE_SCAN_LENGTH) return value; // bound the work
+  let out = value;
+  for (const r of VALUE_REDACTORS) {
+    r.re.lastIndex = 0;
+    if (r.luhn) {
+      out = out.replace(r.re, (m) => {
+        const digits = m.replace(/[ -]/g, '');
+        if (digits.length < 13 || digits.length > 19) return m;
+        return luhnValid(digits) ? '[REDACTED]' : m;
+      });
+    } else {
+      out = out.replace(r.re, '[REDACTED]');
+    }
+  }
+  return out;
+}
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    } else if (typeof redacted[key] === 'string') {
+      // Second layer: even if the key name looks benign, scrub values that
+      // *look like* a secret/PII (JWT, bearer token, API key, email, card).
+      redacted[key] = redactSensitiveValue(redacted[key]);
+    }
+  }
+
+  return redacted;
+}
+
+/**
+ * Safe body capture that doesn't interfere with Next.js
+ */
+async function safeBodyCapture(request, span) {
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Try to read from cache if available (Next.js may have already read it)
+    let bodyText;
+    
+    // Attempt 1: Check if body was already cached by Next.js
+    if (request._bodyText) {
+      bodyText = request._bodyText;
+    } else {
+      // Attempt 2: Try to clone and read
+      try {
+        const cloned = request.clone();
+        bodyText = await cloned.text();
+        // Cache it for Next.js
+        request._bodyText = bodyText;
+      } catch (e) {
+        // If clone fails, body was already consumed - skip silently
+        return;
+      }
+    }
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      return;
+    }
+    
+    // Parse and redact
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        // Parse error - skip
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      try {
+        const params = new URLSearchParams(bodyText);
+        const parsed = Object.fromEntries(params);
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': 'form',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        // Parse error - skip
+      }
+    }
+  } catch (error) {
+    // Silently fail - never break the request
+  }
+}
+
+/**
+ * Check if body capture is enabled
+ */
+function isBodyCaptureEnabled() {
+  return appConfig.boolConfig('capture.body', true);
+}
+
+/**
+ * Patch Next.js Request to cache body text
+ * This allows us to read the body without consuming it
+ */
+function patchNextRequest() {
+  if (typeof Request === 'undefined') return;
+  
+  const originalText = Request.prototype.text;
+  const originalJson = Request.prototype.json;
+  
+  // Patch text() to cache result
+  Request.prototype.text = async function() {
+    if (this._bodyText !== undefined) {
+      return this._bodyText;
+    }
+    const text = await originalText.call(this);
+    this._bodyText = text;
+    
+    // Capture for tracing if enabled
+    if (isBodyCaptureEnabled() && ['POST', 'PUT', 'PATCH'].includes(this.method)) {
+      const span = trace.getActiveSpan();
+      if (span) {
+        // Schedule capture after this call (non-blocking)
+        setImmediate(() => {
+          safeBodyCapture(this, span).catch(() => {});
+        });
+      }
+    }
+    
+    return text;
+  };
+  
+  // Patch json() to cache and capture
+  Request.prototype.json = async function() {
+    // First get text
+    const text = await this.text();
+    // Then parse
+    return JSON.parse(text);
+  };
+  
+  console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
+}
+
+// Auto-patch when module is imported
+if (isBodyCaptureEnabled()) {
+  try {
+    patchNextRequest();
+    console.log('[securenow] 📝 Automatic body capture: ENABLED');
+    console.log('[securenow] 💡 No code changes needed - bodies captured automatically!');
+  } catch (error) {
+    console.warn('[securenow] ⚠️  Auto-capture patch failed:', error.message);
+    console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
+  }
+} else {
+  console.log('[securenow] Automatic body capture: DISABLED (config.capture.body=false)');
+}
+
+module.exports = {
+  patchNextRequest,
+  safeBodyCapture,
+  redactSensitiveData,
+  isBodyCaptureEnabled,
+};
+