securenow 5.16.1 → 5.16.3

package/SKILL-CLI.md

@@ -336,7 +336,7 @@ securenow instances test <id>                # test connection
 
 ```bash
 securenow notifications list --limit 5 --json
-securenow issues show <issue-id> --json
+# IMPORTANT: parse the ipInvestigations array for each notification — see statuses below
 securenow ip <attacker-ip> --json
 securenow ip traces <attacker-ip> --json
 securenow traces show <trace-id> --json
@@ -345,6 +345,19 @@ securenow traces analyze <trace-id> --json
 securenow blocklist add <attacker-ip> --reason "Automated: SQL injection from issue #<id>"
 ```
 
+#### Notification IP Investigation Statuses
+
+Each notification contains an `ipInvestigations` array. **Every IP has its own `status` field** that you MUST check before taking action or raising flags. Do not rely only on top-level notification fields — always cross-reference each IP's individual investigation status.
+
+| Status | Meaning | Action |
+|--------|---------|--------|
+| `open` | Still needs review — no determination yet | Investigate: run `securenow ip <ip>`, check traces, decide to block or dismiss |
+| `false_positive` | Trusted/dismissed by exclusion rule, verified bot, or trusted IP list | **Skip** — greyed out in UI, no action needed |
+| `blocked` | Already on the user's blocklist | **Skip** — already handled |
+| `clean` | Pipeline analyzed and cleared as benign | **Skip** — verified safe |
+
+**Critical workflow rule:** When investigating notifications, iterate `ipInvestigations[]` and **only flag or act on IPs with `status: "open"`**. IPs marked `false_positive`, `blocked`, or `clean` have already been triaged — do not re-flag them.
+
 ### Triage and Suppress a False Positive
 
 ```bash

package/cli/auth.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const http = require('http');
+const crypto = require('crypto');
 const { execFileSync } = require('child_process');
 const config = require('./config');
 const { api, CLIError } = require('./client');
@@ -39,16 +40,20 @@ function decodeJwtPayload(token) {
 
 async function loginWithBrowser() {
   const appUrl = config.getAppUrl();
+  const nonce = crypto.randomBytes(24).toString('base64url');
 
   return new Promise((resolve, reject) => {
+    let pendingToken = null;
+
     const server = http.createServer((req, res) => {
-      const url = new URL(req.url, `http://localhost`);
+      const url = new URL(req.url, `http://127.0.0.1`);
 
       if (url.pathname === '/callback') {
         const token = url.searchParams.get('token');
         const error = url.searchParams.get('error');
+        const returnedState = url.searchParams.get('state');
 
-        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
 
         if (error) {
           res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Authentication Failed</h2><p>You can close this window.</p></body></html>');
@@ -57,19 +62,53 @@ async function loginWithBrowser() {
           return;
         }
 
+        if (returnedState !== nonce) {
+          res.end('<html><body style="font-family:system-ui;text-align:center;padding:60px"><h2>Security Error</h2><p>State mismatch — this request may not have originated from your CLI. Please try again.</p></body></html>');
+          server.close();
+          reject(new CLIError('State mismatch on callback — possible CSRF. Please retry `securenow login`.'));
+          return;
+        }
+
         if (token) {
+          pendingToken = token;
           const payload = decodeJwtPayload(token);
-          const email = payload?.email || '';
-          const emailHtml = email
-            ? `<p style="font-size:18px;margin:16px 0 4px">Signed in as <strong>${email.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</strong></p>`
-            : '';
-          res.end(`<html><body style="font-family:system-ui;text-align:center;padding:60px">` +
-            `<h2 style="color:#22c55e">\u2713 Logged in to SecureNow</h2>` +
-            emailHtml +
-            `<p style="color:#666">You can close this window and return to the terminal.</p>` +
-            `</body></html>`);
-          server.close();
-          resolve(token);
+          const email = payload?.email || 'unknown account';
+          const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+          const port = server.address().port;
+          const switchUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}&force_login=1`;
+
+          res.end([
+            '<!DOCTYPE html><html><head><meta charset="utf-8"><title>SecureNow CLI Login</title></head>',
+            '<body style="font-family:system-ui,sans-serif;text-align:center;padding:60px;margin:0;background:#fafafa">',
+            '<div style="max-width:420px;margin:0 auto;background:#fff;border-radius:12px;padding:40px 32px;box-shadow:0 2px 12px rgba(0,0,0,.08)">',
+            '<div style="width:56px;height:56px;margin:0 auto 20px;background:#f0fdf4;border-radius:50%;display:flex;align-items:center;justify-content:center">',
+            '<svg width="28" height="28" fill="none" viewBox="0 0 24 24"><path d="M12 2a5 5 0 015 5v1a2 2 0 012 2v8a2 2 0 01-2 2H7a2 2 0 01-2-2v-8a2 2 0 012-2V7a5 5 0 015-5zm0 2a3 3 0 00-3 3v1h6V7a3 3 0 00-3-3z" fill="#22c55e"/></svg>',
+            '</div>',
+            '<h2 style="margin:0 0 8px;font-size:22px;color:#111">Connect to SecureNow CLI</h2>',
+            `<p style="margin:0 0 24px;color:#666;font-size:15px">You are signing in as</p>`,
+            `<div style="background:#f8fafc;border:1px solid #e2e8f0;border-radius:8px;padding:14px 18px;margin:0 0 28px">`,
+            `<span style="font-size:17px;font-weight:600;color:#0f172a">${safeEmail}</span>`,
+            '</div>',
+            '<button id="confirm-btn" style="width:100%;padding:13px 24px;font-size:16px;font-weight:600;color:#fff;background:#22c55e;border:none;border-radius:8px;cursor:pointer;transition:background .15s" ',
+            'onmouseover="this.style.background=\'#16a34a\'" onmouseout="this.style.background=\'#22c55e\'">',
+            'Confirm &amp; Continue</button>',
+            `<p style="margin:20px 0 0"><a href="${switchUrl}" style="color:#6366f1;font-size:14px;text-decoration:none" `,
+            'onmouseover="this.style.textDecoration=\'underline\'" onmouseout="this.style.textDecoration=\'none\'">Use a different account</a></p>',
+            '<div id="done-msg" style="display:none;margin-top:24px">',
+            '<p style="color:#22c55e;font-weight:600;font-size:17px">\u2713 Connected! You can close this window.</p>',
+            '</div>',
+            '</div>',
+            '<script>',
+            'document.getElementById("confirm-btn").addEventListener("click", function(){',
+            '  this.disabled=true;this.textContent="Connecting\u2026";this.style.background="#86efac";this.style.cursor="default";',
+            `  fetch("/confirm?nonce=${encodeURIComponent(nonce)}").then(function(){`,
+            '    document.getElementById("confirm-btn").style.display="none";',
+            '    document.getElementById("done-msg").style.display="block";',
+            '  });',
+            '});',
+            '</script>',
+            '</body></html>',
+          ].join(''));
           return;
         }
 
@@ -79,13 +118,28 @@ async function loginWithBrowser() {
         return;
       }
 
+      if (url.pathname === '/confirm' && pendingToken) {
+        if (url.searchParams.get('nonce') !== nonce) {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end('{"error":"invalid nonce"}');
+          return;
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end('{"ok":true}');
+        const token = pendingToken;
+        pendingToken = null;
+        server.close();
+        resolve(token);
+        return;
+      }
+
       res.writeHead(404);
       res.end();
     });
 
     server.listen(0, '127.0.0.1', () => {
       const port = server.address().port;
-      const authUrl = `${appUrl}/cli/auth?callback=http://localhost:${port}/callback`;
+      const authUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}`;
 
       console.log('');
       ui.info('Opening browser for authentication...');

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');

package/firewall.js

@@ -26,6 +26,76 @@ let _lastAllowlistModified = null;
 let _lastAllowlistVersion = null;
 let _lastAllowlistSyncEtag = null;
 let _allowlistVersionTimer = null;
+let _allowlistConsecutiveErrors = 0;
+
+// Circuit breaker: stops all outbound polling when the API is persistently down.
+// Opens after CIRCUIT_OPEN_THRESHOLD consecutive errors across both lists,
+// stays open for CIRCUIT_OPEN_COOLDOWN_MS, then half-opens (single probe).
+const CIRCUIT_OPEN_THRESHOLD = 5;
+const CIRCUIT_OPEN_COOLDOWN_MS = 120_000;
+let _circuitState = 'closed';          // 'closed' | 'open' | 'half-open'
+let _circuitOpenedAt = 0;
+
+// In-flight guards — prevent overlapping requests when the API is slow
+let _versionCheckInflight = false;
+let _allowlistVersionCheckInflight = false;
+let _blocklistSyncInflight = false;
+let _allowlistSyncInflight = false;
+
+// 429 global back-off: if the API returns 429 with Retry-After, all polling
+// pauses until this timestamp.
+let _retryAfterUntil = 0;
+
+// ────── Circuit Breaker ──────
+
+function totalConsecutiveErrors() {
+  return _consecutiveErrors + _allowlistConsecutiveErrors;
+}
+
+function maybeOpenCircuit() {
+  if (_circuitState === 'open') return;
+  if (totalConsecutiveErrors() >= CIRCUIT_OPEN_THRESHOLD) {
+    _circuitState = 'open';
+    _circuitOpenedAt = Date.now();
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall: circuit breaker OPEN — pausing polling for %ds', CIRCUIT_OPEN_COOLDOWN_MS / 1000);
+    }
+  }
+}
+
+function resetCircuit() {
+  if (_circuitState !== 'closed') {
+    _circuitState = 'closed';
+    if (_options && _options.log) console.log('[securenow] Firewall: circuit breaker CLOSED — API healthy');
+  }
+  _consecutiveErrors = 0;
+  _allowlistConsecutiveErrors = 0;
+}
+
+function shouldSkipRequest() {
+  if (Date.now() < _retryAfterUntil) return true;
+  if (_circuitState === 'closed') return false;
+  if (_circuitState === 'open') {
+    if (Date.now() - _circuitOpenedAt >= CIRCUIT_OPEN_COOLDOWN_MS) {
+      _circuitState = 'half-open';
+      return false;
+    }
+    return true;
+  }
+  return false; // half-open: allow one probe
+}
+
+function handleRetryAfter(res) {
+  const ra = res.headers['retry-after'];
+  if (!ra) return;
+  const secs = parseInt(ra, 10);
+  if (secs > 0 && secs <= 300) {
+    _retryAfterUntil = Date.now() + secs * 1000;
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall: API returned 429, backing off for %ds', secs);
+    }
+  }
+}
 
 // ────── Blocklist Sync ──────
 
@@ -34,6 +104,11 @@ function buildUrl(apiUrl, path) {
 }
 
 function syncBlocklist(callback) {
+  if (_blocklistSyncInflight) { callback(null, false); return; }
+  _blocklistSyncInflight = true;
+
+  const done = (...args) => { _blocklistSyncInflight = false; callback(...args); };
+
   const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
@@ -58,15 +133,16 @@ function syncBlocklist(callback) {
 
   const req = mod.request(reqOptions, (res) => {
     if (res.statusCode === 304) {
-      callback(null, false);
+      done(null, false);
       return;
     }
+    if (res.statusCode === 429) { handleRetryAfter(res); }
 
     let data = '';
     res.on('data', (chunk) => { data += chunk; });
     res.on('end', () => {
       if (res.statusCode !== 200) {
-        callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+        done(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
         return;
       }
       try {
@@ -78,15 +154,15 @@ function syncBlocklist(callback) {
         if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
         _stats.syncs++;
         notifyLayers(ips);
-        callback(null, true, _matcher.stats());
+        done(null, true, _matcher.stats());
       } catch (e) {
-        callback(new Error(`Failed to parse blocklist response: ${e.message}`));
+        done(new Error(`Failed to parse blocklist response: ${e.message}`));
       }
     });
   });
 
-  req.on('error', (err) => callback(err));
-  req.on('timeout', () => { req.destroy(); callback(new Error('Sync request timed out')); });
+  req.on('error', (err) => done(err));
+  req.on('timeout', () => { req.destroy(); done(new Error('Sync request timed out')); });
   req.end();
 }
 
@@ -99,6 +175,11 @@ function notifyLayers(ips) {
 // ────── Allowlist Sync ──────
 
 function syncAllowlist(callback) {
+  if (_allowlistSyncInflight) { callback(null, false); return; }
+  _allowlistSyncInflight = true;
+
+  const done = (...args) => { _allowlistSyncInflight = false; callback(...args); };
+
   const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
@@ -123,15 +204,16 @@ function syncAllowlist(callback) {
 
   const req = mod.request(reqOptions, (res) => {
     if (res.statusCode === 304) {
-      callback(null, false);
+      done(null, false);
       return;
     }
+    if (res.statusCode === 429) { handleRetryAfter(res); }
 
     let data = '';
     res.on('data', (chunk) => { data += chunk; });
     res.on('end', () => {
       if (res.statusCode !== 200) {
-        callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+        done(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
         return;
       }
       try {
@@ -141,19 +223,24 @@ function syncAllowlist(callback) {
         _allowlistMatcher = createMatcher(ips);
         _lastAllowlistModified = res.headers['last-modified'] || null;
         if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
-        callback(null, true, _allowlistMatcher.stats());
+        done(null, true, _allowlistMatcher.stats());
       } catch (e) {
-        callback(new Error(`Failed to parse allowlist response: ${e.message}`));
+        done(new Error(`Failed to parse allowlist response: ${e.message}`));
       }
     });
   });
 
-  req.on('error', (err) => callback(err));
-  req.on('timeout', () => { req.destroy(); callback(new Error('Allowlist sync request timed out')); });
+  req.on('error', (err) => done(err));
+  req.on('timeout', () => { req.destroy(); done(new Error('Allowlist sync request timed out')); });
   req.end();
 }
 
 function checkAllowlistVersion(callback) {
+  if (_allowlistVersionCheckInflight || shouldSkipRequest()) { callback(null, false); return; }
+  _allowlistVersionCheckInflight = true;
+
+  const done = (...args) => { _allowlistVersionCheckInflight = false; callback(...args); };
+
   const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
@@ -173,30 +260,38 @@ function checkAllowlistVersion(callback) {
     timeout: 5000,
   }, (res) => {
     if (res.statusCode === 304) {
+      _allowlistConsecutiveErrors = 0;
+      resetCircuit();
       res.resume();
-      callback(null, false);
+      done(null, false);
       return;
     }
+    if (res.statusCode === 429) { handleRetryAfter(res); }
 
     let data = '';
     res.on('data', (chunk) => { data += chunk; });
     res.on('end', () => {
       if (res.statusCode !== 200) {
-        callback(null, false);
+        _allowlistConsecutiveErrors++;
+        _stats.errors++;
+        maybeOpenCircuit();
+        done(null, false);
         return;
       }
+      _allowlistConsecutiveErrors = 0;
+      resetCircuit();
       try {
         const body = JSON.parse(data);
         const version = body.version || null;
         const changed = version !== _lastAllowlistVersion;
         if (changed) _lastAllowlistVersion = version;
-        callback(null, changed);
-      } catch (_e) { callback(null, false); }
+        done(null, changed);
+      } catch (_e) { done(null, false); }
     });
   });
 
-  req.on('error', () => { callback(null, false); });
-  req.on('timeout', () => { req.destroy(); callback(null, false); });
+  req.on('error', () => { _allowlistConsecutiveErrors++; _stats.errors++; maybeOpenCircuit(); done(null, false); });
+  req.on('timeout', () => { req.destroy(); _allowlistConsecutiveErrors++; _stats.errors++; maybeOpenCircuit(); done(null, false); });
   req.end();
 }
 
@@ -212,7 +307,8 @@ function doFullAllowlistSync() {
 
 function scheduleNextAllowlistVersionCheck() {
   const baseMs = (_options.versionCheckInterval || 10) * 1000;
-  const delayMs = jitter(baseMs);
+  const backoffMs = Math.min(baseMs * Math.pow(2, _allowlistConsecutiveErrors), 120_000);
+  const delayMs = jitter(backoffMs);
 
   _allowlistVersionTimer = setTimeout(() => {
     checkAllowlistVersion((_err, changed) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.16.1",
+  "version": "5.16.3",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",