Copy one universal prompt into Claude Code, Codex, Cursor, Windsurf, or Copilot Chat. It detects the framework and verifies the setup end to end.
SecureNow enables the full app protection set by default in v8+.
Works with Claude Code, Codex, Cursor, Windsurf, and Copilot Chat. If you have already run npm i securenow, the prompt verifies the installed version and upgrades it if needed.
You are working in an existing JavaScript or TypeScript app. Set up SecureNow end-to-end for the framework/runtime already used by this repo. Treat this as a real onboarding, not just a package install.
Primary goals:
- Use the latest published SecureNow npm package. Require securenow@8.0.0 or newer for split admin/runtime credentials and runtime-authenticated ingestion.
- By default, enable tracing, logs, POST request body capture, multipart metadata capture, and the SecureNow firewall.
- If I explicitly ask for firewall-only mode, keep the same install/login/verification gates, but use firewall-only preload and do not add tracing, logging, or OTel instrumentation.
- The firewall must protect the selected SecureNow app, use SecureNow's own blocklist/allowlist/IPDB data, and respect that app's SecureNow AI IPDB confidence threshold. Do not add custom IP reputation providers or custom auto-blocking.
- Do not confuse IP Allowlist with Trusted IPs. IP Allowlist is restrictive deny-by-default: when any allowlist entry exists for an app/environment, only listed IPs can reach it and all other IPs are blocked. Use Trusted IPs for known-safe monitors, office/VPN traffic, or false-positive suppression. Only use allowlist after explicit human approval to lock the app/environment to known IPs.
Safety rules:
- Do not print full API keys, JWTs, tokens, or local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, or .securenow/credentials.*.json). Mask secrets.
- Do not commit secrets. Ignore only local SecureNow credential files (.securenow/admin.json, .securenow/runtime.json, .securenow/credentials.json, and .securenow/credentials.*.json); keep the .securenow/ directory itself trackable for repo-owned docs/templates.
- Do not manually browse to a SecureNow auth URL. Always start auth with npx securenow login so the CLI generates the required callback and state.
- If the browser says "Missing callback parameter", you opened the wrong URL: rerun npx securenow login from the project root.
- Do not skip login, app selection, firewall connection, or verification unless I explicitly say to.
- Preserve existing middleware, proxy, instrumentation, Docker, PM2, and start scripts.
- Do not add SecureNow runtime defaults to .env, PM2 env, Docker env, or shared process env. The SDK reads .securenow/runtime.json locally and generated runtime credential files in production.
Runbook:
1. Identify the project root, package manager, framework, start/build/test scripts, process manager files, Docker files, and existing middleware/proxy/instrumentation.
2. Install or upgrade SecureNow with the detected package manager, using securenow@latest. Verify the actual installed version with:
node -p "require('./node_modules/securenow/package.json').version"
npx securenow version
Stop and fix the install if either is below 8.0.0 or npx still resolves an older local package.
3. Read the installed package surface before editing files: node_modules/securenow/package.json, README/NPM_README, SKILL-API, SKILL-CLI, docs/MCP-GUIDE.md if present, npx securenow help, and relevant subcommand help for login/init/firewall/doctor/env/test-span/log/mcp.
4. Mandatory auth/runtime gate:
- Run npx securenow whoami from the project root.
- If admin auth is missing, run npx securenow admin login from the project root and wait for the browser flow.
- If runtime app config is missing, run npx securenow app connect from the project root and wait for the browser flow.
- After the CLI exits, rerun npx securenow whoami.
- Do not proceed to app edits or verification until whoami shows the required lane(s). SDK setup needs runtime app config; admin/global MCP operations need admin auth.
5. Validate project-local credentials without exposing secrets:
- Confirm .securenow/runtime.json exists for SDK runtime setup, or legacy .securenow/credentials.json exists for old installs.
- Confirm the runtime file has SecureNow's default config/explanations block.
- Confirm the runtime file has an app key/name/instance and a runtime API key. The app key only routes telemetry; the runtime API key is required to authenticate telemetry ingestion and firewall sync.
- Confirm .securenow/admin.json exists only when admin CLI/MCP auth is needed.
- Confirm .securenow/admin.json, .securenow/runtime.json, legacy .securenow/credentials.json, and any .securenow/credentials.*.json runtime files are ignored by git, without ignoring the entire .securenow/ directory.
6. Run npx securenow init. If it fails with ui.header is not a function or another CLI bug, upgrade to securenow@latest, verify >=8.0.0, and retry. Do not silently ignore init failures.
7. Configure the least invasive framework-specific integration:
- Next.js: preserve instrumentation.js/ts. Register securenow/nextjs only when NEXT_RUNTIME is nodejs. In ESM files, use createRequire before require("securenow/nextjs"). Include the documented auto-capture import/wrapper for body capture. Preserve proxy.js/middleware.js.
- Nuxt/Nitro: use the documented securenow/nuxt module or Nitro server plugin.
- Express/Fastify/NestJS/Koa/Hapi/Hono/raw Node: preload securenow/register through existing scripts, NODE_OPTIONS, PM2 node_args, Docker CMD, or the process manager already used.
- Firewall-only: preload securenow/firewall-only or use the documented securenow run --firewall-only command. Do not add OTel/tracing/logging in this mode.
- Vite/browser-only: use only documented browser integration and state that server firewall protection requires a server runtime.
8. Do not create or require a .env file for local development or production. The SDK reads defaults from .securenow/runtime.json, with legacy .securenow/credentials.json and generated runtime credential files still supported:
- config.logging.enabled: true
- config.capture.body: true
- config.capture.multipart: true
- config.firewall.enabled: true
- config.firewall.failMode: "open"
- config.capture.maxBodySize: 10240
For production, run npx securenow credentials runtime --env production, store the resulting JSON as a deployment secret file, and mount/copy it to <app-root>/.securenow/credentials.json or <app-root>/.securenow/credentials.production.json. Do not recommend env vars unless the user explicitly asks for legacy fallbacks.
Do not proceed with telemetry verification if the runtime API key is missing; run npx securenow app connect or npx securenow api-key create first. The v8 ingestion gateway rejects app-key-only telemetry.
9. Verify firewall and threshold:
- Run npx securenow firewall apps and npx securenow firewall status.
- Confirm the selected app is present, firewallEnabled is true, and the SecureNow AI IPDB confidence threshold is visible.
- If firewallEnabled is false, run the documented per-app enable command, for example npx securenow firewall enable --app <appKey>, then verify again.
10. End-to-end proof:
- Run npx securenow doctor.
- Run npx securenow env and confirm loggingEnabled, captureBody, captureMultipart, and firewallEnabled resolve true from credentials/defaults, unless I explicitly requested firewall-only.
- If available and not in firewall-only mode, send telemetry:
npx securenow test-span securenow.onboarding
npx securenow log send "SecureNow onboarding test" --level info
- Run the repo build/test command if available.
- For MCP-capable clients, optionally smoke-test npx securenow mcp with the securenow_auth_status tool.
Final response:
- List every changed file.
- Summarize installed SecureNow version and linked app name/key, masking secrets.
- Show verification commands and pass/fail result.
- Mention skipped checks and why.
- Provide exact command(s) to start the protected app.

You do not normally edit these by hand. npx securenow login writes the app, runtime API key, and SDK defaults to project-local runtime credentials. Shown here for production/CI file-backed deployment.

# Runtime credentials written by `npx securenow login`
# or `npx securenow app connect` to .securenow/runtime.json:
# app key/name, ingest gateway routing, runtime API key, and SDK defaults.
# The runtime API key is required for telemetry ingestion and firewall sync.
# Admin/control-plane CLI and MCP auth lives separately in .securenow/admin.json.
# For production/CI, mount/copy the runtime credentials file generated with:
#   npx securenow credentials runtime --env production
#
# Default-on settings live in .securenow/runtime.json:
#   config.logging.enabled=true
#   config.capture.body=true
#   config.capture.multipart=true
#   config.firewall.enabled=true
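A worked check for steps 5 and 8 of the runbook and for the masking and gitignore safety rules, added here as an example; it is not code shipped with SecureNow. It assumes a runtime.json layout with app.key/app.name/app.instance, runtimeApiKey, config and explanations as top-level keys (the page names these fields but not their exact keys), assumes that in firewall-only mode only the firewall.* defaults are required, and uses constructed sample data so it runs offline:

```javascript
// Added example, not SecureNow's own code. Field names under the assumed
// runtime.json layout: app.{key,name,instance}, runtimeApiKey, config, explanations.

// Defaults the SDK is expected to read from config.* (taken from the runbook).
const EXPECTED_DEFAULTS = {
  "logging.enabled": true,
  "capture.body": true,
  "capture.multipart": true,
  "capture.maxBodySize": 10240,
  "firewall.enabled": true,
  "firewall.failMode": "open",
};

// Files that must be ignored individually; .securenow/ itself stays trackable.
const CREDENTIAL_FILES = [
  ".securenow/admin.json",
  ".securenow/runtime.json",
  ".securenow/credentials.json",
  ".securenow/credentials.*.json",
];

// Keep a short prefix/suffix so the key can be matched against the dashboard
// without ever printing the whole secret.
function mask(secret) {
  if (typeof secret !== "string" || secret.length === 0) return "<missing>";
  if (secret.length <= 12) return "****";
  return `${secret.slice(0, 4)}...${secret.slice(-4)} (${secret.length} chars)`;
}

function getPath(obj, dotted) {
  return dotted.split(".").reduce(
    (cur, key) => (cur && typeof cur === "object" ? cur[key] : undefined),
    obj,
  );
}

// Returns { ok, problems, summary }; the summary never contains the runtime API key.
// With firewallOnly (assumption: other defaults may be present but are not required)
// only the firewall.* keys are checked.
function checkRuntimeCredentials(creds, { firewallOnly = false } = {}) {
  const c = creds && typeof creds === "object" ? creds : {};
  const problems = [];
  const app = c.app && typeof c.app === "object" ? c.app : null;
  for (const field of ["key", "name", "instance"]) {
    if (!app || typeof app[field] !== "string" || app[field] === "") {
      problems.push(`app.${field} missing`);
    }
  }
  if (typeof c.runtimeApiKey !== "string" || c.runtimeApiKey === "") {
    problems.push("runtimeApiKey missing: v8 ingestion rejects app-key-only telemetry");
  }
  if (!c.config || typeof c.config !== "object") problems.push("config block missing");
  if (!c.explanations || typeof c.explanations !== "object") problems.push("explanations block missing");
  for (const [path, want] of Object.entries(EXPECTED_DEFAULTS)) {
    if (firewallOnly && !path.startsWith("firewall.")) continue;
    const got = getPath(c.config, path);
    if (got !== want) {
      problems.push(`config.${path} is ${JSON.stringify(got)}, expected ${JSON.stringify(want)}`);
    }
  }
  return {
    ok: problems.length === 0,
    problems,
    summary: {
      app: app ? `${app.name} (${app.key}) instance ${app.instance}` : "<missing>",
      runtimeApiKey: mask(c.runtimeApiKey),
    },
  };
}

// Literal comparison of .gitignore rules: every credential pattern must appear and
// no rule may swallow the whole .securenow/ directory. Not a full gitignore matcher.
function checkGitignore(text) {
  const rules = text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("#"));
  const normalize = (rule) => rule.replace(/^\//, "").replace(/\/$/, "");
  const present = new Set(rules.map(normalize));
  const problems = [];
  for (const file of CREDENTIAL_FILES) {
    if (!present.has(file)) problems.push(`${file} is not ignored`);
  }
  for (const rule of rules) {
    const n = normalize(rule);
    if (n === ".securenow" || n === ".securenow/*" || n === ".securenow/**") {
      problems.push(`'${rule}' ignores the whole .securenow/ directory; ignore only the credential files`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs, not real credentials.
const SAMPLE_RUNTIME = {
  app: { key: "app_demo1234", name: "demo-shop", instance: "primary" },
  runtimeApiKey: "snrt_0123456789abcdef0123456789abcdef",
  config: {
    logging: { enabled: true },
    capture: { body: true, multipart: true, maxBodySize: 10240 },
    firewall: { enabled: true, failMode: "open" },
  },
  explanations: { "firewall.failMode": "open keeps serving traffic if sync fails" },
};
// Common mistake: ignoring the whole directory and only two of the four files.
const SAMPLE_GITIGNORE = ["node_modules/", ".securenow/", ".securenow/admin.json", ".securenow/runtime.json"].join("\n");

function report() {
  const creds = checkRuntimeCredentials(SAMPLE_RUNTIME);
  const ignore = checkGitignore(SAMPLE_GITIGNORE);
  console.log("runtime credentials:", creds.ok ? "ok" : "FAIL", creds.summary);
  for (const p of [...creds.problems, ...ignore.problems]) console.log(" -", p);
  return creds.ok && ignore.ok;
}
report();
```

For a real repo, feed checkRuntimeCredentials the parsed contents of .securenow/runtime.json (or the legacy credentials file) and checkGitignore the text of .gitignore; pass { firewallOnly: true } only when firewall-only mode was explicitly requested. Because the gitignore check compares rules literally, confirm the outcome with git check-ignore -v .securenow/runtime.json (should be ignored) and git check-ignore -v on a repo-owned file under .securenow/ (should not be) before trusting it.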