npm - securenow - Versions diffs - 8.6.0 → 8.7.0 - Mend

securenow 8.6.0 → 8.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/cli/security.js +80 -8
package/cli.js +10 -3
package/nextjs-auto-capture.js +274 -195
package/nextjs-middleware.js +268 -185
package/nextjs-wrapper.js +234 -155
package/nextjs.js +768 -685
package/nuxt-server-plugin.mjs +506 -426
package/package.json +1 -1
package/tracing.js +844 -758

package/nextjs.js CHANGED Viewed

@@ -1,685 +1,768 @@
-'use strict';
-/**
- * SecureNow Next.js Integration using @vercel/otel
- *
- * Usage in Next.js app:
- *
- * 1. Add securenow to serverExternalPackages and standalone output tracing
- *    includes in next.config.js:
- *
- *    const nextConfig = {
- *      serverExternalPackages: ["securenow"],
- *      outputFileTracingIncludes: {
- *        "/*": ["<securenow package glob>"],
- *      },
- *    };
- *
- * 2. Create instrumentation.ts (or .js) in your project root:
- *
- *    export async function register() {
- *      if (process.env.NEXT_RUNTIME !== "nodejs") return;
- *      const securenowNext = await import(/* webpackIgnore: true *\/ "securenow/nextjs");
- *      const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
- *      registerSecureNow({ captureBody: true });
- *      await import(/* webpackIgnore: true *\/ "securenow/nextjs-auto-capture");
- *    }
- *
- * 3. Run `npx securenow login` and `npx securenow init`.
- *    The SDK reads app identity, collector, firewall, capture, and
- *    deploymentEnvironment from .securenow/credentials.json.
- */
-const { randomUUID } = require('crypto');
-const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
-const appConfig = require('./app-config');
-const { resolveClientIpWithDetails } = require('./resolve-ip');
-const otelResources = require('@opentelemetry/resources');
-const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
-let isRegistered = false;
-function requireRuntimeModule(name) {
-  const nodeRequire = typeof __non_webpack_require__ === 'function' ? __non_webpack_require__ : eval('require');
-  return nodeRequire(name);
-}
-function requireNodeBuiltin(name) {
-  return requireRuntimeModule(name);
-}
-function createResource(attributes) {
-  if (typeof otelResources.resourceFromAttributes === 'function') {
-    return otelResources.resourceFromAttributes(attributes);
-  }
-  if (typeof otelResources.Resource === 'function') {
-    return new otelResources.Resource(attributes);
-  }
-  throw new Error('Unsupported @opentelemetry/resources version');
-}
-// Default sensitive fields to redact from request bodies
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  for (const key of Object.keys(redacted)) {
-    const lowerKey = key.toLowerCase();
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      // Recursively redact nested objects
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  return redacted;
-}
-function escapeRegex(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-/**
- * Redact sensitive data from GraphQL query strings
- */
-function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!query || typeof query !== 'string') return query;
-  let redacted = query;
-  // Redact sensitive fields in GraphQL arguments and variables
-  // Matches patterns like: password: "value" or password:"value" or password:'value'
-  sensitiveFields.forEach(field => {
-    const escaped = escapeRegex(field);
-    const patterns = [
-      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
-    ];
-    patterns.forEach(pattern => {
-      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
-        if (suffix) {
-          return `${prefix}[REDACTED]${suffix}`;
-        } else {
-          return `${prefix}[REDACTED]`;
-        }
-      });
-    });
-  });
-  return redacted;
-}
-/**
- * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
- * @param {Object} options - Optional configuration
- * @param {string} options.serviceName - Service name (defaults to .securenow/credentials.json app.key/app.name)
- * @param {string} options.endpoint - Advanced OTLP endpoint override (defaults to the SecureNow ingest gateway)
- * @param {string} options.environment - deployment.environment override (defaults to config.runtime.deploymentEnvironment)
- * @param {boolean} options.noUuid - Don't append UUID to service name
- */
-function registerSecureNow(options = {}) {
-  // Only register once
-  if (isRegistered) {
-    console.log('[securenow] Already registered, skipping...');
-    return;
-  }
-  // Skip for Edge runtime
-  if (process.env.NEXT_RUNTIME === 'edge') {
-    console.log('[securenow] Skipping Edge runtime (Node.js only)');
-    return;
-  }
-  // Detect environment outside try block for error handling
-  const isVercel = !!(process.env.VERCEL || process.env.VERCEL_ENV || process.env.VERCEL_URL);
-  let deploymentEnvironment = appConfig.resolveDeploymentEnvironment();
-  try {
-    console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
-    // -------- Configuration --------
-    // Resolution order: explicit options -> .securenow/credentials.json -> package.json#name.
-    // Telemetry goes to the stable ingest gateway by default; the API gateway
-    // routes by app.key to the dashboard-selected instance.
-    const resolvedApp = appConfig.resolveAll();
-    const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
-    const baseName = rawBase || null;
-    // Default: auto-disable suffix when logged in (appId is the routing UUID
-    // and the dashboard does exact match). opts.noUuid or config.runtime.noUuid
-    // can still override.
-    const noUuid = appConfig.resolveNoUuid({ noUuid: options.noUuid });
-    deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
-      options.environment || resolvedApp.deploymentEnvironment
-    );
-    // service.name
-    let serviceName;
-    if (baseName) {
-      serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
-    } else {
-      serviceName = `nextjs-app-${randomUUID()}`;
-      console.warn('[securenow] No app identity resolved. Using fallback: %s', serviceName);
-      console.warn('[securenow] Run `npx securenow login` and `npx securenow init` to write .securenow/credentials.json');
-    }
-    // -------- Endpoint Configuration --------
-    const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: options.endpoint || resolvedApp.instance });
-    const endpointBase = resolvedEndpoints.endpointBase;
-    const tracesUrl = resolvedEndpoints.tracesUrl;
-    const logsUrl = resolvedEndpoints.logsUrl;
-    const headers = resolvedEndpoints.headers;
-    const otelLogLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
-    const isDevelopmentRuntime = process.env.NODE_ENV === 'development';
-    console.log('[securenow] Next.js App -> service.name=%s', serviceName);
-    console.log('[securenow] Environment: %s', deploymentEnvironment);
-    // -------- Body Capture Configuration --------
-    // Opt-out default: set config.capture.body=false (or options.captureBody=false) to disable.
-    const captureBody = options.captureBody ?? appConfig.boolConfig('capture.body', true);
-    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
-    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    // -------- Log environment detection --------
-    if (!isVercel) {
-      console.log('[securenow] Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
-    }
-    // -------- Use different initialization based on environment --------
-    const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
-    // Configure HTTP instrumentation with comprehensive header capture
-    const httpInstrumentation = new HttpInstrumentation({
-      requireParentforOutgoingSpans: false,
-      requireParentforIncomingSpans: false,
-      ignoreIncomingRequestHook: (request) => {
-        // Never ignore - we want to trace all requests
-        return false;
-      },
-      requestHook: (span, request) => {
-        // SYNCHRONOUS ONLY - no async operations to avoid timing issues
-        try {
-          // Capture all headers
-          const headers = request.headers || {};
-          // ======== IP ADDRESS CAPTURE ========
-          const ipDetails = resolveClientIpWithDetails(request);
-          const forwardedFor = ipDetails.forwardedFor;
-          const realIp = ipDetails.realIp;
-          const socketIp = ipDetails.socketIp;
-          const primaryIp = ipDetails.ip || 'unknown';
-          // ======== PROTOCOL & CONNECTION ========
-          const scheme = headers['x-forwarded-proto'] ||
-                        (request.socket?.encrypted ? 'https' : 'http');
-          const host = headers['x-forwarded-host'] || headers['host'] || '';
-          const port = headers['x-forwarded-port'] || request.socket?.localPort || '';
-          // ======== REQUEST METADATA ========
-          const userAgent = headers['user-agent'] || '';
-          const referer = headers['referer'] || headers['referrer'] || '';
-          const accept = headers['accept'] || '';
-          const acceptLanguage = headers['accept-language'] || '';
-          const acceptEncoding = headers['accept-encoding'] || '';
-          const contentType = headers['content-type'] || '';
-          const contentLength = headers['content-length'] || '';
-          const origin = headers['origin'] || '';
-          // ======== PROXY & LOAD BALANCER ========
-          const originalUri = headers['x-original-uri'] || '';
-          const originalMethod = headers['x-original-method'] || '';
-          const requestId = headers['x-request-id'] || headers['x-trace-id'] || headers['x-correlation-id'] || '';
-          // ======== SET ALL ATTRIBUTES ========
-          const attributes = {
-            // IP & Network
-            'http.client_ip': primaryIp,
-            'http.client_ip.source': ipDetails.source,
-            'http.forwarded_for': forwardedFor || '',
-            'http.real_ip': realIp || '',
-            'http.socket_ip': socketIp || '',
-            'http.proxy.trusted': String(!!ipDetails.trustedProxy),
-            'http.request.header.x_forwarded_for': forwardedFor || '',
-            'http.request.header.x_real_ip': realIp || '',
-            'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
-            'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
-            'http.request.header.x_client_ip': ipDetails.clientIp || '',
-            // Protocol & Host
-            'http.scheme': scheme,
-            'http.host': host,
-            'http.port': port.toString(),
-            'http.forwarded_proto': headers['x-forwarded-proto'] || '',
-            'http.forwarded_host': headers['x-forwarded-host'] || '',
-            // Request Details
-            'http.user_agent': userAgent,
-            'http.referer': referer,
-            'http.origin': origin,
-            'http.accept': accept,
-            'http.accept_language': acceptLanguage,
-            'http.accept_encoding': acceptEncoding,
-            'http.content_type': contentType,
-            'http.content_length': contentLength,
-            // Proxy & Routing
-            'http.original_uri': originalUri,
-            'http.original_method': originalMethod,
-            'http.request_id': requestId,
-            // Connection Info
-            'http.connection': headers['connection'] || '',
-            'http.upgrade': headers['upgrade'] || '',
-          };
-          // Set all attributes at once
-          span.setAttributes(attributes);
-          // ======== GEOGRAPHIC DATA ========
-          // Vercel geo headers
-          if (headers['x-vercel-ip-country']) {
-            span.setAttributes({
-              'http.geo.country': headers['x-vercel-ip-country'],
-              'http.geo.region': headers['x-vercel-ip-country-region'] || '',
-              'http.geo.city': headers['x-vercel-ip-city'] || '',
-              'http.geo.latitude': headers['x-vercel-ip-latitude'] || '',
-              'http.geo.longitude': headers['x-vercel-ip-longitude'] || '',
-              'http.geo.timezone': headers['x-vercel-ip-timezone'] || '',
-            });
-          }
-          // Cloudflare geo headers
-          if (headers['cf-ipcountry']) {
-            span.setAttributes({
-              'http.geo.country': headers['cf-ipcountry'],
-              'http.geo.cf_ray': headers['cf-ray'] || '',
-              'http.geo.cf_visitor': headers['cf-visitor'] || '',
-            });
-          }
-          // Cloudflare additional headers
-          if (headers['cf-connecting-ip']) {
-            span.setAttribute('http.cf.connecting_ip', headers['cf-connecting-ip']);
-          }
-          // ======== SECURITY HEADERS ========
-          if (headers['x-csrf-token']) {
-            span.setAttribute('http.security.csrf_token_present', 'true');
-          }
-          if (headers['authorization']) {
-            span.setAttribute('http.security.auth_present', 'true');
-            // Never log the actual token!
-          }
-          if (headers['cookie']) {
-            span.setAttribute('http.security.cookies_present', 'true');
-            // Never log actual cookies!
-          }
-          // Debug log in development
-          if (isDevelopmentRuntime || otelLogLevel === 'debug') {
-            console.log('[securenow] Captured IP: %s (from: %s)',
-              primaryIp,
-              ipDetails.source || 'unknown'
-            );
-          }
-          // -------- Request Body NOT captured at HTTP instrumentation level --------
-          // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
-          // Next.js manages request streams internally and reading them here causes conflicts
-          // Body capture must be done in Next.js middleware using request.clone()
-        } catch (error) {
-          // Silently fail to not break the request
-          if (otelLogLevel === 'debug') {
-            console.error('[securenow] Error in requestHook:', error.message);
-          }
-        }
-      },
-      responseHook: (span, response) => {
-        try {
-          // Capture response metadata
-          span.setAttributes({
-            'http.status_code': response.statusCode || 0,
-            'http.status_message': response.statusMessage || '',
-            'http.response.content_type': response.headers?.['content-type'] || '',
-            'http.response.content_length': response.headers?.['content-length'] || '',
-          });
-        } catch (error) {
-          // Silently fail
-        }
-      },
-    });
-    // -------- Guard against OTLP exporter socket errors --------
-    // The OTLP HTTP exporter uses keep-alive connections that can be reset by
-    // the remote end (ECONNRESET / "socket hang up"). These transient errors
-    // sometimes escape as unhandled exceptions or rejections. We catch them
-    // here and log at debug level instead of crashing the host app.
-    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
-    function _isOtlpTransientError(err) {
-      if (!err) return false;
-      if (_TRANSIENT_CODES.has(err.code)) return true;
-      if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
-      return false;
-    }
-    function _looksLikeOtlpStack(err) {
-      const s = err && err.stack;
-      if (!s) return false;
-      return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
-        || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
-    }
-    function _looksLikeConfiguredOtlpEndpoint(err) {
-      const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
-      try {
-        const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
-        return hosts.some((host) => host && text.includes(host));
-      } catch (_) {
-        return false;
-      }
-    }
-    const _diagDebug = otelLogLevel === 'debug';
-    let _lastSuppressedOtlpErrorLogAt = 0;
-    function _originalConsole(method) {
-      const originals = console.__securenow_original || console.__securenowOriginalConsole;
-      return (originals && originals[method]) || console[method] || console.log;
-    }
-    function _formatOtlpError(err) {
-      if (!err) return 'unknown error';
-      const parts = [err.message || String(err)];
-      if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
-      if (err.syscall) parts.push(`syscall=${err.syscall}`);
-      if (err.hostname) parts.push(`host=${err.hostname}`);
-      return parts.join(' ');
-    }
-    function _reportSuppressedOtlpError(kind, err, origin) {
-      if (otelLogLevel === 'none') return;
-      const now = Date.now();
-      if (!_diagDebug && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
-      _lastSuppressedOtlpErrorLogAt = now;
-      const method = _diagDebug ? 'debug' : 'error';
-      _originalConsole(method).call(
-        console,
-        '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
-        kind,
-        origin || 'async',
-        _formatOtlpError(err)
-      );
-    }
-    process.on('uncaughtException', (err, origin) => {
-      if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
-        _reportSuppressedOtlpError('error', err, origin);
-        return;
-      }
-      throw err;
-    });
-    process.on('unhandledRejection', (reason) => {
-      if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
-        _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
-        return;
-      }
-      throw reason;
-    });
-    if (isVercel) {
-      // -------- Vercel Environment: Use @vercel/otel --------
-      const { registerOTel } = require('@vercel/otel');
-      registerOTel({
-        serviceName: serviceName,
-        attributes: {
-          'deployment.environment': deploymentEnvironment,
-          'service.version': process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
-          'vercel.region': process.env.VERCEL_REGION || undefined,
-        },
-        instrumentations: [httpInstrumentation],
-        instrumentationConfig: {
-          fetch: {
-            // Propagate context to your backend APIs
-            propagateContextUrls: [
-              /^https?:\/\/localhost/,
-              /^https?:\/\/.*\.vercel\.app/,
-              // Add your backend domains here
-            ],
-            // Optionally ignore certain URLs
-            ignoreUrls: [
-              /_next\/static/,
-              /_next\/image/,
-              /\.map$/,
-            ],
-          },
-        },
-      });
-    } else {
-      // -------- Self-Hosted (EC2/PM2): Use Vanilla OpenTelemetry SDK --------
-      const { NodeSDK } = require('@opentelemetry/sdk-node');
-      const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
-      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
-      const traceExporter = new OTLPTraceExporter({
-        url: tracesUrl,
-            headers
-      });
-      const sdk = new NodeSDK({
-        ...nodeSdkTelemetryOptions,
-        serviceName: serviceName,
-        traceExporter: traceExporter,
-        instrumentations: [httpInstrumentation],
-        resource: createResource({
-          [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
-          [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
-        }),
-      });
-      sdk.start();
-      console.log('[securenow] Vanilla SDK initialized for self-hosted environment');
-      // -------- Logging (self-hosted only) --------
-      // Opt-out default: set config.logging.enabled=false to disable.
-      const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
-      if (loggingEnabled) {
-        try {
-          const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
-          const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
-          const logExporter = new OTLPLogExporter({
-            url: logsUrl,
-            headers,
-          });
-          const loggerProvider = new LoggerProvider({
-            resource: createResource({
-              [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
-            }),
-            processors: [new BatchLogRecordProcessor(logExporter)],
-          });
-          // Patch console to forward logs as OTLP log records
-          const logger = loggerProvider.getLogger('console', '1.0.0');
-          const SeverityNumber = { INFO: 9, WARN: 13, ERROR: 17 };
-          const origLog = console.log;
-          const origWarn = console.warn;
-          const origError = console.error;
-          const { context: otelContext, trace: otelTrace } = require('@opentelemetry/api');
-          function _emitLog(sn, st, args) {
-            try {
-              const activeCtx = otelContext.active();
-              const spanCtx = otelTrace.getSpanContext(activeCtx);
-              logger.emit({
-                severityNumber: sn,
-                severityText: st,
-                body: args.map(String).join(' '),
-                ...(spanCtx && { context: activeCtx }),
-              });
-            } catch (_) {}
-          }
-          console.log = (...args) => {
-            origLog.apply(console, args);
-            _emitLog(SeverityNumber.INFO, 'INFO', args);
-          };
-          console.warn = (...args) => {
-            origWarn.apply(console, args);
-            _emitLog(SeverityNumber.WARN, 'WARN', args);
-          };
-          console.error = (...args) => {
-            origError.apply(console, args);
-            _emitLog(SeverityNumber.ERROR, 'ERROR', args);
-          };
-          console.log('[securenow] Logging: ENABLED -> %s', logsUrl);
-          // Auto-log every incoming HTTP request/response
-          try {
-            const http = requireNodeBuiltin('node:http');
-            const originalEmit = http.Server.prototype.emit;
-            http.Server.prototype.emit = function (event, req, res) {
-              if (event === 'request' && req && res) {
-                const start = Date.now();
-                const method = req.method;
-                const url = req.url;
-                res.on('finish', () => {
-                  const reqCtx = otelContext.active();
-                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
-                  const duration = Date.now() - start;
-                  const status = res.statusCode;
-                  const ipDetails = resolveClientIpWithDetails(req);
-                  const ip = ipDetails.ip || '-';
-                  const ua = req.headers['user-agent'] || '-';
-                  const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
-                  const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
-                  const severityText = status >= 500 ? 'ERROR' : status >= 400 ? 'WARN' : 'INFO';
-                  origLog.call(console, '[securenow] %s %s %d %dms', method, url, status, duration);
-                  try {
-                    logger.emit({
-                      severityNumber: severity,
-                      severityText,
-                      body,
-                      attributes: {
-                        'http.method': method,
-                        'http.url': url,
-                        'http.status_code': status,
-                        'http.duration_ms': duration,
-                        'http.client_ip': ip,
-                        'http.client_ip.source': ipDetails.source || 'unknown',
-                        'http.socket_ip': ipDetails.socketIp || '',
-                        'http.forwarded_for': ipDetails.forwardedFor || '',
-                        'http.real_ip': ipDetails.realIp || '',
-                        'http.proxy.trusted': String(!!ipDetails.trustedProxy),
-                        'http.user_agent': ua,
-                      },
-                      ...(reqSpanCtx && { context: reqCtx }),
-                    });
-                  } catch (_) {}
-                });
-              }
-              return originalEmit.apply(this, arguments);
-            };
-            console.log('[securenow] HTTP request logging: ENABLED');
-          } catch (_) {}
-          // Graceful shutdown for logs
-          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
-          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
-        } catch (e) {
-          console.warn('[securenow] Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
-        }
-      } else {
-        console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
-      }
-    }
-    isRegistered = true;
-    // Free trial banner (optional - may not be bundled in standalone builds)
-    try {
-      const { isFreeTrial, patchHttpForBanner } = requireRuntimeModule('./free-trial-banner');
-      if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
-        patchHttpForBanner();
-      }
-    } catch (_) {}
-    console.log('[securenow] OpenTelemetry started for Next.js -> %s', tracesUrl);
-    console.log('[securenow] Auto-capturing comprehensive request metadata:');
-    console.log('[securenow]    - IP addresses (x-forwarded-for, x-real-ip, socket)');
-    console.log('[securenow]    - User-Agent, Referer, Origin, Accept headers');
-    console.log('[securenow]    - Protocol, Host, Port (proxy-aware)');
-    console.log('[securenow]    - Geographic data (Vercel/Cloudflare)');
-    console.log('[securenow]    - Request IDs, CSRF tokens, Auth presence');
-    console.log('[securenow]    - Response status, content-type, content-length');
-    console.log('[securenow] Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
-    if (captureBody) {
-      console.log('[securenow] For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
-    }
-    // Optional test span
-    if (appConfig.boolConfig('runtime.testSpan', false)) {
-      const api = require('@opentelemetry/api');
-      const tracer = api.trace.getTracer('securenow-nextjs');
-      const span = tracer.startSpan('securenow.nextjs.startup');
-      span.setAttribute('next.runtime', process.env.NEXT_RUNTIME || 'nodejs');
-      span.end();
-      console.log('[securenow] Test span created');
-    }
-  } catch (error) {
-    console.error('[securenow] Failed to initialize OpenTelemetry:', error);
-    if (isVercel) {
-      console.error('[securenow] Make sure you have @vercel/otel installed: npm install @vercel/otel');
-    } else {
-      console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
-    }
-  }
-  // Firewall - runs independently from OTel so it works even if tracing fails.
-  // Key and environment come from .securenow/credentials.json (written by
-  // login/init or credentials runtime), so no .env entry is needed.
-  const firewallOptions = appConfig.resolveFirewallOptions();
-  if (firewallOptions.apiKey) {
-    try {
-      requireRuntimeModule('./firewall').init({
-        apiKey: firewallOptions.apiKey,
-        appKey: firewallOptions.appKey,
-        environment: deploymentEnvironment || firewallOptions.environment,
-        apiUrl: firewallOptions.apiUrl,
-        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
-        versionCheckInterval: firewallOptions.versionCheckInterval,
-        syncInterval: firewallOptions.syncInterval,
-        failMode: firewallOptions.failMode,
-        statusCode: firewallOptions.statusCode,
-        log: firewallOptions.log,
-        tcp: firewallOptions.tcp,
-        iptables: firewallOptions.iptables,
-        cloud: firewallOptions.cloud,
-        cloudDryRun: firewallOptions.cloudDryRun,
-        cloudflare: firewallOptions.cloudflare,
-        aws: firewallOptions.aws,
-        gcp: firewallOptions.gcp,
-      });
-    } catch (e) {
-      console.warn('[securenow] Firewall init failed:', e.message);
-    }
-  }
-}
-module.exports = {
-  registerSecureNow,
-};
+'use strict';
+/**
+ * SecureNow Next.js Integration using @vercel/otel
+ *
+ * Usage in Next.js app:
+ *
+ * 1. Add securenow to serverExternalPackages and standalone output tracing
+ *    includes in next.config.js:
+ *
+ *    const nextConfig = {
+ *      serverExternalPackages: ["securenow"],
+ *      outputFileTracingIncludes: {
+ *        "/*": ["<securenow package glob>"],
+ *      },
+ *    };
+ *
+ * 2. Create instrumentation.ts (or .js) in your project root:
+ *
+ *    export async function register() {
+ *      if (process.env.NEXT_RUNTIME !== "nodejs") return;
+ *      const securenowNext = await import(/* webpackIgnore: true *\/ "securenow/nextjs");
+ *      const registerSecureNow = securenowNext.registerSecureNow || securenowNext.default?.registerSecureNow;
+ *      registerSecureNow({ captureBody: true });
+ *      await import(/* webpackIgnore: true *\/ "securenow/nextjs-auto-capture");
+ *    }
+ *
+ * 3. Run `npx securenow login` and `npx securenow init`.
+ *    The SDK reads app identity, collector, firewall, capture, and
+ *    deploymentEnvironment from .securenow/credentials.json.
+ */
+const { randomUUID } = require('crypto');
+const { nodeSdkDefaultTelemetryOptions } = require('./otel-defaults');
+const appConfig = require('./app-config');
+const { resolveClientIpWithDetails } = require('./resolve-ip');
+const otelResources = require('@opentelemetry/resources');
+const nodeSdkTelemetryOptions = nodeSdkDefaultTelemetryOptions();
+let isRegistered = false;
+function requireRuntimeModule(name) {
+  const nodeRequire = typeof __non_webpack_require__ === 'function' ? __non_webpack_require__ : eval('require');
+  return nodeRequire(name);
+}
+function requireNodeBuiltin(name) {
+  return requireRuntimeModule(name);
+}
+function createResource(attributes) {
+  if (typeof otelResources.resourceFromAttributes === 'function') {
+    return otelResources.resourceFromAttributes(attributes);
+  }
+  if (typeof otelResources.Resource === 'function') {
+    return new otelResources.Resource(attributes);
+  }
+  throw new Error('Unsupported @opentelemetry/resources version');
+}
+// Default sensitive fields to redact from request bodies.
+// Matched substring-wise against lowercased keys (see redactSensitiveData),
+// so e.g. 'card' also catches 'creditCard' and 'account' also catches
+// 'accountNumber'. Over-redaction here is intentional: a falsely-redacted
+// telemetry value is always safer than a leaked secret. Entries are kept
+// specific enough to avoid nuking broad benign keys (e.g. we use
+// 'firstname'/'lastname'/'fullname', never bare 'name').
+const DEFAULT_SENSITIVE_FIELDS = [
+  // credentials / auth
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'authorization', 'bearer', 'credentials',
+  'mysql_pwd', 'otp', 'mfa', 'totp', 'sessionid', 'session_id',
+  'cookie', 'set-cookie',
+  // financial
+  'stripeToken', 'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'iban', 'account', 'accountnumber', 'routing', 'sortcode', 'taxid',
+  // PII
+  'ssn', 'pin', 'email', 'e_mail', 'phone', 'mobile', 'dob', 'birthdate',
+  'firstname', 'lastname', 'fullname', 'address', 'postcode', 'zip',
+  'passport', 'license',
+];
+// Conservative value-shape redactors. Key-name matching misses secrets that
+// land in free-form string values (GraphQL bodies, message fields, etc.), so
+// as a second layer we scrub string VALUES that *look like* a secret/PII.
+// These are intentionally precise/bounded so they don't garble normal prose,
+// and they only ever transform captured telemetry strings (read-only) — never
+// the actual request/response stream. Compiled once at module load.
+const VALUE_REDACTORS = [
+  // JWT: three base64url segments. Anchored to the eyJ header so it won't
+  // match arbitrary dotted tokens.
+  { name: 'jwt', re: /eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g },
+  // Bearer/Basic auth header value embedded in a body string.
+  { name: 'bearer', re: /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/gi },
+  // Stripe-style / SecureNow live+test API keys.
+  { name: 'apikey', re: /\b(?:sk|pk|rk|snk)_(?:live|test)_[A-Za-z0-9]{8,}/g },
+  // Email addresses (bounded local/domain parts).
+  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },
+  // Credit-card-like: 13–19 digit runs that pass a Luhn check, allowing
+  // space/dash grouping. Luhn-gated to avoid clobbering ordinary long numbers.
+  { name: 'card', re: /\b(?:\d[ -]?){13,19}\b/g, luhn: true },
+];
+// Skip the value-shape scan on very large strings to bound per-body cost.
+const MAX_VALUE_SCAN_LENGTH = 16384;
+function luhnValid(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) { d *= 2; if (d > 9) d -= 9; }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+/**
+ * Redact obvious secret/PII shapes inside a captured string VALUE.
+ * Returns the input unchanged when nothing matches (cheap common case).
+ */
+function redactSensitiveValue(value) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  if (value.length > MAX_VALUE_SCAN_LENGTH) return value; // bound the work
+  let out = value;
+  for (const r of VALUE_REDACTORS) {
+    r.re.lastIndex = 0;
+    if (r.luhn) {
+      out = out.replace(r.re, (m) => {
+        const digits = m.replace(/[ -]/g, '');
+        if (digits.length < 13 || digits.length > 19) return m;
+        return luhnValid(digits) ? '[REDACTED]' : m;
+      });
+    } else {
+      out = out.replace(r.re, '[REDACTED]');
+    }
+  }
+  return out;
+}
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      // Recursively redact nested objects
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    } else if (typeof redacted[key] === 'string') {
+      // Second layer: even if the key name looks benign, scrub values that
+      // *look like* a secret/PII (JWT, bearer token, API key, email, card).
+      redacted[key] = redactSensitiveValue(redacted[key]);
+    }
+  }
+  return redacted;
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  let redacted = query;
+  // Redact sensitive fields in GraphQL arguments and variables
+  // Matches patterns like: password: "value" or password:"value" or password:'value'
+  sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
+    const patterns = [
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        if (suffix) {
+          return `${prefix}[REDACTED]${suffix}`;
+        } else {
+          return `${prefix}[REDACTED]`;
+        }
+      });
+    });
+  });
+  // Second layer: scrub secret/PII *shapes* anywhere in the (free-form) query
+  // body — catches values the key-name pass above can't see.
+  redacted = redactSensitiveValue(redacted);
+  return redacted;
+}
+/**
+ * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
+ * @param {Object} options - Optional configuration
+ * @param {string} options.serviceName - Service name (defaults to .securenow/credentials.json app.key/app.name)
+ * @param {string} options.endpoint - Advanced OTLP endpoint override (defaults to the SecureNow ingest gateway)
+ * @param {string} options.environment - deployment.environment override (defaults to config.runtime.deploymentEnvironment)
+ * @param {boolean} options.noUuid - Don't append UUID to service name
+ */
+function registerSecureNow(options = {}) {
+  // Only register once
+  if (isRegistered) {
+    console.log('[securenow] Already registered, skipping...');
+    return;
+  }
+  // Skip for Edge runtime
+  if (process.env.NEXT_RUNTIME === 'edge') {
+    console.log('[securenow] Skipping Edge runtime (Node.js only)');
+    return;
+  }
+  // Detect environment outside try block for error handling
+  const isVercel = !!(process.env.VERCEL || process.env.VERCEL_ENV || process.env.VERCEL_URL);
+  let deploymentEnvironment = appConfig.resolveDeploymentEnvironment();
+  try {
+    console.log('[securenow] Next.js integration loading (pid=%d)', process.pid);
+    // -------- Configuration --------
+    // Resolution order: explicit options -> .securenow/credentials.json -> package.json#name.
+    // Telemetry goes to the stable ingest gateway by default; the API gateway
+    // routes by app.key to the dashboard-selected instance.
+    const resolvedApp = appConfig.resolveAll();
+    const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
+    const baseName = rawBase || null;
+    // Default: auto-disable suffix when logged in (appId is the routing UUID
+    // and the dashboard does exact match). opts.noUuid or config.runtime.noUuid
+    // can still override.
+    const noUuid = appConfig.resolveNoUuid({ noUuid: options.noUuid });
+    deploymentEnvironment = appConfig.normalizeDeploymentEnvironment(
+      options.environment || resolvedApp.deploymentEnvironment
+    );
+    // service.name
+    let serviceName;
+    if (baseName) {
+      serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
+    } else {
+      serviceName = `nextjs-app-${randomUUID()}`;
+      console.warn('[securenow] No app identity resolved. Using fallback: %s', serviceName);
+      console.warn('[securenow] Run `npx securenow login` and `npx securenow init` to write .securenow/credentials.json');
+    }
+    // -------- Endpoint Configuration --------
+    const resolvedEndpoints = appConfig.resolveEndpoints({ endpoint: options.endpoint || resolvedApp.instance });
+    const endpointBase = resolvedEndpoints.endpointBase;
+    const tracesUrl = resolvedEndpoints.tracesUrl;
+    const logsUrl = resolvedEndpoints.logsUrl;
+    const headers = resolvedEndpoints.headers;
+    const otelLogLevel = String(appConfig.configValue('otel.logLevel', '') || '').toLowerCase();
+    const isDevelopmentRuntime = process.env.NODE_ENV === 'development';
+    console.log('[securenow] Next.js App -> service.name=%s', serviceName);
+    console.log('[securenow] Environment: %s', deploymentEnvironment);
+    // -------- Body Capture Configuration --------
+    // Opt-out default: set config.capture.body=false (or options.captureBody=false) to disable.
+    const captureBody = options.captureBody ?? appConfig.boolConfig('capture.body', true);
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    // -------- Log environment detection --------
+    if (!isVercel) {
+      console.log('[securenow] Self-hosted environment detected (EC2/PM2) - using vanilla SDK');
+    }
+    // -------- Use different initialization based on environment --------
+    const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
+    // Configure HTTP instrumentation with comprehensive header capture
+    const httpInstrumentation = new HttpInstrumentation({
+      requireParentforOutgoingSpans: false,
+      requireParentforIncomingSpans: false,
+      ignoreIncomingRequestHook: (request) => {
+        // Never ignore - we want to trace all requests
+        return false;
+      },
+      requestHook: (span, request) => {
+        // SYNCHRONOUS ONLY - no async operations to avoid timing issues
+        try {
+          // Capture all headers
+          const headers = request.headers || {};
+          // ======== IP ADDRESS CAPTURE ========
+          const ipDetails = resolveClientIpWithDetails(request);
+          const forwardedFor = ipDetails.forwardedFor;
+          const realIp = ipDetails.realIp;
+          const socketIp = ipDetails.socketIp;
+          const primaryIp = ipDetails.ip || 'unknown';
+          // ======== PROTOCOL & CONNECTION ========
+          const scheme = headers['x-forwarded-proto'] ||
+                        (request.socket?.encrypted ? 'https' : 'http');
+          const host = headers['x-forwarded-host'] || headers['host'] || '';
+          const port = headers['x-forwarded-port'] || request.socket?.localPort || '';
+          // ======== REQUEST METADATA ========
+          const userAgent = headers['user-agent'] || '';
+          const referer = headers['referer'] || headers['referrer'] || '';
+          const accept = headers['accept'] || '';
+          const acceptLanguage = headers['accept-language'] || '';
+          const acceptEncoding = headers['accept-encoding'] || '';
+          const contentType = headers['content-type'] || '';
+          const contentLength = headers['content-length'] || '';
+          const origin = headers['origin'] || '';
+          // ======== PROXY & LOAD BALANCER ========
+          const originalUri = headers['x-original-uri'] || '';
+          const originalMethod = headers['x-original-method'] || '';
+          const requestId = headers['x-request-id'] || headers['x-trace-id'] || headers['x-correlation-id'] || '';
+          // ======== SET ALL ATTRIBUTES ========
+          const attributes = {
+            // IP & Network
+            'http.client_ip': primaryIp,
+            'http.client_ip.source': ipDetails.source,
+            'http.forwarded_for': forwardedFor || '',
+            'http.real_ip': realIp || '',
+            'http.socket_ip': socketIp || '',
+            'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+            'http.request.header.x_forwarded_for': forwardedFor || '',
+            'http.request.header.x_real_ip': realIp || '',
+            'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+            'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+            'http.request.header.x_client_ip': ipDetails.clientIp || '',
+            // Protocol & Host
+            'http.scheme': scheme,
+            'http.host': host,
+            'http.port': port.toString(),
+            'http.forwarded_proto': headers['x-forwarded-proto'] || '',
+            'http.forwarded_host': headers['x-forwarded-host'] || '',
+            // Request Details
+            'http.user_agent': userAgent,
+            'http.referer': referer,
+            'http.origin': origin,
+            'http.accept': accept,
+            'http.accept_language': acceptLanguage,
+            'http.accept_encoding': acceptEncoding,
+            'http.content_type': contentType,
+            'http.content_length': contentLength,
+            // Proxy & Routing
+            'http.original_uri': originalUri,
+            'http.original_method': originalMethod,
+            'http.request_id': requestId,
+            // Connection Info
+            'http.connection': headers['connection'] || '',
+            'http.upgrade': headers['upgrade'] || '',
+          };
+          // Set all attributes at once
+          span.setAttributes(attributes);
+          // ======== GEOGRAPHIC DATA ========
+          // Vercel geo headers
+          if (headers['x-vercel-ip-country']) {
+            span.setAttributes({
+              'http.geo.country': headers['x-vercel-ip-country'],
+              'http.geo.region': headers['x-vercel-ip-country-region'] || '',
+              'http.geo.city': headers['x-vercel-ip-city'] || '',
+              'http.geo.latitude': headers['x-vercel-ip-latitude'] || '',
+              'http.geo.longitude': headers['x-vercel-ip-longitude'] || '',
+              'http.geo.timezone': headers['x-vercel-ip-timezone'] || '',
+            });
+          }
+          // Cloudflare geo headers
+          if (headers['cf-ipcountry']) {
+            span.setAttributes({
+              'http.geo.country': headers['cf-ipcountry'],
+              'http.geo.cf_ray': headers['cf-ray'] || '',
+              'http.geo.cf_visitor': headers['cf-visitor'] || '',
+            });
+          }
+          // Cloudflare additional headers
+          if (headers['cf-connecting-ip']) {
+            span.setAttribute('http.cf.connecting_ip', headers['cf-connecting-ip']);
+          }
+          // ======== SECURITY HEADERS ========
+          if (headers['x-csrf-token']) {
+            span.setAttribute('http.security.csrf_token_present', 'true');
+          }
+          if (headers['authorization']) {
+            span.setAttribute('http.security.auth_present', 'true');
+            // Never log the actual token!
+          }
+          if (headers['cookie']) {
+            span.setAttribute('http.security.cookies_present', 'true');
+            // Never log actual cookies!
+          }
+          // Debug log in development
+          if (isDevelopmentRuntime || otelLogLevel === 'debug') {
+            console.log('[securenow] Captured IP: %s (from: %s)',
+              primaryIp,
+              ipDetails.source || 'unknown'
+            );
+          }
+          // -------- Request Body NOT captured at HTTP instrumentation level --------
+          // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
+          // Next.js manages request streams internally and reading them here causes conflicts
+          // Body capture must be done in Next.js middleware using request.clone()
+        } catch (error) {
+          // Silently fail to not break the request
+          if (otelLogLevel === 'debug') {
+            console.error('[securenow] Error in requestHook:', error.message);
+          }
+        }
+      },
+      responseHook: (span, response) => {
+        try {
+          // Capture response metadata
+          span.setAttributes({
+            'http.status_code': response.statusCode || 0,
+            'http.status_message': response.statusMessage || '',
+            'http.response.content_type': response.headers?.['content-type'] || '',
+            'http.response.content_length': response.headers?.['content-length'] || '',
+          });
+        } catch (error) {
+          // Silently fail
+        }
+      },
+    });
+    // -------- Guard against OTLP exporter socket errors --------
+    // The OTLP HTTP exporter uses keep-alive connections that can be reset by
+    // the remote end (ECONNRESET / "socket hang up"). These transient errors
+    // sometimes escape as unhandled exceptions or rejections. We catch them
+    // here and log at debug level instead of crashing the host app.
+    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
+    function _isOtlpTransientError(err) {
+      if (!err) return false;
+      if (_TRANSIENT_CODES.has(err.code)) return true;
+      if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
+      return false;
+    }
+    function _looksLikeOtlpStack(err) {
+      const s = err && err.stack;
+      if (!s) return false;
+      return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
+        || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
+    }
+    function _looksLikeConfiguredOtlpEndpoint(err) {
+      const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+      try {
+        const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+        return hosts.some((host) => host && text.includes(host));
+      } catch (_) {
+        return false;
+      }
+    }
+    const _diagDebug = otelLogLevel === 'debug';
+    let _lastSuppressedOtlpErrorLogAt = 0;
+    function _originalConsole(method) {
+      const originals = console.__securenow_original || console.__securenowOriginalConsole;
+      return (originals && originals[method]) || console[method] || console.log;
+    }
+    function _formatOtlpError(err) {
+      if (!err) return 'unknown error';
+      const parts = [err.message || String(err)];
+      if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+      if (err.syscall) parts.push(`syscall=${err.syscall}`);
+      if (err.hostname) parts.push(`host=${err.hostname}`);
+      return parts.join(' ');
+    }
+    function _reportSuppressedOtlpError(kind, err, origin) {
+      if (otelLogLevel === 'none') return;
+      const now = Date.now();
+      if (!_diagDebug && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+      _lastSuppressedOtlpErrorLogAt = now;
+      const method = _diagDebug ? 'debug' : 'error';
+      _originalConsole(method).call(
+        console,
+        '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+        kind,
+        origin || 'async',
+        _formatOtlpError(err)
+      );
+    }
+    process.on('uncaughtException', (err, origin) => {
+      if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+        _reportSuppressedOtlpError('error', err, origin);
+        return;
+      }
+      throw err;
+    });
+    process.on('unhandledRejection', (reason) => {
+      if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+        _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
+        return;
+      }
+      throw reason;
+    });
+    if (isVercel) {
+      // -------- Vercel Environment: Use @vercel/otel --------
+      const { registerOTel } = require('@vercel/otel');
+      registerOTel({
+        serviceName: serviceName,
+        attributes: {
+          'deployment.environment': deploymentEnvironment,
+          'service.version': process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
+          'vercel.region': process.env.VERCEL_REGION || undefined,
+        },
+        instrumentations: [httpInstrumentation],
+        instrumentationConfig: {
+          fetch: {
+            // Propagate context to your backend APIs
+            propagateContextUrls: [
+              /^https?:\/\/localhost/,
+              /^https?:\/\/.*\.vercel\.app/,
+              // Add your backend domains here
+            ],
+            // Optionally ignore certain URLs
+            ignoreUrls: [
+              /_next\/static/,
+              /_next\/image/,
+              /\.map$/,
+            ],
+          },
+        },
+      });
+    } else {
+      // -------- Self-Hosted (EC2/PM2): Use Vanilla OpenTelemetry SDK --------
+      const { NodeSDK } = require('@opentelemetry/sdk-node');
+      const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
+      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
+      const traceExporter = new OTLPTraceExporter({
+        url: tracesUrl,
+            headers
+      });
+      const sdk = new NodeSDK({
+        ...nodeSdkTelemetryOptions,
+        serviceName: serviceName,
+        traceExporter: traceExporter,
+        instrumentations: [httpInstrumentation],
+        resource: createResource({
+          [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+          [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
+          [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || undefined,
+        }),
+      });
+      sdk.start();
+      console.log('[securenow] Vanilla SDK initialized for self-hosted environment');
+      // -------- Logging (self-hosted only) --------
+      // Opt-out default: set config.logging.enabled=false to disable.
+      const loggingEnabled = appConfig.boolConfig('logging.enabled', true);
+      if (loggingEnabled) {
+        try {
+          const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
+          const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
+          const logExporter = new OTLPLogExporter({
+            url: logsUrl,
+            headers,
+          });
+          const loggerProvider = new LoggerProvider({
+            resource: createResource({
+              [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: deploymentEnvironment,
+            }),
+            processors: [new BatchLogRecordProcessor(logExporter)],
+          });
+          // Patch console to forward logs as OTLP log records
+          const logger = loggerProvider.getLogger('console', '1.0.0');
+          const SeverityNumber = { INFO: 9, WARN: 13, ERROR: 17 };
+          const origLog = console.log;
+          const origWarn = console.warn;
+          const origError = console.error;
+          const { context: otelContext, trace: otelTrace } = require('@opentelemetry/api');
+          function _emitLog(sn, st, args) {
+            try {
+              const activeCtx = otelContext.active();
+              const spanCtx = otelTrace.getSpanContext(activeCtx);
+              logger.emit({
+                severityNumber: sn,
+                severityText: st,
+                body: args.map(String).join(' '),
+                ...(spanCtx && { context: activeCtx }),
+              });
+            } catch (_) {}
+          }
+          console.log = (...args) => {
+            origLog.apply(console, args);
+            _emitLog(SeverityNumber.INFO, 'INFO', args);
+          };
+          console.warn = (...args) => {
+            origWarn.apply(console, args);
+            _emitLog(SeverityNumber.WARN, 'WARN', args);
+          };
+          console.error = (...args) => {
+            origError.apply(console, args);
+            _emitLog(SeverityNumber.ERROR, 'ERROR', args);
+          };
+          console.log('[securenow] Logging: ENABLED -> %s', logsUrl);
+          // Auto-log every incoming HTTP request/response
+          try {
+            const http = requireNodeBuiltin('node:http');
+            const originalEmit = http.Server.prototype.emit;
+            http.Server.prototype.emit = function (event, req, res) {
+              if (event === 'request' && req && res) {
+                const start = Date.now();
+                const method = req.method;
+                const url = req.url;
+                res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
+                  const duration = Date.now() - start;
+                  const status = res.statusCode;
+                  const ipDetails = resolveClientIpWithDetails(req);
+                  const ip = ipDetails.ip || '-';
+                  const ua = req.headers['user-agent'] || '-';
+                  const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
+                  const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
+                  const severityText = status >= 500 ? 'ERROR' : status >= 400 ? 'WARN' : 'INFO';
+                  origLog.call(console, '[securenow] %s %s %d %dms', method, url, status, duration);
+                  try {
+                    logger.emit({
+                      severityNumber: severity,
+                      severityText,
+                      body,
+                      attributes: {
+                        'http.method': method,
+                        'http.url': url,
+                        'http.status_code': status,
+                        'http.duration_ms': duration,
+                        'http.client_ip': ip,
+                        'http.client_ip.source': ipDetails.source || 'unknown',
+                        'http.socket_ip': ipDetails.socketIp || '',
+                        'http.forwarded_for': ipDetails.forwardedFor || '',
+                        'http.real_ip': ipDetails.realIp || '',
+                        'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+                        'http.user_agent': ua,
+                      },
+                      ...(reqSpanCtx && { context: reqCtx }),
+                    });
+                  } catch (_) {}
+                });
+              }
+              return originalEmit.apply(this, arguments);
+            };
+            console.log('[securenow] HTTP request logging: ENABLED');
+          } catch (_) {}
+          // Graceful shutdown for logs
+          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
+          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { requireRuntimeModule('./firewall').shutdown(); } catch (_) {} });
+        } catch (e) {
+          console.warn('[securenow] Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
+        }
+      } else {
+        console.log('[securenow] Logging: DISABLED (config.logging.enabled=false)');
+      }
+    }
+    isRegistered = true;
+    // Free trial banner (optional - may not be bundled in standalone builds)
+    try {
+      const { isFreeTrial, patchHttpForBanner } = requireRuntimeModule('./free-trial-banner');
+      if (isFreeTrial(endpointBase) && !appConfig.boolConfig('runtime.hideBanner', false)) {
+        patchHttpForBanner();
+      }
+    } catch (_) {}
+    console.log('[securenow] OpenTelemetry started for Next.js -> %s', tracesUrl);
+    console.log('[securenow] Auto-capturing comprehensive request metadata:');
+    console.log('[securenow]    - IP addresses (x-forwarded-for, x-real-ip, socket)');
+    console.log('[securenow]    - User-Agent, Referer, Origin, Accept headers');
+    console.log('[securenow]    - Protocol, Host, Port (proxy-aware)');
+    console.log('[securenow]    - Geographic data (Vercel/Cloudflare)');
+    console.log('[securenow]    - Request IDs, CSRF tokens, Auth presence');
+    console.log('[securenow]    - Response status, content-type, content-length');
+    console.log('[securenow] Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
+    if (captureBody) {
+      console.log('[securenow] For body capture in Next.js, use: import "securenow/nextjs-auto-capture"');
+    }
+    // Optional test span
+    if (appConfig.boolConfig('runtime.testSpan', false)) {
+      const api = require('@opentelemetry/api');
+      const tracer = api.trace.getTracer('securenow-nextjs');
+      const span = tracer.startSpan('securenow.nextjs.startup');
+      span.setAttribute('next.runtime', process.env.NEXT_RUNTIME || 'nodejs');
+      span.end();
+      console.log('[securenow] Test span created');
+    }
+  } catch (error) {
+    console.error('[securenow] Failed to initialize OpenTelemetry:', error);
+    if (isVercel) {
+      console.error('[securenow] Make sure you have @vercel/otel installed: npm install @vercel/otel');
+    } else {
+      console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
+    }
+  }
+  // Firewall - runs independently from OTel so it works even if tracing fails.
+  // Key and environment come from .securenow/credentials.json (written by
+  // login/init or credentials runtime), so no .env entry is needed.
+  const firewallOptions = appConfig.resolveFirewallOptions();
+  if (firewallOptions.apiKey) {
+    try {
+      requireRuntimeModule('./firewall').init({
+        apiKey: firewallOptions.apiKey,
+        appKey: firewallOptions.appKey,
+        environment: deploymentEnvironment || firewallOptions.environment,
+        apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
+        versionCheckInterval: firewallOptions.versionCheckInterval,
+        syncInterval: firewallOptions.syncInterval,
+        failMode: firewallOptions.failMode,
+        statusCode: firewallOptions.statusCode,
+        log: firewallOptions.log,
+        tcp: firewallOptions.tcp,
+        iptables: firewallOptions.iptables,
+        cloud: firewallOptions.cloud,
+        cloudDryRun: firewallOptions.cloudDryRun,
+        cloudflare: firewallOptions.cloudflare,
+        aws: firewallOptions.aws,
+        gcp: firewallOptions.gcp,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+}
+module.exports = {
+  registerSecureNow,
+};