securenow 5.12.2 → 5.15.0

package/firewall.js

@@ -17,6 +17,15 @@ let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
 let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
+let _localhostFallbackTried = false;
+
+// Allowlist state
+let _allowlistMatcher = null;
+let _allowlistRawIps = [];
+let _lastAllowlistModified = null;
+let _lastAllowlistVersion = null;
+let _lastAllowlistSyncEtag = null;
+let _allowlistVersionTimer = null;
 
 // ────── Blocklist Sync ──────
 
@@ -87,6 +96,136 @@ function notifyLayers(ips) {
   }
 }
 
+// ────── Allowlist Sync ──────
+
+function syncAllowlist(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const reqOptions = {
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers: {
+      'Authorization': `Bearer ${_options.apiKey}`,
+      'User-Agent': 'securenow-firewall-sdk',
+    },
+    timeout: 10000,
+  };
+
+  if (_lastAllowlistSyncEtag) {
+    reqOptions.headers['If-None-Match'] = _lastAllowlistSyncEtag;
+  } else if (_lastAllowlistModified) {
+    reqOptions.headers['If-Modified-Since'] = _lastAllowlistModified;
+  }
+
+  const req = mod.request(reqOptions, (res) => {
+    if (res.statusCode === 304) {
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+        return;
+      }
+      try {
+        const body = JSON.parse(data);
+        const ips = body.ips || [];
+        _allowlistRawIps = ips;
+        _allowlistMatcher = createMatcher(ips);
+        _lastAllowlistModified = res.headers['last-modified'] || null;
+        if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
+        callback(null, true, _allowlistMatcher.stats());
+      } catch (e) {
+        callback(new Error(`Failed to parse allowlist response: ${e.message}`));
+      }
+    });
+  });
+
+  req.on('error', (err) => callback(err));
+  req.on('timeout', () => { req.destroy(); callback(new Error('Allowlist sync request timed out')); });
+  req.end();
+}
+
+function checkAllowlistVersion(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const headers = {
+    'Authorization': `Bearer ${_options.apiKey}`,
+    'User-Agent': 'securenow-firewall-sdk',
+  };
+  if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
+
+  const req = mod.request({
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers,
+    timeout: 5000,
+  }, (res) => {
+    if (res.statusCode === 304) {
+      res.resume();
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        callback(null, false);
+        return;
+      }
+      try {
+        const body = JSON.parse(data);
+        const version = body.version || null;
+        const changed = version !== _lastAllowlistVersion;
+        if (changed) _lastAllowlistVersion = version;
+        callback(null, changed);
+      } catch (_e) { callback(null, false); }
+    });
+  });
+
+  req.on('error', () => { callback(null, false); });
+  req.on('timeout', () => { req.destroy(); callback(null, false); });
+  req.end();
+}
+
+function doFullAllowlistSync() {
+  syncAllowlist((err, changed, stats) => {
+    if (err) {
+      if (_options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
+    } else if (changed && stats && _options.log) {
+      console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+    }
+  });
+}
+
+function scheduleNextAllowlistVersionCheck() {
+  const baseMs = (_options.versionCheckInterval || 10) * 1000;
+  const delayMs = jitter(baseMs);
+
+  _allowlistVersionTimer = setTimeout(() => {
+    checkAllowlistVersion((_err, changed) => {
+      if (changed) {
+        if (_options.log) console.log('[securenow] Firewall: allowlist version changed, syncing…');
+        doFullAllowlistSync();
+      }
+      scheduleNextAllowlistVersionCheck();
+    });
+  }, delayMs);
+  if (_allowlistVersionTimer.unref) _allowlistVersionTimer.unref();
+}
+
 function checkVersion(callback) {
   const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
   const mod = url.startsWith('https') ? https : http;
@@ -178,6 +317,16 @@ function startSyncLoop() {
   function initialSync() {
     syncBlocklist((err, changed, stats) => {
       if (err) {
+        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
+        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
+          _localhostFallbackTried = true;
+          const origUrl = _options.apiUrl;
+          _options.apiUrl = 'http://localhost:4000';
+          if (_options.log) console.log('[securenow] Firewall: %s unreachable, trying http://localhost:4000', origUrl);
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
         if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
         if (_options.failMode === 'closed') {
           _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
@@ -193,11 +342,27 @@ function startSyncLoop() {
     });
   }
 
+  function initialAllowlistSync() {
+    syncAllowlist((err, changed, stats) => {
+      if (err) {
+        if (_options.log) console.warn('[securenow] Firewall: initial allowlist sync failed:', err.message);
+        const retryTimer = setTimeout(initialAllowlistSync, RETRY_DELAY);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      if (changed && stats && stats.total > 0) {
+        if (_options.log) console.log('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+      }
+    });
+  }
+
   initialSync();
+  initialAllowlistSync();
 
   scheduleNextVersionCheck();
+  scheduleNextAllowlistVersionCheck();
 
-  _syncTimer = setInterval(() => { doFullSync(); }, fullSyncIntervalMs);
+  _syncTimer = setInterval(() => { doFullSync(); doFullAllowlistSync(); }, fullSyncIntervalMs);
   if (_syncTimer.unref) _syncTimer.unref();
 }
 
@@ -255,24 +420,41 @@ function wrapListener(originalListener) {
   };
 }
 
+function sendBlockResponse(req, res, ip) {
+  const code = (_options && _options.statusCode) || 403;
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
+    res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
+    res.end(blockedHtml(ip));
+  } else {
+    res.writeHead(code, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Forbidden', ip }));
+  }
+}
+
 function firewallRequestHandler(req, res) {
-  if (_matcher) {
-    const ip = resolveClientIp(req);
-    if (_matcher.isBlocked(ip)) {
+  const ip = resolveClientIp(req);
+
+  // Allowlist check: if active, only listed IPs are allowed through
+  if (_allowlistMatcher && _allowlistMatcher.stats().total > 0) {
+    if (!_allowlistMatcher.isBlocked(ip)) {
       _stats.blocked++;
-      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
-      const code = (_options && _options.statusCode) || 403;
-      const accept = req.headers['accept'] || '';
-      if (accept.includes('text/html')) {
-        res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
-        res.end(blockedHtml(ip));
-      } else {
-        res.writeHead(code, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Forbidden', ip }));
-      }
+      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP (not in allowlist)', ip);
+      sendBlockResponse(req, res, ip);
       return true;
     }
+    // IP is on the allowlist — skip blocklist check, allow through
+    return false;
   }
+
+  // Blocklist check
+  if (_matcher && _matcher.isBlocked(ip)) {
+    _stats.blocked++;
+    if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+    sendBlockResponse(req, res, ip);
+    return true;
+  }
+
   return false;
 }
 
@@ -330,7 +512,7 @@ function init(options) {
   if (_options.tcp) {
     try {
       const tcpLayer = require('./firewall-tcp');
-      tcpLayer.init(() => _matcher, _options);
+      tcpLayer.init(() => _matcher, _options, () => _allowlistMatcher);
       _layers.push(tcpLayer);
       if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       active');
     } catch (e) {
@@ -373,6 +555,7 @@ function init(options) {
 
 function shutdown() {
   if (_versionTimer) { clearTimeout(_versionTimer); _versionTimer = null; }
+  if (_allowlistVersionTimer) { clearTimeout(_allowlistVersionTimer); _allowlistVersionTimer = null; }
   if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
 
   for (const layer of _layers) {
@@ -392,9 +575,15 @@ function shutdown() {
 }
 
 function getStats() {
-  return { ..._stats, matcher: _matcher ? _matcher.stats() : null, initialized: _initialized };
+  return {
+    ..._stats,
+    matcher: _matcher ? _matcher.stats() : null,
+    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
+    initialized: _initialized,
+  };
 }
 
 function getMatcher() { return _matcher; }
+function getAllowlistMatcher() { return _allowlistMatcher; }
 
-module.exports = { init, shutdown, getStats, getMatcher };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher };

package/nextjs-webpack-config.js

@@ -1,33 +1,100 @@
+'use strict';
+
+/**
+ * Next.js configuration helpers for SecureNow
+ *
+ * Usage (recommended — zero-list approach):
+ *
+ *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
+ *   module.exports = withSecureNow({
+ *     // your existing next.config options
+ *   });
+ *
+ * Legacy webpack-only helper (still exported for backwards compat):
+ *
+ *   const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
+ *   module.exports = { webpack: (config, opts) => getSecureNowWebpackConfig(config, opts) };
+ */
+
+const EXTERNAL_PACKAGES = [
+  'securenow',
+  '@opentelemetry/sdk-node',
+  '@opentelemetry/auto-instrumentations-node',
+  '@opentelemetry/instrumentation-http',
+  '@opentelemetry/exporter-trace-otlp-http',
+  '@opentelemetry/exporter-logs-otlp-http',
+  '@opentelemetry/sdk-logs',
+  '@opentelemetry/instrumentation',
+  '@opentelemetry/resources',
+  '@opentelemetry/semantic-conventions',
+  '@opentelemetry/api',
+  '@opentelemetry/api-logs',
+  '@vercel/otel',
+];
+
+function detectNextMajor() {
+  try {
+    const pkg = require('next/package.json');
+    return parseInt(pkg.version, 10) || 14;
+  } catch {
+    return 14;
+  }
+}
+
 /**
- * Next.js webpack configuration for SecureNow
- * 
- * Add this to your next.config.js to suppress OpenTelemetry instrumentation warnings
- * 
- * Usage:
- * const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
- * 
- * module.exports = {
- *   webpack: (config, options) => {
- *     return getSecureNowWebpackConfig(config, options);
- *   }
- * };
+ * Wrap a Next.js config object to auto-externalize SecureNow + OTel
+ * packages and enable the instrumentation hook.
+ *
+ *   module.exports = withSecureNow({ reactStrictMode: true });
  */
+function withSecureNow(userConfig) {
+  if (typeof userConfig === 'function') {
+    return (...args) => withSecureNow(userConfig(...args));
+  }
+
+  const cfg = { ...userConfig };
+  const major = detectNextMajor();
+
+  if (major >= 15) {
+    cfg.serverExternalPackages = dedup([
+      ...(cfg.serverExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  } else {
+    cfg.experimental = { ...(cfg.experimental || {}) };
+    cfg.experimental.instrumentationHook = true;
+    cfg.experimental.serverComponentsExternalPackages = dedup([
+      ...(cfg.experimental.serverComponentsExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  }
+
+  const origWebpack = cfg.webpack;
+  cfg.webpack = (config, options) => {
+    const c = origWebpack ? origWebpack(config, options) : config;
+    return getSecureNowWebpackConfig(c, options);
+  };
+
+  return cfg;
+}
 
+function dedup(arr) {
+  return [...new Set(arr)];
+}
+
+/**
+ * Legacy: suppress OTel webpack warnings and add externals.
+ */
 function getSecureNowWebpackConfig(config, options) {
   const { isServer } = options;
-  
-  // Only apply to server-side builds
+
   if (isServer) {
-    // Suppress warnings for OpenTelemetry instrumentations
     config.ignoreWarnings = config.ignoreWarnings || [];
-    
     config.ignoreWarnings.push(
-      // Ignore "Critical dependency" warnings from instrumentations
       {
         module: /@opentelemetry\/instrumentation/,
         message: /Critical dependency: the request of a dependency is an expression/,
       },
-      // Ignore missing optional peer dependencies
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/winston-transport/,
@@ -35,43 +102,11 @@ function getSecureNowWebpackConfig(config, options) {
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/exporter-jaeger/,
-      }
+      },
     );
-    
-    // Externalize problematic packages (don't bundle them)
-    config.externals = config.externals || [];
-    
-    // Add OpenTelemetry packages as externals
-    if (typeof config.externals === 'function') {
-      const originalExternals = config.externals;
-      config.externals = async (...args) => {
-        const result = await originalExternals(...args);
-        if (result) return result;
-        
-        const [context, request] = args;
-        
-        // Externalize OpenTelemetry instrumentation packages
-        if (request.startsWith('@opentelemetry/')) {
-          return `commonjs ${request}`;
-        }
-        
-        return undefined;
-      };
-    } else if (Array.isArray(config.externals)) {
-      config.externals.push(/@opentelemetry\//);
-    } else {
-      config.externals = [/@opentelemetry\//];
-    }
   }
-  
+
   return config;
 }
 
-module.exports = { getSecureNowWebpackConfig };
-
-
-
-
-
-
-
+module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };

package/nuxt-server-plugin.mjs

@@ -324,11 +324,34 @@ export default defineNitroPlugin((nitroApp) => {
     // not critical
   }
 
+  // ── Firewall — runs independently from OTel ──
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      const { init: fwInit } = await import('./firewall.js');
+      fwInit({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
+
   // ── Graceful shutdown ──
   const shutdown = async (sig) => {
     try {
       await sdk.shutdown?.();
       if (loggerProvider) await loggerProvider.shutdown?.();
+      try { const fw = await import('./firewall.js'); fw.shutdown?.(); } catch {}
       console.log(`[securenow] Shut down on ${sig}`);
     } catch {
       // swallow

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.12.2",
+  "version": "5.15.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -81,6 +81,9 @@
     "./firewall": {
       "default": "./firewall.js"
     },
+    "./firewall-only": {
+      "default": "./firewall-only.js"
+    },
     "./cidr": {
       "default": "./cidr.js"
     },
@@ -117,6 +120,7 @@
     "resolve-ip.js",
     "cidr.js",
     "firewall.js",
+    "firewall-only.js",
     "firewall-tcp.js",
     "firewall-iptables.js",
     "firewall-cloud.js",
@@ -127,7 +131,9 @@
     "docs/",
     "README.md",
     "NPM_README.md",
-    "CONSUMING-APPS-GUIDE.md"
+    "CONSUMING-APPS-GUIDE.md",
+    "SKILL-CLI.md",
+    "SKILL-API.md"
   ],
   "dependencies": {
     "@opentelemetry/api": "1.7.0",