securenow 5.18.0 → 6.0.0

package/register.js

@@ -1,49 +1,14 @@
-// securenow/register.js — the only preload customers need:
-//   node --require securenow/register app.js
-//
-// For ESM apps ("type": "module"), this file auto-registers the
-// OpenTelemetry ESM loader hook via module.register() (Node >=20.6).
-// On older Node versions it falls back to a warning.
+// securenow/preload.js
 'use strict';
 
-// 1. load .env before anything else
+// load .env into process.env before anything else
 try {
   require('dotenv').config();
   console.log('[securenow] dotenv loaded from', process.env.DOTENV_CONFIG_PATH || '.env');
 } catch (e) {
+  // dotenv is optional — only warn if it’s missing
   console.warn('[securenow] dotenv not found or failed to load');
 }
 
-// 2. Auto-register the ESM loader hook so customers never need --import
-(() => {
-  try {
-    const fs = require('fs');
-    const path = require('path');
-    const pkgPath = path.resolve(process.cwd(), 'package.json');
-    if (!fs.existsSync(pkgPath)) return;
-
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-    if (pkg.type !== 'module') return;
-
-    // Already registered via --import?
-    const execArgv = process.execArgv.join(' ');
-    if (execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle')) return;
-
-    // Node >=20.6 exposes module.register() for programmatic ESM hooks
-    const mod = require('node:module');
-    if (typeof mod.register !== 'function') {
-      console.warn('[securenow] ESM app detected but Node %s lacks module.register().', process.version);
-      console.warn('[securenow]    Upgrade to Node >=20.6 or add: --import @opentelemetry/instrumentation/hook.mjs');
-      return;
-    }
-
-    const { pathToFileURL } = require('node:url');
-    mod.register('@opentelemetry/instrumentation/hook.mjs', pathToFileURL(__filename));
-    console.log('[securenow] ESM loader hook auto-registered (module.register)');
-  } catch (_) {
-    // Non-fatal — tracing.js will show its own ESM warning if the hook is missing
-  }
-})();
-
-// 3. Run the OTel SDK setup
+// then run the real tracer preload
 require('./tracing');

package/tracing.d.ts

@@ -112,7 +112,7 @@ export interface LoggerProvider {
 }
 
 /**
- * Get a logger instance for sending structured logs to any OTLP-compatible backend
+ * Get a logger instance for sending structured logs to SigNoz
  * 
  * @param name - Logger name (e.g., 'my-service', 'auth-module')
  * @param version - Logger version (optional, defaults to '1.0.0')
@@ -178,6 +178,5 @@ export const loggerProvider: LoggerProvider | null;
  * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2
  * - OTEL_LOG_LEVEL=info|debug
  * - SECURENOW_TEST_SPAN=1
- * - SECURENOW_TRUSTED_PROXIES=ip1,ip2       # Additional trusted proxy IPs for X-Forwarded-For
  * - OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=...    # Override logs endpoint
  */

package/tracing.js

@@ -1,12 +1,7 @@
 'use strict';
 
 /**
- * Preload with: node --require securenow/register app.js
- *
- * Works for both CJS and ESM apps. On Node >=20.6 the ESM loader hook is
- * auto-registered via module.register() — no --import flag needed.
- * On Node 18 with "type": "module", add the hook manually:
- *   node --import @opentelemetry/instrumentation/hook.mjs --require securenow/register app.js
+ * Preload with: NODE_OPTIONS="-r securenow/register"
  *
  * Env:
  *   SECURENOW_APPID=logical-name              # or OTEL_SERVICE_NAME=logical-name
@@ -16,7 +11,6 @@
  *   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=...    # full traces URL
  *   OTEL_EXPORTER_OTLP_HEADERS="k=v,k2=v2"
  *   SECURENOW_DISABLE_INSTRUMENTATIONS="pkg1,pkg2"
- *   SECURENOW_CAPTURE_MULTIPART=1                # capture multipart/form-data fields & file metadata (streaming, no file content buffered)
  *   OTEL_LOG_LEVEL=info|debug
  *   SECURENOW_TEST_SPAN=1
  *
@@ -24,7 +18,7 @@
  *   SECURENOW_STRICT=1  -> if no appid/name is provided in cluster, exit(1) so PM2 restarts the worker
  */
 
-const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
+const { diag, DiagConsoleLogger, DiagLogLevel } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
 const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
@@ -32,7 +26,6 @@ const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-
 const { Resource } = require('@opentelemetry/resources');
 const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
 const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
-const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongodb');
 const { v4: uuidv4 } = require('uuid');
 
 const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
@@ -53,10 +46,6 @@ const DEFAULT_SENSITIVE_FIELDS = [
   'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
 ];
 
-function escapeRegex(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
 /**
  * Redact sensitive fields from an object
  */
@@ -65,7 +54,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key of Object.keys(redacted)) {
+  for (const key in redacted) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -88,10 +77,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   // Redact sensitive fields in GraphQL arguments and variables
   sensitiveFields.forEach(field => {
-    const escaped = escapeRegex(field);
+    // Match patterns: field: "value" or field: 'value' or field:"value"
     const patterns = [
-      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -108,155 +97,6 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
-// -------- Multipart streaming parser --------
-// Streams through the request without buffering file content.
-// Only part headers and text-field values are kept in memory,
-// so memory stays bounded (~few KB) regardless of upload size.
-
-function extractBoundary(contentType) {
-  const match = contentType.match(/boundary=(?:"([^"]+)"|([^\s;]+))/i);
-  return match ? (match[1] || match[2]) : null;
-}
-
-function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFieldSize, onComplete) {
-  const boundary = extractBoundary(contentType);
-  if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return; }
-
-  const result = { fields: Object.create(null), files: [] };
-  let totalSize = 0;
-  let buf = Buffer.alloc(0);
-
-  const MAX_PARTS = 100;
-  let partCount = 0;
-
-  const FIRST_DELIM = Buffer.from('--' + boundary);
-  const DELIM       = Buffer.from('\r\n--' + boundary);
-  const HDR_END     = Buffer.from('\r\n\r\n');
-
-  let initialized = false;
-  let inHeaders = true;
-  let isFile = false;
-  let fldName = '';
-  let fName = '';
-  let pCT = '';
-  let bodyBytes = 0;
-  let textVal = '';
-
-  function flushPart() {
-    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
-    if (isFile) {
-      result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
-    } else {
-      const lower = fldName.toLowerCase();
-      const redact = sensitiveFields.some(f => lower.includes(f.toLowerCase()));
-      result.fields[fldName] = redact ? '[REDACTED]' : textVal.substring(0, maxTextFieldSize);
-    }
-    fldName = ''; bodyBytes = 0; textVal = ''; partCount++;
-  }
-
-  function drain() {
-    if (!initialized) {
-      const i = buf.indexOf(FIRST_DELIM);
-      if (i === -1) {
-        if (buf.length > FIRST_DELIM.length + 4) buf = buf.slice(buf.length - FIRST_DELIM.length - 4);
-        return;
-      }
-      buf = buf.slice(i + FIRST_DELIM.length);
-      initialized = true;
-      inHeaders = true;
-    }
-
-    let guard = 200;
-    while (buf.length > 0 && guard-- > 0 && partCount < MAX_PARTS) {
-      if (inHeaders) {
-        if (buf.length >= 2 && buf[0] === 0x2D && buf[1] === 0x2D) { buf = Buffer.alloc(0); return; }
-        if (buf.length >= 2 && buf[0] === 0x0D && buf[1] === 0x0A) { buf = buf.slice(2); continue; }
-
-        const hi = buf.indexOf(HDR_END);
-        if (hi === -1) return;
-
-        const hdr = buf.slice(0, hi).toString('latin1');
-        buf = buf.slice(hi + 4);
-
-        const nm = hdr.match(/name="([^"]+)"/);
-        const fn = hdr.match(/filename="([^"]*)"/);
-        const ct = hdr.match(/Content-Type:\s*(.+)/i);
-        fldName = nm ? nm[1] : '';
-        fName   = fn ? fn[1] : '';
-        pCT     = ct ? ct[1].trim() : '';
-        isFile  = !!fn;
-        bodyBytes = 0;
-        textVal = '';
-        inHeaders = false;
-      }
-
-      const di = buf.indexOf(DELIM);
-      if (di === -1) {
-        const safe = Math.max(0, buf.length - DELIM.length - 2);
-        if (safe > 0) {
-          bodyBytes += safe;
-          if (!isFile && textVal.length < maxTextFieldSize) {
-            textVal += buf.slice(0, safe).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-          }
-          buf = buf.slice(safe);
-        }
-        return;
-      }
-
-      bodyBytes += di;
-      if (!isFile && textVal.length < maxTextFieldSize) {
-        textVal += buf.slice(0, di).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-      }
-      flushPart();
-      buf = buf.slice(di + DELIM.length);
-      inHeaders = true;
-    }
-  }
-
-  request.on('data', (chunk) => {
-    totalSize += chunk.length;
-    buf = Buffer.concat([buf, chunk]);
-    drain();
-  });
-
-  request.on('end', () => {
-    try {
-      if (!inHeaders && fldName) {
-        bodyBytes += buf.length;
-        if (!isFile) textVal += buf.toString('utf8').substring(0, maxTextFieldSize - textVal.length);
-        flushPart();
-      }
-      onComplete({ parsed: result, totalSize });
-    } catch (e) {
-      onComplete({ error: 'PARSE_ERROR' });
-    }
-  });
-}
-
-// -------- ESM detection --------
-// register.js auto-registers the hook via module.register() on Node >=20.6.
-// This warning only fires if BOTH --import AND module.register() were skipped
-// (e.g. Node 18, or require('securenow/tracing') called directly without register.js).
-(() => {
-  try {
-    const fs = require('fs');
-    const path = require('path');
-    const pkgPath = path.resolve(process.cwd(), 'package.json');
-    if (fs.existsSync(pkgPath)) {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-      if (pkg.type === 'module') {
-        const execArgv = process.execArgv.join(' ');
-        const hasCliHook = execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle');
-        const hasModuleRegister = typeof require('node:module').register === 'function';
-        if (!hasCliHook && !hasModuleRegister) {
-          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
-          console.warn('[securenow]    Upgrade to Node >=20.6 (recommended) or add: --import @opentelemetry/instrumentation/hook.mjs');
-        }
-      }
-    }
-  } catch (_) {}
-})();
-
 // -------- diagnostics --------
 (() => {
   const L = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
@@ -320,44 +160,21 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 
 // -------- Body Capture Configuration --------
 const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true';
-const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
+const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
-const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || String(env('SECURENOW_CAPTURE_MULTIPART')).toLowerCase() === 'true';
-
-// -------- Trusted proxy IP resolution --------
-const { resolveClientIp, isFromTrustedProxy, LOOPBACK_RE } = require('./resolve-ip');
-
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
 const httpInstrumentation = new HttpInstrumentation({
   requestHook: (span, request) => {
     try {
-      const clientIp = resolveClientIp(request);
-      if (clientIp) {
-        span.setAttribute('http.client_ip', clientIp);
-      }
-
-      if (request.headers) {
-        const SKIP_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization', 'set-cookie', 'x-api-key', 'x-auth-token']);
-        const safe = {};
-        for (const [k, v] of Object.entries(request.headers)) {
-          if (SKIP_HEADERS.has(k.toLowerCase())) { safe[k] = '[REDACTED]'; continue; }
-          safe[k] = typeof v === 'string' ? v.substring(0, 500) : String(v);
-        }
-        const serialized = JSON.stringify(safe);
-        if (serialized.length <= 8192) {
-          span.setAttribute('http.request.headers', serialized);
-        }
-      }
-
-      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+      if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
         
-        if (captureBody && (contentType.includes('application/json') || 
+        if (contentType.includes('application/json') || 
             contentType.includes('application/graphql') ||
-            contentType.includes('application/x-www-form-urlencoded'))) {
+            contentType.includes('application/x-www-form-urlencoded')) {
           
           let body = '';
           const chunks = [];
@@ -405,9 +222,9 @@ const httpInstrumentation = new HttpInstrumentation({
                   });
                 }
               } catch (e) {
-                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
+                // Parse error: capture as-is (truncated)
+                span.setAttribute('http.request.body', body.substring(0, 1000));
                 span.setAttribute('http.request.body.parse_error', true);
-                span.setAttribute('http.request.body.size', size);
               }
             } else if (size > maxBodySize) {
               span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
@@ -415,38 +232,10 @@ const httpInstrumentation = new HttpInstrumentation({
             }
           });
         } else if (contentType.includes('multipart/form-data')) {
-          if (captureMultipart) {
-            collectMultipartMeta(request, contentType, allSensitiveFields, 1000, ({ error, parsed, totalSize }) => {
-              try {
-                if (error === 'BOUNDARY_NOT_FOUND') {
-                  span.setAttribute('http.request.body', '[MULTIPART - BOUNDARY NOT FOUND]');
-                  span.setAttribute('http.request.body.type', 'multipart');
-                  return;
-                }
-                if (error) {
-                  span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
-                  span.setAttribute('http.request.body.type', 'multipart');
-                  span.setAttribute('http.request.body.parse_error', true);
-                  return;
-                }
-                span.setAttributes({
-                  'http.request.body': JSON.stringify(parsed).substring(0, maxBodySize),
-                  'http.request.body.type': 'multipart',
-                  'http.request.body.size': totalSize,
-                  'http.request.body.fields_count': Object.keys(parsed.fields).length,
-                  'http.request.body.files_count': parsed.files.length,
-                });
-              } catch (e) {
-                span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
-                span.setAttribute('http.request.body.type', 'multipart');
-                span.setAttribute('http.request.body.parse_error', true);
-              }
-            });
-          } else {
-            span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-            span.setAttribute('http.request.body.type', 'multipart');
-            span.setAttribute('http.request.body.note', 'Set SECURENOW_CAPTURE_MULTIPART=1 to enable');
-          }
+          // Multipart is NOT captured
+          span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+          span.setAttribute('http.request.body.type', 'multipart');
+          span.setAttribute('http.request.body.note', 'File uploads not captured by design');
         }
       }
     } catch (error) {
@@ -456,7 +245,7 @@ const httpInstrumentation = new HttpInstrumentation({
 });
 
 // -------- Logging Configuration --------
-const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) !== '0' && String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() !== 'false';
 
 // Create shared resource for both traces and logs
 const sharedResource = new Resource({
@@ -468,6 +257,7 @@ const sharedResource = new Resource({
 
 // Initialize LoggerProvider if logging is enabled
 let loggerProvider = null;
+let globalLogger = null;
 
 if (loggingEnabled) {
   const logExporter = new OTLPLogExporter({ 
@@ -475,35 +265,12 @@ if (loggingEnabled) {
     headers 
   });
   
-  const batchLogProcessor = new BatchLogRecordProcessor(logExporter);
   loggerProvider = new LoggerProvider({
     resource: sharedResource,
+    processors: [new BatchLogRecordProcessor(logExporter)],
   });
-  loggerProvider.addLogRecordProcessor(batchLogProcessor);
-
-  // Auto-patch console.* so every log/warn/error becomes an OTel log record
-  const _logger = loggerProvider.getLogger('console', '1.0.0');
-  const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
-  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-  function _emit(sn, st, args) {
-    try {
-      const activeCtx = context.active();
-      const spanCtx = trace.getSpanContext(activeCtx);
-      _logger.emit({
-        severityNumber: sn,
-        severityText: st,
-        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
-        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
-        ...(spanCtx && { context: activeCtx }),
-      });
-    } catch (_) {}
-  }
-  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
-  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
-  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
-  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
-  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
-  console.__securenow_patched = true;
+  
+  globalLogger = loggerProvider.getLogger('securenow', '1.0.0');
 }
 
 // -------- SDK --------
@@ -512,11 +279,9 @@ const sdk = new NodeSDK({
   traceExporter,
   instrumentations: [
     httpInstrumentation,
-    ...(disabledMap['@opentelemetry/instrumentation-mongodb'] ? [] : [new MongoDBInstrumentation()]),
     ...getNodeAutoInstrumentations({ 
       ...disabledMap,
-      '@opentelemetry/instrumentation-http': { enabled: false },
-      '@opentelemetry/instrumentation-mongodb': { enabled: false },
+      '@opentelemetry/instrumentation-http': { enabled: false }, // We use our custom one above
     }),
   ],
   resource: sharedResource,
@@ -535,52 +300,22 @@ const sdk = new NodeSDK({
     if (captureBody) {
       console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
     }
-    if (captureMultipart) {
-      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
-    }
     if (String(env('SECURENOW_TEST_SPAN')) === '1') {
       const api = require('@opentelemetry/api');
       const tracer = api.trace.getTracer('securenow-smoke');
       const span = tracer.startSpan('securenow.startup.smoke'); span.end();
     }
-
-    // Free trial banner
-    const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
-    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
-      patchHttpForBanner();
-    }
-
-    // Firewall — auto-activates when SECURENOW_API_KEY is set
-    const firewallApiKey = env('SECURENOW_API_KEY');
-    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
-      require('./firewall').init({
-        apiKey: firewallApiKey,
-        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-        log: env('SECURENOW_FIREWALL_LOG') !== '0',
-        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
-      });
-    }
   } catch (e) {
     console.error('[securenow] OTel start failed:', e && e.stack || e);
   }
 })();
 
-let shuttingDown = false;
 async function safeShutdown(sig) {
-  if (shuttingDown) return;
-  shuttingDown = true;
   try { 
     await Promise.resolve(sdk.shutdown?.()); 
     if (loggerProvider) {
       await Promise.resolve(loggerProvider.shutdown?.());
     }
-    try { require('./firewall').shutdown(); } catch (_) {}
     console.log(`[securenow] Tracing and logging terminated on ${sig}`); 
   }
   catch (e) { console.error('[securenow] Shutdown error:', e); }