securenow 5.12.1 → 5.14.0

package/cli/firewall.js

@@ -23,10 +23,17 @@ async function status(args, flags) {
     ui.keyValue([
       ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
       ['Last updated', data.updatedAt || 'unknown'],
+      ['Allowed IPs', data.allowlistCount != null ? `${data.allowlistCount} total (${data.allowlistExactCount} exact + ${data.allowlistCidrCount} CIDR ranges)` : '0'],
+      ['Allowlist updated', data.allowlistUpdatedAt || 'never'],
       ['Sync TTL', `${data.ttl || 60}s`],
     ]);
+    if (data.allowlistCount > 0) {
+      console.log('');
+      console.log(`  ${ui.c.yellow('!')} Allowlist is active — only ${data.allowlistCount} IP(s) can reach your app`);
+    }
     console.log('');
     console.log(`  ${ui.c.dim('Manage your blocklist:')} securenow blocklist`);
+    console.log(`  ${ui.c.dim('Manage your allowlist:')} securenow allowlist`);
     console.log(`  ${ui.c.dim('Test an IP:')} securenow firewall test-ip <ip>`);
     console.log('');
   } catch (err) {
@@ -63,14 +70,26 @@ async function testIp(args, flags) {
 
     console.log('');
     if (data.blocked) {
-      console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
-      if (data.matchedEntry && data.matchedEntry !== ip) {
-        console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+      if (data.allowlistActive && !data.allowlisted) {
+        console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is not on the allowlist`);
+        console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
+      } else {
+        console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
+        if (data.matchedEntry && data.matchedEntry !== ip) {
+          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+        }
       }
     } else {
-      console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is not in the blocklist`);
+      if (data.allowlisted) {
+        console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is on the allowlist`);
+      } else {
+        console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is not in the blocklist`);
+      }
     }
     console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    if (data.allowlistActive) {
+      console.log(`  ${ui.c.dim('Allowlist is active')}`);
+    }
     console.log('');
   } catch (err) {
     s.fail('Failed to test IP');

package/cli/init.js

@@ -4,97 +4,198 @@ const fs = require('fs');
 const path = require('path');
 const ui = require('./ui');
 
-const templates = {
-  typescript: `import { registerSecureNow } from 'securenow/nextjs';
+const INSTRUMENTATION_JS = `export async function register() {
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    const { registerSecureNow } = require('securenow/nextjs');
+    registerSecureNow();
+  }
+}
+`;
+
+const INSTRUMENTATION_TS = `export async function register() {
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    const { registerSecureNow } = require('securenow/nextjs');
+    registerSecureNow();
+  }
+}
+`;
+
+function detectProject(dir) {
+  const pkgPath = path.join(dir, 'package.json');
+  if (!fs.existsSync(pkgPath)) return { framework: 'unknown' };
 
-export function register() {
-  registerSecureNow();
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+  if (allDeps.next) return { framework: 'nextjs', pkg, pkgPath, nextVersion: allDeps.next };
+  if (allDeps.nuxt) return { framework: 'nuxt', pkg, pkgPath };
+  if (allDeps.express) return { framework: 'express', pkg, pkgPath };
+  if (allDeps.fastify) return { framework: 'fastify', pkg, pkgPath };
+  if (allDeps.koa) return { framework: 'koa', pkg, pkgPath };
+  if (allDeps.hapi || allDeps['@hapi/hapi']) return { framework: 'hapi', pkg, pkgPath };
+  return { framework: 'node', pkg, pkgPath };
 }
-`,
-  javascript: `const { registerSecureNow } = require('securenow/nextjs');
 
-export function register() {
-  registerSecureNow();
+function findInstrumentationFile(dir) {
+  for (const name of ['instrumentation.ts', 'instrumentation.js', 'src/instrumentation.ts', 'src/instrumentation.js']) {
+    const p = path.join(dir, name);
+    if (fs.existsSync(p)) return p;
+  }
+  return null;
 }
-`,
-  env: `# SecureNow Configuration
-SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://your-otlp-backend:4318
-# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=your-api-key-here"
-# OTEL_LOG_LEVEL=info
-`,
-};
-
-function isNextJsProject(dir) {
-  try {
-    const pkgPath = path.join(dir, 'package.json');
-    if (!fs.existsSync(pkgPath)) return false;
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
-    return !!deps.next;
-  } catch {
-    return false;
+
+function findNextConfig(dir) {
+  for (const name of ['next.config.js', 'next.config.mjs', 'next.config.ts']) {
+    const p = path.join(dir, name);
+    if (fs.existsSync(p)) return p;
   }
+  return null;
 }
 
-async function init(args, flags) {
-  const cwd = process.cwd();
+function hasTypeScript(dir) {
+  return fs.existsSync(path.join(dir, 'tsconfig.json'));
+}
 
-  console.log('');
-  ui.heading('SecureNow Setup');
-  console.log('');
+async function init(_args, flags) {
+  const dir = process.cwd();
+  const project = detectProject(dir);
 
-  const isNext = isNextJsProject(cwd);
-  if (!isNext && !flags.force) {
-    ui.warn("This doesn't appear to be a Next.js project.");
-    ui.info('Use --force to proceed anyway.');
+  ui.header('SecureNow Project Setup');
+
+  if (project.framework === 'unknown') {
+    ui.error('No package.json found. Run this command in your project root.');
     process.exit(1);
   }
 
-  const useTS = flags.typescript || flags.ts ||
-    (!flags.javascript && !flags.js && fs.existsSync(path.join(cwd, 'tsconfig.json')));
-  const useSrc = flags.src ||
-    (!flags.root && fs.existsSync(path.join(cwd, 'src')));
+  ui.info(`Detected framework: ${ui.bold(project.framework)}`);
+
+  if (project.framework === 'nextjs') {
+    await initNextJs(dir, project, flags);
+  } else if (project.framework === 'nuxt') {
+    initNuxt(dir, project);
+  } else {
+    initNode(dir, project);
+  }
 
-  const fileName = useTS ? 'instrumentation.ts' : 'instrumentation.js';
-  const filePath = useSrc ? path.join(cwd, 'src', fileName) : path.join(cwd, fileName);
+  initEnv(dir, flags);
 
-  if (fs.existsSync(filePath) && !flags.force) {
-    ui.error(`${useSrc ? 'src/' : ''}${fileName} already exists. Use --force to overwrite.`);
-    process.exit(1);
+  console.log('');
+  ui.success('Setup complete! Run your app to verify.');
+}
+
+async function initNextJs(dir, project, flags) {
+  const useTs = hasTypeScript(dir);
+  const ext = useTs ? 'ts' : 'js';
+
+  const existing = findInstrumentationFile(dir);
+  if (existing) {
+    ui.info(`instrumentation file already exists: ${path.relative(dir, existing)}`);
+  } else {
+    const filePath = path.join(dir, `instrumentation.${ext}`);
+    const content = useTs ? INSTRUMENTATION_TS : INSTRUMENTATION_JS;
+    fs.writeFileSync(filePath, content, 'utf8');
+    ui.success(`Created instrumentation.${ext}`);
   }
 
-  try {
-    const template = useTS ? templates.typescript : templates.javascript;
-    if (useSrc) fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(filePath, template, 'utf8');
-    ui.success(`Created ${useSrc ? 'src/' : ''}${fileName}`);
-  } catch (err) {
-    ui.error(`Failed to create instrumentation file: ${err.message}`);
-    process.exit(1);
+  const configPath = findNextConfig(dir);
+  if (configPath) {
+    const content = fs.readFileSync(configPath, 'utf8');
+    if (content.includes('withSecureNow')) {
+      ui.info('next.config already uses withSecureNow — skipping');
+    } else if (content.includes('serverExternalPackages') && content.includes('securenow')) {
+      ui.info('next.config already externalizes securenow — skipping');
+    } else if (content.includes('serverComponentsExternalPackages') && content.includes('securenow')) {
+      ui.info('next.config already externalizes securenow — skipping');
+    } else {
+      ui.warn(`Update your ${path.basename(configPath)} to use withSecureNow():`);
+      console.log('');
+      console.log(`  const { withSecureNow } = require('securenow/nextjs-webpack-config');`);
+      console.log(`  module.exports = withSecureNow({ /* your config */ });`);
+      console.log('');
+    }
+  } else {
+    const newConfigPath = path.join(dir, 'next.config.js');
+    fs.writeFileSync(newConfigPath, `const { withSecureNow } = require('securenow/nextjs-webpack-config');\n\nmodule.exports = withSecureNow({\n  reactStrictMode: true,\n});\n`, 'utf8');
+    ui.success('Created next.config.js with withSecureNow()');
   }
+}
 
-  const envPath = path.join(cwd, '.env.local');
-  if (!fs.existsSync(envPath) || flags.force) {
-    try {
-      fs.writeFileSync(envPath, templates.env, 'utf8');
-      ui.success('Created .env.local template');
-    } catch (err) {
-      ui.warn(`Could not create .env.local: ${err.message}`);
+function initNuxt(dir, project) {
+  const configPath = path.join(dir, 'nuxt.config.ts');
+  if (fs.existsSync(configPath)) {
+    const content = fs.readFileSync(configPath, 'utf8');
+    if (content.includes('securenow/nuxt')) {
+      ui.info('nuxt.config already references securenow/nuxt — skipping');
+    } else {
+      ui.warn('Add securenow/nuxt to your nuxt.config modules:');
+      console.log('');
+      console.log("  modules: ['securenow/nuxt'],");
+      console.log('');
     }
   } else {
-    ui.info('.env.local already exists (skipped)');
+    ui.warn('Add securenow/nuxt to your nuxt.config modules array.');
   }
+}
 
-  console.log('');
-  console.log(`  ${ui.c.bold('Next steps:')}`);
-  console.log('');
-  console.log(`  1. Edit ${ui.c.cyan('.env.local')} and set your SECURENOW_APPID`);
-  console.log(`  2. Run ${ui.c.cyan('npm run dev')} to start your app`);
-  console.log(`  3. Check traces in the SecureNow dashboard`);
-  console.log('');
-  ui.info(`Don't have an app key yet? Run ${ui.c.bold('securenow apps create <name>')}`);
-  console.log('');
+function initNode(dir, project) {
+  const pkg = project.pkg;
+  const scripts = pkg.scripts || {};
+
+  const startScript = scripts.start || '';
+  if (startScript.includes('securenow/register')) {
+    ui.info('start script already uses securenow/register — skipping');
+    return;
+  }
+
+  if (startScript) {
+    ui.warn('Update your start script to include the securenow preload:');
+    console.log('');
+    if (startScript.includes('node ')) {
+      const updated = startScript.replace('node ', 'node -r securenow/register ');
+      console.log(`  "start": "${updated}"`);
+    } else {
+      console.log(`  "start": "node -r securenow/register ${startScript.replace(/^node\s+/, '')}"`);
+    }
+    console.log('');
+  } else {
+    ui.warn('Add a start script with the securenow preload:');
+    console.log('');
+    console.log('  "start": "node -r securenow/register src/index.js"');
+    console.log('');
+  }
+}
+
+function initEnv(dir, flags) {
+  const envFiles = ['.env', '.env.local'];
+  let envPath = null;
+
+  for (const f of envFiles) {
+    const p = path.join(dir, f);
+    if (fs.existsSync(p)) {
+      const content = fs.readFileSync(p, 'utf8');
+      if (content.includes('SECURENOW_API_KEY')) {
+        ui.info(`SECURENOW_API_KEY already set in ${f}`);
+        return;
+      }
+      envPath = p;
+      break;
+    }
+  }
+
+  if (!envPath) envPath = path.join(dir, '.env.local');
+
+  const apiKey = flags.key || flags['api-key'] || '';
+  if (apiKey) {
+    const existing = fs.existsSync(envPath) ? fs.readFileSync(envPath, 'utf8') : '';
+    const sep = existing && !existing.endsWith('\n') ? '\n' : '';
+    fs.appendFileSync(envPath, `${sep}SECURENOW_API_KEY=${apiKey}\n`, 'utf8');
+    ui.success(`Added SECURENOW_API_KEY to ${path.basename(envPath)}`);
+  } else {
+    ui.warn(`Add your API key to ${path.basename(envPath)}:`);
+    console.log('');
+    console.log('  SECURENOW_API_KEY=snk_live_...');
+    console.log('');
+  }
 }
 
 module.exports = { init };

package/cli/security.js

@@ -197,6 +197,104 @@ async function blocklistStats(args, flags) {
   }
 }
 
+// ── Allowlist ──
+
+async function allowlistList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching allowlist');
+  try {
+    const data = await api.get('/allowlist');
+    const items = data.allowedIps || [];
+    s.stop(`Found ${items.length} allowed IP${items.length !== 1 ? 's' : ''}${data.total ? ` (${data.total} total)` : ''}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    console.log('');
+    const rows = items.map(a => [
+      ui.c.dim(ui.truncate(a._id, 12)),
+      ui.c.green(a.ip || '—'),
+      a.label || ui.c.dim('—'),
+      ui.truncate(a.reason || '', 40),
+      ui.timeAgo(a.createdAt),
+      a.expiresAt ? new Date(a.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
+    ]);
+    ui.table(['ID', 'IP/CIDR', 'Label', 'Reason', 'Added', 'Expires'], rows);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch allowlist');
+    throw err;
+  }
+}
+
+async function allowlistAdd(args, flags) {
+  requireAuth();
+  let ip = args[0];
+  if (!ip) {
+    ip = await ui.prompt('IP address or CIDR to allow');
+    if (!ip) { ui.error('IP is required'); process.exit(1); }
+  }
+
+  const body = { ip };
+  if (flags.label) body.label = flags.label;
+  if (flags.reason) body.reason = flags.reason;
+
+  const s = ui.spinner(`Allowing ${ip}`);
+  try {
+    await api.post('/allowlist', body);
+    s.stop(`${ip} added to allowlist`);
+  } catch (err) {
+    s.fail('Failed to add to allowlist');
+    throw err;
+  }
+}
+
+async function allowlistRemove(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) {
+    ui.error('Allowlist entry ID required. Usage: securenow allowlist remove <id>');
+    process.exit(1);
+  }
+
+  if (!flags.force && !flags.yes) {
+    const ok = await ui.confirm('Remove this IP from the allowlist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+
+  const s = ui.spinner('Removing from allowlist');
+  try {
+    await api.delete(`/allowlist/${id}`);
+    s.stop('Removed from allowlist');
+  } catch (err) {
+    s.fail('Failed to remove from allowlist');
+    throw err;
+  }
+}
+
+async function allowlistStats(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching allowlist stats');
+  try {
+    const data = await api.get('/allowlist/stats');
+    const stats = data.stats || data;
+    s.stop('Stats loaded');
+
+    if (flags.json) { ui.json(stats); return; }
+
+    console.log('');
+    ui.heading('Allowlist Statistics');
+    console.log('');
+    ui.keyValue([
+      ['Total Active', String(stats.totalActive ?? '—')],
+      ['Total Removed', String(stats.totalRemoved ?? '—')],
+    ]);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to fetch stats');
+    throw err;
+  }
+}
+
 // ── Trusted IPs ──
 
 async function trustedList(args, flags) {
@@ -810,6 +908,10 @@ module.exports = {
   blocklistAdd,
   blocklistRemove,
   blocklistStats,
+  allowlistList,
+  allowlistAdd,
+  allowlistRemove,
+  allowlistStats,
   trustedList,
   trustedAdd,
   trustedRemove,

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');
@@ -39,6 +39,12 @@ function parseArgs(argv) {
 // ── Command Registry ──
 
 const COMMANDS = {
+  init: {
+    desc: 'Set up SecureNow in the current project (instrumentation, config, env)',
+    usage: 'securenow init [--key <API_KEY>]',
+    flags: { key: 'API key to write to .env', 'api-key': 'Alias for --key' },
+    run: (a, f) => require('./cli/init').init(a, f),
+  },
   login: {
     desc: 'Authenticate with SecureNow',
     usage: 'securenow login [--token <TOKEN>]',
@@ -156,6 +162,17 @@ const COMMANDS = {
     },
     defaultSub: 'list',
   },
+  allowlist: {
+    desc: 'Manage IP allowlist (only allow listed IPs)',
+    usage: 'securenow allowlist <subcommand> [options]',
+    sub: {
+      list: { desc: 'List allowed IPs', run: (a, f) => require('./cli/security').allowlistList(a, f) },
+      add: { desc: 'Allow an IP', usage: 'securenow allowlist add <ip> [--label <label>] [--reason <reason>]', run: (a, f) => require('./cli/security').allowlistAdd(a, f) },
+      remove: { desc: 'Remove an allowed IP', usage: 'securenow allowlist remove <id>', run: (a, f) => require('./cli/security').allowlistRemove(a, f) },
+      stats: { desc: 'Allowlist statistics', run: (a, f) => require('./cli/security').allowlistStats(a, f) },
+    },
+    defaultSub: 'list',
+  },
   trusted: {
     desc: 'Manage trusted IPs',
     usage: 'securenow trusted <subcommand> [options]',
@@ -334,7 +351,7 @@ function showHelp(commandName) {
     'Detect & Respond': ['issues', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics', 'api-map'],
     'Firewall': ['firewall'],
-    'Remediation': ['blocklist', 'trusted'],
+    'Remediation': ['blocklist', 'allowlist', 'trusted'],
     'Settings': ['instances', 'config', 'version'],
   };
 

package/firewall-only.js

@@ -0,0 +1,38 @@
+'use strict';
+
+/**
+ * Standalone firewall preload — no OpenTelemetry, no tracing.
+ *
+ * Usage:
+ *   node -r securenow/firewall-only app.js
+ *   NODE_OPTIONS='-r securenow/firewall-only' next start
+ *
+ * Reads .env via dotenv (if installed), then initialises the HTTP-level
+ * firewall when SECURENOW_API_KEY is present.
+ */
+
+try { require('dotenv').config(); } catch (_) {}
+
+const env = (k) =>
+  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
+
+const firewallApiKey = env('SECURENOW_API_KEY');
+
+if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+  require('./firewall').init({
+    apiKey: firewallApiKey,
+    apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+    versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+    syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+    failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+    statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+    log: env('SECURENOW_FIREWALL_LOG') !== '0',
+    tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+    iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+    cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+  });
+
+  const shutdown = () => { try { require('./firewall').shutdown(); } catch (_) {} };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+}

package/firewall-tcp.js

@@ -13,20 +13,35 @@ const net = require('net');
 const { resolveSocketIp, isFromTrustedProxy } = require('./resolve-ip');
 
 let _getMatcher = null;
+let _getAllowlistMatcher = null;
 let _options = null;
 let _patched = false;
 const _origListen = net.Server.prototype.listen;
 
 function onConnection(socket) {
-  const matcher = _getMatcher();
-  if (!matcher) return;
-
   const ip = resolveSocketIp(socket);
 
   // Skip if the connection is from a trusted proxy — Layer 1 will handle it
   // with proper X-Forwarded-For resolution
   if (isFromTrustedProxy(ip) || isFromTrustedProxy('::ffff:' + ip)) return;
 
+  // Allowlist check: if active, only listed IPs pass
+  const allowlistMatcher = _getAllowlistMatcher ? _getAllowlistMatcher() : null;
+  if (allowlistMatcher && allowlistMatcher.stats().total > 0) {
+    if (!allowlistMatcher.isBlocked(ip)) {
+      if (_options && _options.log) {
+        console.log('[securenow] Firewall: blocked %s via TCP (not in allowlist)', ip);
+      }
+      socket.destroy();
+      return;
+    }
+    return; // on allowlist — allow
+  }
+
+  // Blocklist check
+  const matcher = _getMatcher();
+  if (!matcher) return;
+
   if (matcher.isBlocked(ip)) {
     if (_options && _options.log) {
       console.log('[securenow] Firewall: blocked %s via TCP (socket destroyed)', ip);
@@ -35,8 +50,9 @@ function onConnection(socket) {
   }
 }
 
-function init(getMatcher, options) {
+function init(getMatcher, options, getAllowlistMatcher) {
   _getMatcher = getMatcher;
+  _getAllowlistMatcher = getAllowlistMatcher || null;
   _options = options;
 
   if (_patched) return;

package/firewall.js

@@ -17,6 +17,15 @@ let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
 let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
+let _localhostFallbackTried = false;
+
+// Allowlist state
+let _allowlistMatcher = null;
+let _allowlistRawIps = [];
+let _lastAllowlistModified = null;
+let _lastAllowlistVersion = null;
+let _lastAllowlistSyncEtag = null;
+let _allowlistVersionTimer = null;
 
 // ────── Blocklist Sync ──────
 
@@ -87,6 +96,136 @@ function notifyLayers(ips) {
   }
 }
 
+// ────── Allowlist Sync ──────
+
+function syncAllowlist(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const reqOptions = {
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers: {
+      'Authorization': `Bearer ${_options.apiKey}`,
+      'User-Agent': 'securenow-firewall-sdk',
+    },
+    timeout: 10000,
+  };
+
+  if (_lastAllowlistSyncEtag) {
+    reqOptions.headers['If-None-Match'] = _lastAllowlistSyncEtag;
+  } else if (_lastAllowlistModified) {
+    reqOptions.headers['If-Modified-Since'] = _lastAllowlistModified;
+  }
+
+  const req = mod.request(reqOptions, (res) => {
+    if (res.statusCode === 304) {
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+        return;
+      }
+      try {
+        const body = JSON.parse(data);
+        const ips = body.ips || [];
+        _allowlistRawIps = ips;
+        _allowlistMatcher = createMatcher(ips);
+        _lastAllowlistModified = res.headers['last-modified'] || null;
+        if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
+        callback(null, true, _allowlistMatcher.stats());
+      } catch (e) {
+        callback(new Error(`Failed to parse allowlist response: ${e.message}`));
+      }
+    });
+  });
+
+  req.on('error', (err) => callback(err));
+  req.on('timeout', () => { req.destroy(); callback(new Error('Allowlist sync request timed out')); });
+  req.end();
+}
+
+function checkAllowlistVersion(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const headers = {
+    'Authorization': `Bearer ${_options.apiKey}`,
+    'User-Agent': 'securenow-firewall-sdk',
+  };
+  if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
+
+  const req = mod.request({
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers,
+    timeout: 5000,
+  }, (res) => {
+    if (res.statusCode === 304) {
+      res.resume();
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        callback(null, false);
+        return;
+      }
+      try {
+        const body = JSON.parse(data);
+        const version = body.version || null;
+        const changed = version !== _lastAllowlistVersion;
+        if (changed) _lastAllowlistVersion = version;
+        callback(null, changed);
+      } catch (_e) { callback(null, false); }
+    });
+  });
+
+  req.on('error', () => { callback(null, false); });
+  req.on('timeout', () => { req.destroy(); callback(null, false); });
+  req.end();
+}
+
+function doFullAllowlistSync() {
+  syncAllowlist((err, changed, stats) => {
+    if (err) {
+      if (_options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
+    } else if (changed && stats && _options.log) {
+      console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+    }
+  });
+}
+
+function scheduleNextAllowlistVersionCheck() {
+  const baseMs = (_options.versionCheckInterval || 10) * 1000;
+  const delayMs = jitter(baseMs);
+
+  _allowlistVersionTimer = setTimeout(() => {
+    checkAllowlistVersion((_err, changed) => {
+      if (changed) {
+        if (_options.log) console.log('[securenow] Firewall: allowlist version changed, syncing…');
+        doFullAllowlistSync();
+      }
+      scheduleNextAllowlistVersionCheck();
+    });
+  }, delayMs);
+  if (_allowlistVersionTimer.unref) _allowlistVersionTimer.unref();
+}
+
 function checkVersion(callback) {
   const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
   const mod = url.startsWith('https') ? https : http;
@@ -178,6 +317,16 @@ function startSyncLoop() {
   function initialSync() {
     syncBlocklist((err, changed, stats) => {
       if (err) {
+        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
+        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
+          _localhostFallbackTried = true;
+          const origUrl = _options.apiUrl;
+          _options.apiUrl = 'http://localhost:4000';
+          if (_options.log) console.log('[securenow] Firewall: %s unreachable, trying http://localhost:4000', origUrl);
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
         if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
         if (_options.failMode === 'closed') {
           _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
@@ -193,11 +342,27 @@ function startSyncLoop() {
     });
   }
 
+  function initialAllowlistSync() {
+    syncAllowlist((err, changed, stats) => {
+      if (err) {
+        if (_options.log) console.warn('[securenow] Firewall: initial allowlist sync failed:', err.message);
+        const retryTimer = setTimeout(initialAllowlistSync, RETRY_DELAY);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      if (changed && stats && stats.total > 0) {
+        if (_options.log) console.log('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+      }
+    });
+  }
+
   initialSync();
+  initialAllowlistSync();
 
   scheduleNextVersionCheck();
+  scheduleNextAllowlistVersionCheck();
 
-  _syncTimer = setInterval(() => { doFullSync(); }, fullSyncIntervalMs);
+  _syncTimer = setInterval(() => { doFullSync(); doFullAllowlistSync(); }, fullSyncIntervalMs);
   if (_syncTimer.unref) _syncTimer.unref();
 }
 
@@ -255,24 +420,41 @@ function wrapListener(originalListener) {
   };
 }
 
+function sendBlockResponse(req, res, ip) {
+  const code = (_options && _options.statusCode) || 403;
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
+    res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
+    res.end(blockedHtml(ip));
+  } else {
+    res.writeHead(code, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Forbidden', ip }));
+  }
+}
+
 function firewallRequestHandler(req, res) {
-  if (_matcher) {
-    const ip = resolveClientIp(req);
-    if (_matcher.isBlocked(ip)) {
+  const ip = resolveClientIp(req);
+
+  // Allowlist check: if active, only listed IPs are allowed through
+  if (_allowlistMatcher && _allowlistMatcher.stats().total > 0) {
+    if (!_allowlistMatcher.isBlocked(ip)) {
       _stats.blocked++;
-      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
-      const code = (_options && _options.statusCode) || 403;
-      const accept = req.headers['accept'] || '';
-      if (accept.includes('text/html')) {
-        res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
-        res.end(blockedHtml(ip));
-      } else {
-        res.writeHead(code, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Forbidden', ip }));
-      }
+      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP (not in allowlist)', ip);
+      sendBlockResponse(req, res, ip);
       return true;
     }
+    // IP is on the allowlist — skip blocklist check, allow through
+    return false;
   }
+
+  // Blocklist check
+  if (_matcher && _matcher.isBlocked(ip)) {
+    _stats.blocked++;
+    if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+    sendBlockResponse(req, res, ip);
+    return true;
+  }
+
   return false;
 }
 
@@ -330,7 +512,7 @@ function init(options) {
   if (_options.tcp) {
     try {
       const tcpLayer = require('./firewall-tcp');
-      tcpLayer.init(() => _matcher, _options);
+      tcpLayer.init(() => _matcher, _options, () => _allowlistMatcher);
       _layers.push(tcpLayer);
       if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       active');
     } catch (e) {
@@ -373,6 +555,7 @@ function init(options) {
 
 function shutdown() {
   if (_versionTimer) { clearTimeout(_versionTimer); _versionTimer = null; }
+  if (_allowlistVersionTimer) { clearTimeout(_allowlistVersionTimer); _allowlistVersionTimer = null; }
   if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
 
   for (const layer of _layers) {
@@ -392,9 +575,15 @@ function shutdown() {
 }
 
 function getStats() {
-  return { ..._stats, matcher: _matcher ? _matcher.stats() : null, initialized: _initialized };
+  return {
+    ..._stats,
+    matcher: _matcher ? _matcher.stats() : null,
+    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
+    initialized: _initialized,
+  };
 }
 
 function getMatcher() { return _matcher; }
+function getAllowlistMatcher() { return _allowlistMatcher; }
 
-module.exports = { init, shutdown, getStats, getMatcher };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher };

package/nextjs-webpack-config.js

@@ -1,33 +1,100 @@
+'use strict';
+
+/**
+ * Next.js configuration helpers for SecureNow
+ *
+ * Usage (recommended — zero-list approach):
+ *
+ *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
+ *   module.exports = withSecureNow({
+ *     // your existing next.config options
+ *   });
+ *
+ * Legacy webpack-only helper (still exported for backwards compat):
+ *
+ *   const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
+ *   module.exports = { webpack: (config, opts) => getSecureNowWebpackConfig(config, opts) };
+ */
+
+const EXTERNAL_PACKAGES = [
+  'securenow',
+  '@opentelemetry/sdk-node',
+  '@opentelemetry/auto-instrumentations-node',
+  '@opentelemetry/instrumentation-http',
+  '@opentelemetry/exporter-trace-otlp-http',
+  '@opentelemetry/exporter-logs-otlp-http',
+  '@opentelemetry/sdk-logs',
+  '@opentelemetry/instrumentation',
+  '@opentelemetry/resources',
+  '@opentelemetry/semantic-conventions',
+  '@opentelemetry/api',
+  '@opentelemetry/api-logs',
+  '@vercel/otel',
+];
+
+function detectNextMajor() {
+  try {
+    const pkg = require('next/package.json');
+    return parseInt(pkg.version, 10) || 14;
+  } catch {
+    return 14;
+  }
+}
+
 /**
- * Next.js webpack configuration for SecureNow
- * 
- * Add this to your next.config.js to suppress OpenTelemetry instrumentation warnings
- * 
- * Usage:
- * const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
- * 
- * module.exports = {
- *   webpack: (config, options) => {
- *     return getSecureNowWebpackConfig(config, options);
- *   }
- * };
+ * Wrap a Next.js config object to auto-externalize SecureNow + OTel
+ * packages and enable the instrumentation hook.
+ *
+ *   module.exports = withSecureNow({ reactStrictMode: true });
  */
+function withSecureNow(userConfig) {
+  if (typeof userConfig === 'function') {
+    return (...args) => withSecureNow(userConfig(...args));
+  }
+
+  const cfg = { ...userConfig };
+  const major = detectNextMajor();
+
+  if (major >= 15) {
+    cfg.serverExternalPackages = dedup([
+      ...(cfg.serverExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  } else {
+    cfg.experimental = { ...(cfg.experimental || {}) };
+    cfg.experimental.instrumentationHook = true;
+    cfg.experimental.serverComponentsExternalPackages = dedup([
+      ...(cfg.experimental.serverComponentsExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  }
+
+  const origWebpack = cfg.webpack;
+  cfg.webpack = (config, options) => {
+    const c = origWebpack ? origWebpack(config, options) : config;
+    return getSecureNowWebpackConfig(c, options);
+  };
+
+  return cfg;
+}
 
+function dedup(arr) {
+  return [...new Set(arr)];
+}
+
+/**
+ * Legacy: suppress OTel webpack warnings and add externals.
+ */
 function getSecureNowWebpackConfig(config, options) {
   const { isServer } = options;
-  
-  // Only apply to server-side builds
+
   if (isServer) {
-    // Suppress warnings for OpenTelemetry instrumentations
     config.ignoreWarnings = config.ignoreWarnings || [];
-    
     config.ignoreWarnings.push(
-      // Ignore "Critical dependency" warnings from instrumentations
       {
         module: /@opentelemetry\/instrumentation/,
         message: /Critical dependency: the request of a dependency is an expression/,
       },
-      // Ignore missing optional peer dependencies
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/winston-transport/,
@@ -35,43 +102,11 @@ function getSecureNowWebpackConfig(config, options) {
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/exporter-jaeger/,
-      }
+      },
     );
-    
-    // Externalize problematic packages (don't bundle them)
-    config.externals = config.externals || [];
-    
-    // Add OpenTelemetry packages as externals
-    if (typeof config.externals === 'function') {
-      const originalExternals = config.externals;
-      config.externals = async (...args) => {
-        const result = await originalExternals(...args);
-        if (result) return result;
-        
-        const [context, request] = args;
-        
-        // Externalize OpenTelemetry instrumentation packages
-        if (request.startsWith('@opentelemetry/')) {
-          return `commonjs ${request}`;
-        }
-        
-        return undefined;
-      };
-    } else if (Array.isArray(config.externals)) {
-      config.externals.push(/@opentelemetry\//);
-    } else {
-      config.externals = [/@opentelemetry\//];
-    }
   }
-  
+
   return config;
 }
 
-module.exports = { getSecureNowWebpackConfig };
-
-
-
-
-
-
-
+module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };

package/nextjs.js

@@ -541,28 +541,6 @@ function registerSecureNow(options = {}) {
       }
     } catch (_) {}
 
-    // Firewall — auto-activates when SECURENOW_API_KEY is set
-    const firewallApiKey = env('SECURENOW_API_KEY');
-    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
-      try {
-        require('./firewall').init({
-          apiKey: firewallApiKey,
-          apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-          versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-          failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-          statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-          log: env('SECURENOW_FIREWALL_LOG') !== '0',
-          tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-          iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-          cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
-        });
-      } catch (e) {
-        console.warn('[securenow] Firewall init failed:', e.message);
-      }
-    }
-
-    
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
     console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');
@@ -594,6 +572,27 @@ function registerSecureNow(options = {}) {
       console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
     }
   }
+
+  // Firewall — runs independently from OTel so it works even if tracing fails
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      require('./firewall').init({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
 }
 
 module.exports = {

package/nuxt-server-plugin.mjs

@@ -324,11 +324,34 @@ export default defineNitroPlugin((nitroApp) => {
     // not critical
   }
 
+  // ── Firewall — runs independently from OTel ──
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      const { init: fwInit } = await import('./firewall.js');
+      fwInit({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+
   // ── Graceful shutdown ──
   const shutdown = async (sig) => {
     try {
       await sdk.shutdown?.();
       if (loggerProvider) await loggerProvider.shutdown?.();
+      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
       console.log(`[securenow] Shut down on ${sig}`);
     } catch {
       // swallow

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.12.1",
+  "version": "5.14.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -81,6 +81,9 @@
     "./firewall": {
       "default": "./firewall.js"
     },
+    "./firewall-only": {
+      "default": "./firewall-only.js"
+    },
     "./cidr": {
       "default": "./cidr.js"
     },
@@ -117,6 +120,7 @@
     "resolve-ip.js",
     "cidr.js",
     "firewall.js",
+    "firewall-only.js",
     "firewall-tcp.js",
     "firewall-iptables.js",
     "firewall-cloud.js",