Copy one universal prompt into Claude Code, Codex, Cursor, Windsurf, or Copilot Chat. It detects the framework and verifies the setup end to end.
SecureNow enables the full app protection set by default in v7.5.1+.
Works with Claude Code, Codex, Cursor, Windsurf, and Copilot Chat. If you already ran npm i securenow, it will verify and upgrade if needed.
You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
Primary goals:
- Use the latest published SecureNow npm package. Require securenow@7.5.1 or newer.
- By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
- If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
Safety rules:
- Do not print full API keys, JWTs, tokens, or .securenow/credentials.json. Mask secrets.
- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/credentials.json and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
- Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
- If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
- Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
- Preserve existing middleware, proxy, instrumentation, Docker, PM2, and start scripts.
- Do not add SECURENOW_FIREWALL_ENABLED to .env, PM2 env, Docker env, or shared process env. The firewall is on by default; disable it only with the dashboard toggle or config.firewall.enabled=false in .securenow/credentials.json.
Runbook:
1. Identify the project root, package manager, framework, start/build/test scripts, process manager files, Docker files, and existing middleware/proxy/instrumentation.
2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
node -p "require('./node_modules/securenow/package.json').version"
npx securenow version
Stop and fix the install if either is below 7.5.1 or npx still resolves an older local package.
3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, docs/MCP-GUIDE.md if present, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
4. Mandatory auth gate:
- Run npx securenow whoami from the project root.
- If not logged in, run npx securenow login from the project root and wait for the browser flow.
- After the CLI exits, rerun npx securenow whoami.
- Do not proceed to app edits or verification until whoami succeeds.
5. Validate project-local credentials without exposing secrets:
- Confirm .securenow/credentials.json exists.
- Confirm it has an app key/name/instance and a firewall API key.
- Confirm .securenow/credentials.json and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=7.5.1, and retry. Do not silently ignore init failures.
7. Configure the least invasive framework-specific integration:
- Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include the documented auto-capture import/wrapper for body capture. Preserve proxy.js/middleware.js.
- Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
- Express/Fastify/NestJS/Koa/Hapi/Hono/raw Node: preload securenow/register through existing scripts, NODE_OPTIONS, PM2 node_args, Docker CMD, or the process manager already used.
- Firewall-only: preload securenow/firewall-only or use the documented securenow run --firewall-only command. Do not add OTel/tracing/logging in this mode.
- Vite/browser-only: use only documented browser integration and state that server firewall protection requires a server runtime.
8. Keep runtime configuration file-backed:
- Do not create or require .env files for SecureNow defaults.
- Confirm .securenow/credentials.json has config.logging.enabled=true, config.capture.body=true, config.capture.multipart=true, and config.firewall.enabled is absent or true.
- For production/CI, mount/copy the runtime .securenow/credentials.json generated by npx securenow credentials runtime --env production.
9. Verify firewall and threshold:
- Run npx securenow firewall apps and npx securenow firewall status.
- Confirm the selected app is present, firewallEnabled is true, and the SecureNow IPDB confidence threshold is visible.
- If firewallEnabled is false, run the documented per-app enable command, for example npx securenow firewall enable --app <appKey>, then verify again.
10. End-to-end proof:
- Run npx securenow doctor.
- Run npx securenow env and confirm loggingEnabled, captureBody, captureMultipart, and firewallEnabled resolve true from credentials/defaults, unless I explicitly requested firewall-only.
- If available and not in firewall-only mode, send telemetry:
npx securenow test-span securenow.onboarding
npx securenow log send "SecureNow onboarding test" --level info
- Run the repo build/test command if available.
- For MCP-capable clients, optionally smoke-test npx securenow mcp with the securenow_auth_status tool.
Final response:
- List every changed file.
- Summarize installed SecureNow version and linked app name/key, masking secrets.
- Show verification commands and pass/fail result.
- Mention skipped checks and why.
- Provide exact command(s) to start the protected app.

You do not normally edit these by hand. npx securenow login writes the app, instance, and firewall key to project-local credentials. Shown here for production/CI overrides.
# Written by `npx securenow login` to .securenow/credentials.json:
# app key, instance URL, and firewall API key.
# For production/CI, mount/copy the runtime credentials file generated with:
# npx securenow credentials runtime --env production
#
# Default-on settings live in .securenow/credentials.json:
# config.logging.enabled=true
# config.capture.body=true
# config.capture.multipart=true
# config.firewall.enabled=true
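
The credential checks from runbook steps 5 and 8, together with the secret-masking rule, as an added Node.js example that is not SecureNow's own code. Only the config.* paths come from this page; the `appKey` and `firewallApiKey` field names, the secret-name regex and the sample data are constructed assumptions, and the .gitignore check matches literal patterns only.

```javascript
// Added example: offline checks for runbook steps 5 and 8 plus the masking rule.
// Only the config.* paths come from the page; the key-name heuristic and the
// sample credentials object below are constructed for illustration.
const SECRET_KEY_RE = /key|token|secret|jwt/i; // assumption: heuristic, not a SecureNow schema

// Keep the last 4 characters so a key can be recognised without being disclosed.
function mask(value) {
  const s = String(value);
  return s.length <= 8 ? '****' : '****' + s.slice(-4);
}

// Deep-copy an object, masking every string stored under a secret-looking key.
function redact(node, keyName = '') {
  if (Array.isArray(node)) return node.map((v) => redact(v, keyName));
  if (node && typeof node === 'object') {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, redact(v, k)]));
  }
  return typeof node === 'string' && SECRET_KEY_RE.test(keyName) ? mask(node) : node;
}

// Step 8: logging and capture flags must be true; firewall.enabled absent or true.
function checkConfig(creds) {
  const cfg = (creds && creds.config) || {};
  const problems = [];
  const requireTrue = (path, v) => { if (v !== true) problems.push(`${path} must be true`); };
  requireTrue('config.logging.enabled', cfg.logging?.enabled);
  requireTrue('config.capture.body', cfg.capture?.body);
  requireTrue('config.capture.multipart', cfg.capture?.multipart);
  const fw = cfg.firewall?.enabled;
  if (fw !== undefined && fw !== true) problems.push('config.firewall.enabled must be absent or true');
  return problems;
}

// Step 5: literal-pattern check of .gitignore text (not full gitignore semantics).
function checkGitignore(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l && !l.startsWith('#'));
  const norm = lines.map((l) => l.replace(/^\//, ''));
  const problems = [];
  if (norm.some((l) => /^\.securenow(\/(\*\*?)?)?$/.test(l))) problems.push('whole .securenow/ directory is ignored');
  for (const p of ['.securenow/credentials.json', '.securenow/credentials.*.json']) {
    if (!norm.includes(p)) problems.push(`missing ignore pattern ${p}`);
  }
  return problems;
}

// Constructed sample input.
const sample = { appKey: 'app-constructed-0001', firewallApiKey: 'fw-constructed-abcd1234',
  config: { logging: { enabled: true }, capture: { body: true, multipart: false } } };
console.log(redact(sample), checkConfig(sample));
console.log(checkGitignore('node_modules\n.securenow/\n'));
```

For an authoritative answer on whether a path is ignored, `git check-ignore -v <path>` applies git's real matching rules, including negations and nested .gitignore files.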