npm - securenow - Versions diffs - 5.16.3 → 5.17.1 - Mend

securenow 5.16.3 → 5.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/SKILL-API.md CHANGED Viewed

@@ -460,6 +460,7 @@ Add custom fields via `SECURENOW_SENSITIVE_FIELDS=field1,field2`.
 | `SECURENOW_API_KEY` | API key (`snk_live_...`); activates firewall when set | — |
 | `SECURENOW_API_URL` | SecureNow API base URL | `https://api.securenow.ai` |
 | `SECURENOW_FIREWALL_ENABLED` | Master kill-switch (`0` to disable) | `1` |
+| `SECURENOW_FIREWALL_VERSION_INTERVAL` | Seconds between lightweight version checks | `10` |
 | `SECURENOW_FIREWALL_SYNC_INTERVAL` | Full blocklist refresh interval in seconds | `300` |
 | `SECURENOW_FIREWALL_FAIL_MODE` | `open` (allow all when unavailable) or `closed` | `open` |
 | `SECURENOW_FIREWALL_STATUS_CODE` | HTTP status for blocked requests | `403` |
@@ -470,6 +471,8 @@ Add custom fields via `SECURENOW_SENSITIVE_FIELDS=field1,field2`.
 | `SECURENOW_FIREWALL_CLOUD_DRY_RUN` | `1` to log cloud pushes without applying | `0` |
 | `SECURENOW_TRUSTED_PROXIES` | Comma-separated trusted proxy IPs | — |
+**Resilience:** The firewall SDK includes a circuit breaker (opens after 5 consecutive errors, 2-min cooldown), in-flight request guards (prevents overlapping requests), 429 Retry-After support, and exponential backoff on both version checks and initial sync retries.
 ### Cloud WAF Provider Variables
 | Provider | Variables |

package/cli/config.js CHANGED Viewed

@@ -62,12 +62,18 @@ function getAuthSource() {
 function loadConfig() {
   const global = loadJSON(CONFIG_FILE);
   const local = fs.existsSync(LOCAL_CONFIG_FILE) ? loadJSON(LOCAL_CONFIG_FILE) : {};
+  if (hasLocalCredentials()) {
+    const { defaultApp: _ignored, ...globalWithoutAccountScoped } = global;
+    return { ...DEFAULTS, ...globalWithoutAccountScoped, ...local };
+  }
   return { ...DEFAULTS, ...global, ...local };
 }
-function saveConfig(config) {
-  const existing = loadJSON(CONFIG_FILE);
-  saveJSON(CONFIG_FILE, { ...existing, ...config });
+function saveConfig(config, { local } = {}) {
+  const useLocal = local === true || (local == null && hasLocalCredentials());
+  const targetFile = useLocal ? LOCAL_CONFIG_FILE : CONFIG_FILE;
+  const existing = loadJSON(targetFile);
+  saveJSON(targetFile, { ...existing, ...config });
 }
 function getConfigValue(key) {

package/cli/monitor.js CHANGED Viewed

@@ -163,6 +163,24 @@ async function tracesAnalyze(args, flags) {
 // ── Logs ──
+// Parse a duration string like "6h", "30m", "2d", "90s" into minutes.
+// Returns null on unparseable input so the caller can error out clearly
+// instead of silently falling through to a default.
+function parseDurationToMinutes(value) {
+  if (value == null || value === '') return null;
+  const m = String(value).trim().match(/^(\d+)\s*(s|m|h|d)?$/i);
+  if (!m) return null;
+  const n = parseInt(m[1], 10);
+  const unit = (m[2] || 'm').toLowerCase();
+  if (unit === 's') return Math.max(1, Math.round(n / 60));
+  if (unit === 'm') return n;
+  if (unit === 'h') return n * 60;
+  if (unit === 'd') return n * 60 * 24;
+  return null;
+}
+const LOG_LEVELS = ['TRACE', 'DEBUG', 'INFO', 'WARN', 'WARNING', 'ERROR', 'FATAL'];
 async function logsList(args, flags) {
   requireAuth();
   const appKey = resolveApp(flags);
@@ -171,17 +189,42 @@ async function logsList(args, flags) {
     process.exit(1);
   }
+  let minutes = 60;
+  if (flags.since != null) {
+    const parsed = parseDurationToMinutes(flags.since);
+    if (parsed == null) {
+      ui.error(`Invalid --since value "${flags.since}". Expected e.g. 30m, 6h, 2d.`);
+      process.exit(1);
+    }
+    minutes = parsed;
+  } else if (flags.minutes != null) {
+    const n = parseInt(flags.minutes, 10);
+    if (isNaN(n) || n <= 0) {
+      ui.error(`Invalid --minutes value "${flags.minutes}".`);
+      process.exit(1);
+    }
+    minutes = n;
+  }
+  let severity = null;
+  if (flags.level) {
+    severity = String(flags.level).toUpperCase();
+    if (!LOG_LEVELS.includes(severity)) {
+      ui.error(`Invalid --level "${flags.level}". Expected one of: ${LOG_LEVELS.join(', ').toLowerCase()}.`);
+      process.exit(1);
+    }
+  }
   const s = ui.spinner('Fetching logs');
   try {
-    const minutes = parseInt(flags.minutes || '60', 10);
     const now = Date.now();
     const query = {
       appKeys: appKey,
-      limit: flags.limit || 50,
+      limit: flags.limit || 200,
       from: flags.start || new Date(now - minutes * 60 * 1000).toISOString(),
       to: flags.end || new Date(now).toISOString(),
     };
-    if (flags.level) query.severity = flags.level;
+    if (severity) query.severity = severity;
     const data = await api.get('/logs', { query });
     const logs = data.logs || [];
@@ -193,11 +236,12 @@ async function logsList(args, flags) {
     for (const log of logs) {
       const level = (log.severityText || log.level || 'INFO').toUpperCase();
       const levelColor = {
-        ERROR: ui.c.red, WARN: ui.c.yellow, WARNING: ui.c.yellow,
-        INFO: ui.c.cyan, DEBUG: ui.c.dim,
+        ERROR: ui.c.red, FATAL: ui.c.red, WARN: ui.c.yellow, WARNING: ui.c.yellow,
+        INFO: ui.c.cyan, DEBUG: ui.c.dim, TRACE: ui.c.dim,
       }[level] || ui.c.white;
-      const time = ui.c.dim(log.timestamp ? new Date(log.timestamp).toLocaleTimeString() : '');
+      const parsedTime = ui.parseTimestamp(log.timestamp);
+      const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
       const body = log.body || log.message || log.severityText || '';
       console.log(`  ${time} ${levelColor(level.padEnd(7))} ${body}`);
@@ -233,11 +277,12 @@ async function logsTrace(args, flags) {
     for (const log of logs) {
       const level = (log.severityText || log.level || 'INFO').toUpperCase();
       const levelColor = {
-        ERROR: ui.c.red, WARN: ui.c.yellow, WARNING: ui.c.yellow,
-        INFO: ui.c.cyan, DEBUG: ui.c.dim,
+        ERROR: ui.c.red, FATAL: ui.c.red, WARN: ui.c.yellow, WARNING: ui.c.yellow,
+        INFO: ui.c.cyan, DEBUG: ui.c.dim, TRACE: ui.c.dim,
       }[level] || ui.c.white;
-      const time = ui.c.dim(log.timestamp ? new Date(log.timestamp).toLocaleTimeString() : '');
+      const parsedTime = ui.parseTimestamp(log.timestamp);
+      const time = ui.c.dim(parsedTime ? parsedTime.toLocaleTimeString() : '');
       console.log(`  ${time} ${levelColor(level.padEnd(7))} ${log.body || log.message || ''}`);
     }
     console.log('');

package/cli/ui.js CHANGED Viewed

@@ -266,9 +266,36 @@ function hr() {
   console.log(c.dim('─'.repeat(width)));
 }
+// Parses timestamps the backend returns in multiple formats:
+//   - UInt64 nanoseconds as a string (signoz logs) → "1775856777891000000"
+//   - ClickHouse DateTime64 string (signoz traces)  → "2026-04-10 21:34:51.133000000" (UTC, no Z)
+//   - ISO 8601                                       → "2026-04-10T21:34:51.133Z"
+//   - number (ms) / Date                              → passthrough
+function parseTimestamp(ts) {
+  if (ts == null || ts === '') return null;
+  if (ts instanceof Date) return isNaN(ts.getTime()) ? null : ts;
+  if (typeof ts === 'number') {
+    const d = new Date(ts);
+    return isNaN(d.getTime()) ? null : d;
+  }
+  const s = String(ts).trim();
+  if (/^\d{16,}$/.test(s)) {
+    const d = new Date(Number(s) / 1e6);
+    return isNaN(d.getTime()) ? null : d;
+  }
+  if (/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}/.test(s) && !/[zZ]|[+-]\d{2}:?\d{2}$/.test(s)) {
+    const isoish = s.replace(' ', 'T').replace(/\.(\d{3})\d*$/, '.$1') + 'Z';
+    const d = new Date(isoish);
+    if (!isNaN(d.getTime())) return d;
+  }
+  const d = new Date(s);
+  return isNaN(d.getTime()) ? null : d;
+}
 function timeAgo(dateStr) {
-  if (!dateStr) return '—';
-  const diff = Date.now() - new Date(dateStr).getTime();
+  const date = parseTimestamp(dateStr);
+  if (!date) return '—';
+  const diff = Date.now() - date.getTime();
   const seconds = Math.floor(diff / 1000);
   if (seconds < 60) return 'just now';
   const minutes = Math.floor(seconds / 60);
@@ -277,7 +304,7 @@ function timeAgo(dateStr) {
   if (hours < 24) return `${hours}h ago`;
   const days = Math.floor(hours / 24);
   if (days < 30) return `${days}d ago`;
-  return new Date(dateStr).toLocaleDateString();
+  return date.toLocaleDateString();
 }
 function truncate(str, len = 50) {
@@ -351,6 +378,7 @@ module.exports = {
   json,
   hr,
   timeAgo,
+  parseTimestamp,
   truncate,
   statusBadge,
   httpStatusColor,

package/cli.js CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 const ui = require('./cli/ui');
@@ -90,7 +90,7 @@ const COMMANDS = {
     desc: 'View application logs',
     usage: 'securenow logs [options]',
     sub: {
-      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results', minutes: 'Time window in minutes', level: 'Filter by level' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
+      list: { desc: 'List recent logs', flags: { app: 'App key', limit: 'Max results (default 200)', since: 'Time window (e.g. 30m, 6h, 2d)', minutes: 'Time window in minutes (alias for --since Nm)', level: 'Filter by level (error, warn, info, debug)', start: 'Start time (ISO 8601)', end: 'End time (ISO 8601)' }, run: (a, f) => require('./cli/monitor').logsList(a, f) },
       trace: { desc: 'Show logs for a trace', usage: 'securenow logs trace <traceId>', run: (a, f) => require('./cli/monitor').logsTrace(a, f) },
     },
     defaultSub: 'list',

package/docs/FIREWALL-GUIDE.md CHANGED Viewed

@@ -345,6 +345,21 @@ The firewall uses the same trusted-proxy-aware IP resolution as SecureNow tracin
 - Store it in environment variables or `.env` — never commit it to source control
 - The key is hashed (SHA-256) on the server — SecureNow never stores the plaintext
+### Sync Architecture
+The SDK uses a unified sync endpoint (`/firewall/sync`) that combines version checking and data fetching into a single request:
+1. **One request per poll** — The SDK sends its current blocklist and allowlist versions. The API responds with version info and only includes full IP lists for lists that have changed.
+2. **HTTP Keep-Alive** — TCP connections are reused across polls. TLS handshake happens once; subsequent requests reuse the socket (~5-10ms vs ~100-200ms per request).
+3. **Automatic fallback** — If the unified endpoint is not available (older API), the SDK falls back to legacy separate endpoints.
+### Circuit Breaker & Back-Pressure
+- **Circuit breaker** — After 5 consecutive errors, the SDK pauses all polling for 2 minutes. After cooldown, a single probe is sent. If it succeeds, normal polling resumes.
+- **In-flight guard** — Only one poll can be in-flight at a time. If the API is slow, the next scheduled poll is skipped.
+- **429 Retry-After** — When the API returns HTTP 429, all polling pauses for the `Retry-After` duration.
+- **Exponential backoff** — Poll interval doubles on each consecutive error (10s → 20s → 40s → 80s, capped at 120s).
 ### Cleanup on Shutdown
 All layers clean up on process exit (SIGINT/SIGTERM):

package/firewall.js CHANGED Viewed

@@ -8,7 +8,7 @@ const { resolveClientIp } = require('./resolve-ip');
 let _options = null;
 let _matcher = null;
 let _syncTimer = null;
-let _versionTimer = null;
+let _pollTimer = null;
 let _lastModified = null;
 let _lastVersion = null;
 let _lastSyncEtag = null;
@@ -25,36 +25,29 @@ let _allowlistRawIps = [];
 let _lastAllowlistModified = null;
 let _lastAllowlistVersion = null;
 let _lastAllowlistSyncEtag = null;
-let _allowlistVersionTimer = null;
-let _allowlistConsecutiveErrors = 0;
-// Circuit breaker: stops all outbound polling when the API is persistently down.
-// Opens after CIRCUIT_OPEN_THRESHOLD consecutive errors across both lists,
-// stays open for CIRCUIT_OPEN_COOLDOWN_MS, then half-opens (single probe).
+// Circuit breaker
 const CIRCUIT_OPEN_THRESHOLD = 5;
 const CIRCUIT_OPEN_COOLDOWN_MS = 120_000;
-let _circuitState = 'closed';          // 'closed' | 'open' | 'half-open'
+let _circuitState = 'closed';
 let _circuitOpenedAt = 0;
-// In-flight guards — prevent overlapping requests when the API is slow
-let _versionCheckInflight = false;
-let _allowlistVersionCheckInflight = false;
-let _blocklistSyncInflight = false;
-let _allowlistSyncInflight = false;
-// 429 global back-off: if the API returns 429 with Retry-After, all polling
-// pauses until this timestamp.
+// In-flight guard and 429 back-off
+let _pollInflight = false;
 let _retryAfterUntil = 0;
-// ────── Circuit Breaker ──────
+// Keep-alive agents — reuse TCP connections across polls (TLS handshake once)
+const _httpAgent = new http.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
+const _httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
-function totalConsecutiveErrors() {
-  return _consecutiveErrors + _allowlistConsecutiveErrors;
-}
+// Unified sync uses /firewall/sync (v2). Falls back to legacy on 404.
+let _useUnifiedSync = true;
+// ────── Circuit Breaker ──────
 function maybeOpenCircuit() {
   if (_circuitState === 'open') return;
-  if (totalConsecutiveErrors() >= CIRCUIT_OPEN_THRESHOLD) {
+  if (_consecutiveErrors >= CIRCUIT_OPEN_THRESHOLD) {
     _circuitState = 'open';
     _circuitOpenedAt = Date.now();
     if (_options && _options.log) {
@@ -69,7 +62,6 @@ function resetCircuit() {
     if (_options && _options.log) console.log('[securenow] Firewall: circuit breaker CLOSED — API healthy');
   }
   _consecutiveErrors = 0;
-  _allowlistConsecutiveErrors = 0;
 }
 function shouldSkipRequest() {
@@ -97,23 +89,25 @@ function handleRetryAfter(res) {
   }
 }
-// ────── Blocklist Sync ──────
+// ────── HTTP helpers ──────
 function buildUrl(apiUrl, path) {
   return apiUrl.replace(/\/+$/, '') + '/api/v1' + path;
 }
-function syncBlocklist(callback) {
-  if (_blocklistSyncInflight) { callback(null, false); return; }
-  _blocklistSyncInflight = true;
+function jitter(baseMs) {
+  return baseMs * (0.8 + Math.random() * 0.4);
+}
-  const done = (...args) => { _blocklistSyncInflight = false; callback(...args); };
+function agentFor(url) {
+  return url.startsWith('https') ? _httpsAgent : _httpAgent;
+}
-  const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
+function httpGet(url, extraHeaders, timeout, callback) {
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
-  const reqOptions = {
+  const req = mod.request({
     hostname: parsed.hostname,
     port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
     path: parsed.pathname + parsed.search,
@@ -121,297 +115,315 @@ function syncBlocklist(callback) {
     headers: {
       'Authorization': `Bearer ${_options.apiKey}`,
       'User-Agent': 'securenow-firewall-sdk',
+      ...extraHeaders,
     },
-    timeout: 10000,
-  };
-  if (_lastSyncEtag) {
-    reqOptions.headers['If-None-Match'] = _lastSyncEtag;
-  } else if (_lastModified) {
-    reqOptions.headers['If-Modified-Since'] = _lastModified;
-  }
-  const req = mod.request(reqOptions, (res) => {
-    if (res.statusCode === 304) {
-      done(null, false);
-      return;
-    }
-    if (res.statusCode === 429) { handleRetryAfter(res); }
+    timeout,
+    agent: agentFor(url),
+  }, (res) => {
     let data = '';
     res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => {
-      if (res.statusCode !== 200) {
-        done(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
-        return;
-      }
-      try {
-        const body = JSON.parse(data);
-        const ips = body.ips || [];
-        _rawIps = ips;
-        _matcher = createMatcher(ips);
-        _lastModified = res.headers['last-modified'] || null;
-        if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
-        _stats.syncs++;
-        notifyLayers(ips);
-        done(null, true, _matcher.stats());
-      } catch (e) {
-        done(new Error(`Failed to parse blocklist response: ${e.message}`));
-      }
-    });
+    res.on('end', () => { callback(null, res, data); });
   });
-  req.on('error', (err) => done(err));
-  req.on('timeout', () => { req.destroy(); done(new Error('Sync request timed out')); });
+  req.on('error', (err) => callback(err));
+  req.on('timeout', () => { req.destroy(); callback(new Error('Request timed out')); });
   req.end();
 }
-function notifyLayers(ips) {
-  for (const layer of _layers) {
-    try { if (typeof layer.sync === 'function') layer.sync(ips); } catch (_) {}
-  }
-}
+// ────── Unified Sync (v2 — single request for everything) ──────
-// ────── Allowlist Sync ──────
+function doUnifiedSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/sync');
+  const headers = {};
+  if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
+  if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
-function syncAllowlist(callback) {
-  if (_allowlistSyncInflight) { callback(null, false); return; }
-  _allowlistSyncInflight = true;
+  httpGet(url, headers, 8000, (err, res, data) => {
+    if (err) return callback(err);
-  const done = (...args) => { _allowlistSyncInflight = false; callback(...args); };
+    _stats.versionChecks++;
-  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
-  const mod = url.startsWith('https') ? https : http;
-  const parsed = new URL(url);
+    if (res.statusCode === 304) {
+      return callback(null, { blChanged: false, alChanged: false });
+    }
-  const reqOptions = {
-    hostname: parsed.hostname,
-    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
-    path: parsed.pathname + parsed.search,
-    method: 'GET',
-    headers: {
-      'Authorization': `Bearer ${_options.apiKey}`,
-      'User-Agent': 'securenow-firewall-sdk',
-    },
-    timeout: 10000,
-  };
+    if (res.statusCode === 404) {
+      _useUnifiedSync = false;
+      if (_options.log) console.log('[securenow] Firewall: /sync not available, using legacy endpoints');
+      return callback(null, { blChanged: false, alChanged: false, useLegacy: true });
+    }
-  if (_lastAllowlistSyncEtag) {
-    reqOptions.headers['If-None-Match'] = _lastAllowlistSyncEtag;
-  } else if (_lastAllowlistModified) {
-    reqOptions.headers['If-Modified-Since'] = _lastAllowlistModified;
-  }
+    if (res.statusCode === 429) { handleRetryAfter(res); }
-  const req = mod.request(reqOptions, (res) => {
-    if (res.statusCode === 304) {
-      done(null, false);
-      return;
+    if (res.statusCode !== 200) {
+      return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
     }
-    if (res.statusCode === 429) { handleRetryAfter(res); }
-    let data = '';
-    res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => {
-      if (res.statusCode !== 200) {
-        done(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
-        return;
+    try {
+      const body = JSON.parse(data);
+      let blChanged = false;
+      let alChanged = false;
+      // Update blocklist version + data
+      if (body.blocklist) {
+        const newVer = body.blocklist.version;
+        if (newVer !== _lastVersion) {
+          _lastVersion = newVer;
+          blChanged = true;
+        }
       }
-      try {
-        const body = JSON.parse(data);
-        const ips = body.ips || [];
-        _allowlistRawIps = ips;
-        _allowlistMatcher = createMatcher(ips);
-        _lastAllowlistModified = res.headers['last-modified'] || null;
-        if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
-        done(null, true, _allowlistMatcher.stats());
-      } catch (e) {
-        done(new Error(`Failed to parse allowlist response: ${e.message}`));
+      if (body.blocklistIps) {
+        _rawIps = body.blocklistIps;
+        _matcher = createMatcher(body.blocklistIps);
+        _stats.syncs++;
+        notifyLayers(body.blocklistIps);
+        blChanged = true;
       }
-    });
-  });
-  req.on('error', (err) => done(err));
-  req.on('timeout', () => { req.destroy(); done(new Error('Allowlist sync request timed out')); });
-  req.end();
-}
+      // Update allowlist version + data
+      if (body.allowlist) {
+        const newVer = body.allowlist.version;
+        if (newVer !== _lastAllowlistVersion) {
+          _lastAllowlistVersion = newVer;
+          alChanged = true;
+        }
+      }
-function checkAllowlistVersion(callback) {
-  if (_allowlistVersionCheckInflight || shouldSkipRequest()) { callback(null, false); return; }
-  _allowlistVersionCheckInflight = true;
+      if (body.allowlistIps) {
+        _allowlistRawIps = body.allowlistIps;
+        _allowlistMatcher = createMatcher(body.allowlistIps);
+        alChanged = true;
+      }
-  const done = (...args) => { _allowlistVersionCheckInflight = false; callback(...args); };
+      callback(null, { blChanged, alChanged });
+    } catch (e) {
+      callback(new Error(`Failed to parse sync response: ${e.message}`));
+    }
+  });
+}
-  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
-  const mod = url.startsWith('https') ? https : http;
-  const parsed = new URL(url);
+// ────── Legacy Sync (v1 — separate endpoints, kept for backward compat) ──────
-  const headers = {
-    'Authorization': `Bearer ${_options.apiKey}`,
-    'User-Agent': 'securenow-firewall-sdk',
-  };
-  if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
+function legacyBlocklistSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
+  const headers = {};
+  if (_lastSyncEtag) headers['If-None-Match'] = _lastSyncEtag;
+  else if (_lastModified) headers['If-Modified-Since'] = _lastModified;
-  const req = mod.request({
-    hostname: parsed.hostname,
-    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
-    path: parsed.pathname + parsed.search,
-    method: 'GET',
-    headers,
-    timeout: 5000,
-  }, (res) => {
-    if (res.statusCode === 304) {
-      _allowlistConsecutiveErrors = 0;
-      resetCircuit();
-      res.resume();
-      done(null, false);
-      return;
-    }
+  httpGet(url, headers, 10000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
     if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
-    let data = '';
-    res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => {
-      if (res.statusCode !== 200) {
-        _allowlistConsecutiveErrors++;
-        _stats.errors++;
-        maybeOpenCircuit();
-        done(null, false);
-        return;
-      }
-      _allowlistConsecutiveErrors = 0;
-      resetCircuit();
-      try {
-        const body = JSON.parse(data);
-        const version = body.version || null;
-        const changed = version !== _lastAllowlistVersion;
-        if (changed) _lastAllowlistVersion = version;
-        done(null, changed);
-      } catch (_e) { done(null, false); }
-    });
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      _rawIps = ips;
+      _matcher = createMatcher(ips);
+      _lastModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
+      _stats.syncs++;
+      notifyLayers(ips);
+      callback(null, true, _matcher.stats());
+    } catch (e) {
+      callback(new Error(`Failed to parse blocklist: ${e.message}`));
+    }
   });
-  req.on('error', () => { _allowlistConsecutiveErrors++; _stats.errors++; maybeOpenCircuit(); done(null, false); });
-  req.on('timeout', () => { req.destroy(); _allowlistConsecutiveErrors++; _stats.errors++; maybeOpenCircuit(); done(null, false); });
-  req.end();
 }
-function doFullAllowlistSync() {
-  syncAllowlist((err, changed, stats) => {
-    if (err) {
-      if (_options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
-    } else if (changed && stats && _options.log) {
-      console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+function legacyAllowlistSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
+  const headers = {};
+  if (_lastAllowlistSyncEtag) headers['If-None-Match'] = _lastAllowlistSyncEtag;
+  else if (_lastAllowlistModified) headers['If-Modified-Since'] = _lastAllowlistModified;
+  httpGet(url, headers, 10000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      _allowlistRawIps = ips;
+      _allowlistMatcher = createMatcher(ips);
+      _lastAllowlistModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
+      callback(null, true, _allowlistMatcher.stats());
+    } catch (e) {
+      callback(new Error(`Failed to parse allowlist: ${e.message}`));
     }
   });
 }
-function scheduleNextAllowlistVersionCheck() {
-  const baseMs = (_options.versionCheckInterval || 10) * 1000;
-  const backoffMs = Math.min(baseMs * Math.pow(2, _allowlistConsecutiveErrors), 120_000);
-  const delayMs = jitter(backoffMs);
+function legacyVersionCheck(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
+  const headers = {};
+  if (_lastVersion) headers['If-None-Match'] = _lastVersion;
-  _allowlistVersionTimer = setTimeout(() => {
-    checkAllowlistVersion((_err, changed) => {
-      if (changed) {
-        if (_options.log) console.log('[securenow] Firewall: allowlist version changed, syncing…');
-        doFullAllowlistSync();
-      }
-      scheduleNextAllowlistVersionCheck();
-    });
-  }, delayMs);
-  if (_allowlistVersionTimer.unref) _allowlistVersionTimer.unref();
+  httpGet(url, headers, 5000, (err, res, data) => {
+    if (err) return callback(err);
+    _stats.versionChecks++;
+    if (res.statusCode === 304) return callback(null, false, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API ${res.statusCode}`));
+    try {
+      const body = JSON.parse(data);
+      const version = body.version || null;
+      const changed = version !== _lastVersion;
+      if (changed) _lastVersion = version;
+      callback(null, changed, false);
+    } catch (_e) { callback(null, false, false); }
+  });
 }
-function checkVersion(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
-  const mod = url.startsWith('https') ? https : http;
-  const parsed = new URL(url);
+function legacyAllowlistVersionCheck(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
+  const headers = {};
+  if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
-  const headers = {
-    'Authorization': `Bearer ${_options.apiKey}`,
-    'User-Agent': 'securenow-firewall-sdk',
-  };
-  if (_lastVersion) headers['If-None-Match'] = _lastVersion;
+  httpGet(url, headers, 5000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API ${res.statusCode}`));
-  const req = mod.request({
-    hostname: parsed.hostname,
-    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
-    path: parsed.pathname + parsed.search,
-    method: 'GET',
-    headers,
-    timeout: 5000,
-  }, (res) => {
-    _stats.versionChecks++;
+    try {
+      const body = JSON.parse(data);
+      const version = body.version || null;
+      const changed = version !== _lastAllowlistVersion;
+      if (changed) _lastAllowlistVersion = version;
+      callback(null, changed);
+    } catch (_e) { callback(null, false); }
+  });
+}
-    if (res.statusCode === 304) {
-      _consecutiveErrors = 0;
-      res.resume();
-      callback(null, false);
-      return;
+function doLegacyPoll(callback) {
+  let pending = 2;
+  let blChanged = false;
+  let alChanged = false;
+  let firstError = null;
+  function checkDone() {
+    if (--pending > 0) return;
+    if (firstError) return callback(firstError);
+    let syncsPending = 0;
+    if (blChanged) syncsPending++;
+    if (alChanged) syncsPending++;
+    if (syncsPending === 0) return callback(null, { blChanged: false, alChanged: false });
+    function syncDone() {
+      if (--syncsPending > 0) return;
+      callback(null, { blChanged, alChanged });
     }
-    let data = '';
-    res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => {
-      if (res.statusCode !== 200) {
-        _consecutiveErrors++;
-        _stats.errors++;
-        callback(null, false);
-        return;
-      }
-      _consecutiveErrors = 0;
-      try {
-        const body = JSON.parse(data);
-        const version = body.version || null;
-        const changed = version !== _lastVersion;
-        if (changed) _lastVersion = version;
-        callback(null, changed);
-      } catch (_e) { callback(null, false); }
-    });
+    if (blChanged) {
+      legacyBlocklistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+        syncDone();
+      });
+    }
+    if (alChanged) {
+      legacyAllowlistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+        syncDone();
+      });
+    }
+  }
+  legacyVersionCheck((err, changed) => {
+    if (err) firstError = firstError || err;
+    blChanged = changed;
+    checkDone();
   });
-  req.on('error', () => { _consecutiveErrors++; _stats.errors++; callback(null, false); });
-  req.on('timeout', () => { req.destroy(); _consecutiveErrors++; _stats.errors++; callback(null, false); });
-  req.end();
+  legacyAllowlistVersionCheck((err, changed) => {
+    if (err) firstError = firstError || err;
+    alChanged = changed;
+    checkDone();
+  });
+}
+// ────── Unified poll loop ──────
+function notifyLayers(ips) {
+  for (const layer of _layers) {
+    try { if (typeof layer.sync === 'function') layer.sync(ips); } catch (_) {}
+  }
 }
-function doFullSync() {
-  syncBlocklist((err, changed, stats) => {
+function pollOnce(callback) {
+  if (_pollInflight || shouldSkipRequest()) return callback(null);
+  _pollInflight = true;
+  const done = (err, result) => {
+    _pollInflight = false;
     if (err) {
-      if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
-    } else if (changed && stats && _options.log) {
-      console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+      _consecutiveErrors++;
+      _stats.errors++;
+      maybeOpenCircuit();
+      if (_options.log) console.warn('[securenow] Firewall: poll failed:', err.message);
+      return callback(err);
     }
-  });
-}
+    _consecutiveErrors = 0;
+    resetCircuit();
+    if (result) {
+      if (result.blChanged && _options.log && _matcher) {
+        const s = _matcher.stats();
+        console.log('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (result.alChanged && _options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        console.log('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+    }
+    callback(null);
+  };
-function jitter(baseMs) {
-  return baseMs * (0.8 + Math.random() * 0.4);
+  if (_useUnifiedSync) {
+    doUnifiedSync((err, result) => {
+      if (err) return done(err);
+      if (result && result.useLegacy) {
+        doLegacyPoll(done);
+      } else {
+        done(null, result);
+      }
+    });
+  } else {
+    doLegacyPoll(done);
+  }
 }
-function scheduleNextVersionCheck() {
+function scheduleNextPoll() {
   const baseMs = (_options.versionCheckInterval || 10) * 1000;
   const backoffMs = Math.min(baseMs * Math.pow(2, _consecutiveErrors), 120_000);
   const delayMs = jitter(backoffMs);
-  _versionTimer = setTimeout(() => {
-    checkVersion((_err, changed) => {
-      if (changed) {
-        if (_options.log) console.log('[securenow] Firewall: blocklist version changed, syncing…');
-        doFullSync();
-      }
-      scheduleNextVersionCheck();
-    });
+  _pollTimer = setTimeout(() => {
+    pollOnce(() => { scheduleNextPoll(); });
   }, delayMs);
-  if (_versionTimer.unref) _versionTimer.unref();
+  if (_pollTimer.unref) _pollTimer.unref();
 }
 function startSyncLoop() {
   const fullSyncIntervalMs = (_options.syncInterval || 300) * 1000;
-  const RETRY_DELAY = 5000;
+  const BASE_RETRY = 5000;
+  const MAX_RETRY = 120_000;
+  let _initAttempt = 0;
   function initialSync() {
-    syncBlocklist((err, changed, stats) => {
+    // Use unified endpoint for initial sync too
+    const syncFn = _useUnifiedSync ? doUnifiedSync : (cb) => doLegacyPoll(cb);
+    syncFn((err, result) => {
       if (err) {
         const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
         if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
@@ -423,42 +435,58 @@ function startSyncLoop() {
           if (retryTimer.unref) retryTimer.unref();
           return;
         }
+        if (result && result.useLegacy) {
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
         if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
         if (_options.failMode === 'closed') {
           _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
         }
-        const retryTimer = setTimeout(initialSync, RETRY_DELAY);
+        _initAttempt++;
+        const delay = Math.min(BASE_RETRY * Math.pow(2, _initAttempt), MAX_RETRY);
+        const retryTimer = setTimeout(initialSync, jitter(delay));
         if (retryTimer.unref) retryTimer.unref();
         return;
       }
-      if (changed && stats) {
-        if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
-      }
-      _initialized = true;
-    });
-  }
-  function initialAllowlistSync() {
-    syncAllowlist((err, changed, stats) => {
-      if (err) {
-        if (_options.log) console.warn('[securenow] Firewall: initial allowlist sync failed:', err.message);
-        const retryTimer = setTimeout(initialAllowlistSync, RETRY_DELAY);
+      if (result && result.useLegacy) {
+        const retryTimer = setTimeout(initialSync, 1000);
         if (retryTimer.unref) retryTimer.unref();
         return;
       }
-      if (changed && stats && stats.total > 0) {
-        if (_options.log) console.log('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+      _initialized = true;
+      if (_options.log && _matcher) {
+        const s = _matcher.stats();
+        console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (_options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        if (s.total > 0) console.log('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
       }
     });
   }
   initialSync();
-  initialAllowlistSync();
-  scheduleNextVersionCheck();
-  scheduleNextAllowlistVersionCheck();
-  _syncTimer = setInterval(() => { doFullSync(); doFullAllowlistSync(); }, fullSyncIntervalMs);
+  scheduleNextPoll();
+  // Safety-net full sync timer (less frequent, uses same path)
+  _syncTimer = setInterval(() => {
+    if (shouldSkipRequest()) return;
+    // Force a full re-fetch by clearing versions so unified endpoint returns full data
+    const savedBlVer = _lastVersion;
+    const savedAlVer = _lastAllowlistVersion;
+    _lastVersion = null;
+    _lastAllowlistVersion = null;
+    pollOnce((err) => {
+      if (err) {
+        _lastVersion = savedBlVer;
+        _lastAllowlistVersion = savedAlVer;
+      }
+    });
+  }, fullSyncIntervalMs);
   if (_syncTimer.unref) _syncTimer.unref();
 }
@@ -541,7 +569,6 @@ function firewallRequestHandler(req, res) {
       sendBlockResponse(req, res, ip);
       return true;
     }
-    // IP is on the allowlist — skip blocklist check, allow through
     return false;
   }
@@ -575,7 +602,6 @@ function patchHttpLayer() {
   if (_httpPatched) return;
   _httpPatched = true;
-  // Patch Server.prototype.emit to intercept requests on already-created servers
   patchEmitLayer();
   http.createServer = function(...args) {
@@ -602,11 +628,9 @@ function init(options) {
   if (_options.log) console.log('[securenow] Firewall: ENABLED');
-  // Layer 1: HTTP (always on)
   patchHttpLayer();
   if (_options.log) console.log('[securenow] Firewall: Layer 1 (HTTP 403)      active');
-  // Layer 2: TCP
   if (_options.tcp) {
     try {
       const tcpLayer = require('./firewall-tcp');
@@ -620,7 +644,6 @@ function init(options) {
     if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       disabled (set SECURENOW_FIREWALL_TCP=1)');
   }
-  // Layer 3: iptables
   if (_options.iptables) {
     try {
       const iptablesLayer = require('./firewall-iptables');
@@ -634,7 +657,6 @@ function init(options) {
     if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       disabled (set SECURENOW_FIREWALL_IPTABLES=1)');
   }
-  // Layer 4: Cloud WAF
   if (_options.cloud) {
     try {
       const cloudLayer = require('./firewall-cloud');
@@ -652,10 +674,18 @@ function init(options) {
 }
 function shutdown() {
-  if (_versionTimer) { clearTimeout(_versionTimer); _versionTimer = null; }
-  if (_allowlistVersionTimer) { clearTimeout(_allowlistVersionTimer); _allowlistVersionTimer = null; }
+  if (_pollTimer) { clearTimeout(_pollTimer); _pollTimer = null; }
   if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
+  _circuitState = 'closed';
+  _circuitOpenedAt = 0;
+  _consecutiveErrors = 0;
+  _pollInflight = false;
+  _retryAfterUntil = 0;
+  _httpAgent.destroy();
+  _httpsAgent.destroy();
   for (const layer of _layers) {
     try { if (typeof layer.shutdown === 'function') layer.shutdown(); } catch (_) {}
   }
@@ -678,6 +708,9 @@ function getStats() {
     matcher: _matcher ? _matcher.stats() : null,
     allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
     initialized: _initialized,
+    circuitState: _circuitState,
+    consecutiveErrors: _consecutiveErrors,
+    unifiedSync: _useUnifiedSync,
   };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.16.3",
+  "version": "5.17.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",