securenow 6.0.1 → 6.1.0

package/examples/nextjs-instrumentation.js

@@ -21,7 +21,7 @@ export function register() {
  *   SECURENOW_APPID=my-nextjs-app
  * 
  * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   SECURENOW_INSTANCE=http://your-otlp-collector:4318
  *   SECURENOW_NO_UUID=1                    # Don't append UUID to service name
  *   OTEL_LOG_LEVEL=info                    # debug|info|warn|error
  *   SECURENOW_DISABLE_INSTRUMENTATIONS=fs  # Comma-separated list

package/examples/nextjs-instrumentation.ts

@@ -21,7 +21,7 @@ export function register() {
  *   SECURENOW_APPID=my-nextjs-app
  * 
  * Optional:
- *   SECURENOW_INSTANCE=http://your-signoz-server:4318
+ *   SECURENOW_INSTANCE=http://your-otlp-collector:4318
  *   SECURENOW_NO_UUID=1                    # Don't append UUID to service name
  *   OTEL_LOG_LEVEL=info                    # debug|info|warn|error
  *   SECURENOW_DISABLE_INSTRUMENTATIONS=fs  # Comma-separated list

package/examples/nextjs-with-logging-example.md

@@ -39,9 +39,9 @@ SECURENOW_LOGGING_ENABLED=1
 SECURENOW_APPID=my-nextjs-app
 SECURENOW_INSTANCE=http://localhost:4318
 
-# For SigNoz Cloud:
-# SECURENOW_INSTANCE=https://ingest.<region>.signoz.cloud:443
-# OTEL_EXPORTER_OTLP_HEADERS="signoz-ingestion-key=<your-key>"
+# For SecureNow or managed OTLP (example):
+# SECURENOW_INSTANCE=https://ingest.<region>.securenow.ai:443
+# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=<your-key>"
 ```
 
 ### 4. Enable Instrumentation in `next.config.js`
@@ -239,9 +239,9 @@ You should see in the console:
 SecureNow initialized with logging enabled
 ```
 
-## View Logs in SigNoz
+## View Logs in SecureNow
 
-1. Open your SigNoz dashboard
+1. Open your SecureNow dashboard
 2. Navigate to **Logs** section
 3. Filter by `service.name = my-nextjs-app`
 4. See all your application logs with:
@@ -298,4 +298,4 @@ await import('securenow/console-instrumentation');  // Second
 
 - [Complete Logging Guide](../docs/LOGGING-GUIDE.md)
 - [Next.js Complete Guide](../docs/NEXTJS-GUIDE.md)
-- [View Logs in SigNoz](https://signoz.io/docs/logs-management/overview/)
+- [SecureNow](https://securenow.ai/)

package/examples/nextjs-with-options.ts

@@ -10,7 +10,7 @@ import { registerSecureNow } from 'securenow/nextjs';
 export function register() {
   registerSecureNow({
     serviceName: 'my-nextjs-app',
-    endpoint: 'http://your-signoz-server:4318',
+    endpoint: 'http://your-otlp-collector:4318',
     noUuid: false,
     disableInstrumentations: ['fs', 'dns'],
     headers: {

package/examples/test-nextjs-setup.js

@@ -58,7 +58,7 @@ setTimeout(() => {
   console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
   console.log('✅ All tests passed!');
   console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
-  console.log('\nCheck your SigNoz dashboard for traces from "test-nextjs-app"\n');
+  console.log('\nCheck your SecureNow dashboard for traces from "test-nextjs-app"\n');
   process.exit(0);
 }, 2000);
 

package/firewall-cloud.js

@@ -0,0 +1,212 @@
+'use strict';
+
+/**
+ * Layer 4: Cloud/Edge WAF integration.
+ * Pushes the blocklist to the customer's cloud WAF provider so traffic is
+ * blocked at the CDN/edge before it ever reaches the origin server.
+ *
+ * Supported providers: cloudflare, aws, gcp
+ * Cloud SDKs are optional peer dependencies — only required when enabled.
+ * Cloud credentials are never logged.
+ */
+
+const https = require('https');
+
+let _options = null;
+let _active = false;
+let _provider = null;
+let _lastPushTime = 0;
+
+const MIN_PUSH_INTERVAL_MS = 30000;
+
+// ────── Cloudflare ──────
+
+async function cloudflareSync(ips) {
+  const token = process.env.CLOUDFLARE_API_TOKEN;
+  const accountId = process.env.CLOUDFLARE_ACCOUNT_ID;
+  if (!token || !accountId) throw new Error('Missing CLOUDFLARE_API_TOKEN or CLOUDFLARE_ACCOUNT_ID');
+
+  const listName = 'securenow-blocklist';
+
+  const lists = await cfApi('GET', `/accounts/${accountId}/rules/lists`, token);
+  let list = lists.result?.find(l => l.name === listName);
+
+  if (!list) {
+    const created = await cfApi('POST', `/accounts/${accountId}/rules/lists`, token, {
+      name: listName,
+      kind: 'ip',
+      description: 'Managed by SecureNow firewall SDK',
+    });
+    list = created.result;
+  }
+
+  const items = ips.map(ip => ({ ip: ip.includes('/') ? ip : ip + '/32' }));
+
+  await cfApi('PUT', `/accounts/${accountId}/rules/lists/${list.id}/items`, token, items);
+}
+
+function cfApi(method, path, token, body) {
+  return new Promise((resolve, reject) => {
+    const data = body ? JSON.stringify(body) : null;
+    const req = https.request({
+      hostname: 'api.cloudflare.com',
+      path: '/client/v4' + path,
+      method,
+      headers: {
+        'Authorization': `Bearer ${token}`,
+        'Content-Type': 'application/json',
+        ...(data ? { 'Content-Length': Buffer.byteLength(data) } : {}),
+      },
+      timeout: 15000,
+    }, (res) => {
+      let chunks = '';
+      res.on('data', c => chunks += c);
+      res.on('end', () => {
+        try { resolve(JSON.parse(chunks)); } catch (e) { reject(new Error(`CF parse error: ${chunks.slice(0, 200)}`)); }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Cloudflare API timeout')); });
+    if (data) req.write(data);
+    req.end();
+  });
+}
+
+// ────── AWS WAF ──────
+
+async function awsSync(ips) {
+  let WAFV2;
+  try {
+    WAFV2 = require('@aws-sdk/client-wafv2');
+  } catch {
+    throw new Error('AWS WAF requires @aws-sdk/client-wafv2 — install it: npm i @aws-sdk/client-wafv2');
+  }
+
+  const ipSetId = process.env.AWS_WAF_IP_SET_ID;
+  const ipSetName = process.env.AWS_WAF_IP_SET_NAME || 'securenow-blocklist';
+  const scope = process.env.AWS_WAF_SCOPE || 'REGIONAL';
+  if (!ipSetId) throw new Error('Missing AWS_WAF_IP_SET_ID');
+
+  const client = new WAFV2.WAFV2Client({});
+
+  const { IPSet, LockToken } = await client.send(new WAFV2.GetIPSetCommand({
+    Name: ipSetName,
+    Scope: scope,
+    Id: ipSetId,
+  }));
+
+  const addresses = ips.map(ip => ip.includes('/') ? ip : ip + '/32');
+
+  await client.send(new WAFV2.UpdateIPSetCommand({
+    Name: ipSetName,
+    Scope: scope,
+    Id: ipSetId,
+    Addresses: addresses,
+    LockToken,
+    Description: 'Managed by SecureNow firewall SDK',
+  }));
+}
+
+// ────── GCP Cloud Armor ──────
+
+async function gcpSync(ips) {
+  let compute;
+  try {
+    compute = require('@google-cloud/compute');
+  } catch {
+    throw new Error('GCP Cloud Armor requires @google-cloud/compute — install it: npm i @google-cloud/compute');
+  }
+
+  const project = process.env.GCP_PROJECT_ID;
+  const policyName = process.env.GCP_SECURITY_POLICY;
+  if (!project || !policyName) throw new Error('Missing GCP_PROJECT_ID or GCP_SECURITY_POLICY');
+
+  const client = new compute.SecurityPoliciesClient();
+  const rulePriority = 2000;
+
+  const srcRanges = ips.map(ip => ip.includes('/') ? ip : ip + '/32');
+
+  try {
+    await client.patchRule({
+      project,
+      securityPolicy: policyName,
+      priority: String(rulePriority),
+      securityPolicyRuleResource: {
+        priority: rulePriority,
+        action: 'deny(403)',
+        match: { versionedExpr: 'SRC_IPS_V1', config: { srcIpRanges: srcRanges } },
+        description: 'Managed by SecureNow firewall SDK',
+      },
+    });
+  } catch (e) {
+    if (e.code === 404 || e.message?.includes('not found')) {
+      await client.addRule({
+        project,
+        securityPolicy: policyName,
+        securityPolicyRuleResource: {
+          priority: rulePriority,
+          action: 'deny(403)',
+          match: { versionedExpr: 'SRC_IPS_V1', config: { srcIpRanges: srcRanges } },
+          description: 'Managed by SecureNow firewall SDK',
+        },
+      });
+    } else {
+      throw e;
+    }
+  }
+}
+
+// ────── Provider dispatch ──────
+
+const PROVIDERS = {
+  cloudflare: cloudflareSync,
+  aws: awsSync,
+  gcp: gcpSync,
+};
+
+// ────── Public API ──────
+
+function init(options) {
+  _options = options;
+  const provider = (options.cloud || '').toLowerCase();
+
+  if (!PROVIDERS[provider]) {
+    if (_options.log) console.warn('[securenow] Firewall cloud: unknown provider "%s", expected cloudflare|aws|gcp', provider);
+    return;
+  }
+
+  _provider = provider;
+  _active = true;
+}
+
+/**
+ * Called by the firewall core after each successful blocklist sync.
+ * Throttled to max 1 push per MIN_PUSH_INTERVAL_MS.
+ * @param {string[]} ips - Array of IPs and CIDRs to push
+ */
+async function sync(ips) {
+  if (!_active || !_provider) return;
+
+  const now = Date.now();
+  if (now - _lastPushTime < MIN_PUSH_INTERVAL_MS) return;
+  _lastPushTime = now;
+
+  const dryRun = process.env.SECURENOW_FIREWALL_CLOUD_DRY_RUN === '1';
+  if (dryRun) {
+    if (_options.log) console.log('[securenow] Firewall cloud: dry-run — would push %d IPs to %s', ips.length, _provider);
+    return;
+  }
+
+  try {
+    await PROVIDERS[_provider](ips);
+    if (_options.log) console.log('[securenow] Firewall cloud: pushed %d IPs to %s', ips.length, _provider);
+  } catch (e) {
+    if (_options.log) console.warn('[securenow] Firewall cloud: push to %s failed:', _provider, e.message);
+  }
+}
+
+function shutdown() {
+  _active = false;
+}
+
+module.exports = { init, sync, shutdown };

package/firewall-iptables.js

@@ -0,0 +1,139 @@
+'use strict';
+
+/**
+ * Layer 3: OS-level firewall via iptables/nftables.
+ * Manages a dedicated SECURENOW_BLOCK chain — never touches customer rules.
+ * Linux only, requires root or CAP_NET_ADMIN. Falls back gracefully otherwise.
+ */
+
+const { execSync } = require('child_process');
+const os = require('os');
+
+const CHAIN_NAME = 'SECURENOW_BLOCK';
+
+let _options = null;
+let _active = false;
+let _useNft = false;
+
+function exec(cmd) {
+  return execSync(cmd, { stdio: 'pipe', timeout: 10000 }).toString().trim();
+}
+
+function canRun(cmd) {
+  try { exec(cmd); return true; } catch { return false; }
+}
+
+function detectBackend() {
+  if (canRun('nft --version')) return 'nft';
+  if (canRun('iptables --version')) return 'iptables';
+  return null;
+}
+
+// ────── iptables backend ──────
+
+function iptablesSetup() {
+  try { exec(`iptables -N ${CHAIN_NAME}`); } catch (_) {} // chain may already exist
+  try { exec(`iptables -C INPUT -j ${CHAIN_NAME}`); } catch (_) {
+    exec(`iptables -I INPUT 1 -j ${CHAIN_NAME}`);
+  }
+}
+
+function iptablesSync(ips) {
+  exec(`iptables -F ${CHAIN_NAME}`);
+  for (const ip of ips) {
+    exec(`iptables -A ${CHAIN_NAME} -s ${ip} -j DROP`);
+  }
+}
+
+function iptablesCleanup() {
+  try { exec(`iptables -D INPUT -j ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`iptables -F ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`iptables -X ${CHAIN_NAME}`); } catch (_) {}
+}
+
+// ────── nftables backend ──────
+
+function nftSetup() {
+  try { exec(`nft list chain ip filter ${CHAIN_NAME}`); } catch (_) {
+    exec(`nft add chain ip filter ${CHAIN_NAME}`);
+  }
+  try { exec(`nft insert rule ip filter INPUT jump ${CHAIN_NAME}`); } catch (_) {}
+}
+
+function nftSync(ips) {
+  exec(`nft flush chain ip filter ${CHAIN_NAME}`);
+  for (const ip of ips) {
+    exec(`nft add rule ip filter ${CHAIN_NAME} ip saddr ${ip} drop`);
+  }
+}
+
+function nftCleanup() {
+  try { exec(`nft flush chain ip filter ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`nft delete chain ip filter ${CHAIN_NAME}`); } catch (_) {}
+}
+
+// ────── Public API ──────
+
+let _syncCallback = null;
+
+function init(options) {
+  _options = options;
+
+  if (os.platform() !== 'linux') {
+    if (_options.log) console.warn('[securenow] Firewall iptables: only supported on Linux, skipping');
+    return;
+  }
+
+  const backend = detectBackend();
+  if (!backend) {
+    if (_options.log) console.warn('[securenow] Firewall iptables: neither iptables nor nft found, skipping');
+    return;
+  }
+
+  _useNft = backend === 'nft';
+  const label = _useNft ? 'nftables' : 'iptables';
+
+  try {
+    if (_useNft) nftSetup(); else iptablesSetup();
+    _active = true;
+    if (_options.log) console.log('[securenow] Firewall iptables: %s chain %s ready', label, CHAIN_NAME);
+  } catch (e) {
+    if (_options.log) console.warn('[securenow] Firewall iptables: setup failed (need root or CAP_NET_ADMIN):', e.message);
+  }
+}
+
+/**
+ * Called by the firewall core after each successful blocklist sync.
+ * @param {string[]} ips - Array of IPs and CIDRs to block
+ */
+function sync(ips) {
+  if (!_active) return;
+
+  const maxRules = (_options && _options.iptablesMax) || 10000;
+  const limited = ips.length > maxRules ? ips.slice(0, maxRules) : ips;
+
+  if (ips.length > maxRules && _options.log) {
+    console.warn('[securenow] Firewall iptables: truncated to %d rules (max %d)', maxRules, maxRules);
+  }
+
+  try {
+    if (_useNft) nftSync(limited); else iptablesSync(limited);
+  } catch (e) {
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall iptables: sync failed:', e.message);
+    }
+  }
+}
+
+function shutdown() {
+  if (!_active) return;
+  try {
+    if (_useNft) nftCleanup(); else iptablesCleanup();
+    if (_options && _options.log) console.log('[securenow] Firewall iptables: chain %s cleaned up', CHAIN_NAME);
+  } catch (e) {
+    if (_options && _options.log) console.warn('[securenow] Firewall iptables: cleanup failed:', e.message);
+  }
+  _active = false;
+}
+
+module.exports = { init, sync, shutdown };

package/firewall-only.js

@@ -0,0 +1,38 @@
+'use strict';
+
+/**
+ * Standalone firewall preload — no OpenTelemetry, no tracing.
+ *
+ * Usage:
+ *   node -r securenow/firewall-only app.js
+ *   NODE_OPTIONS='-r securenow/firewall-only' next start
+ *
+ * Reads .env via dotenv (if installed), then initialises the HTTP-level
+ * firewall when SECURENOW_API_KEY is present.
+ */
+
+try { require('dotenv').config(); } catch (_) {}
+
+const env = (k) =>
+  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
+
+const firewallApiKey = env('SECURENOW_API_KEY');
+
+if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+  require('./firewall').init({
+    apiKey: firewallApiKey,
+    apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+    versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+    syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+    failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+    statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+    log: env('SECURENOW_FIREWALL_LOG') !== '0',
+    tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+    iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+    cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+  });
+
+  const shutdown = () => { try { require('./firewall').shutdown(); } catch (_) {} };
+  process.on('SIGINT', shutdown);
+  process.on('SIGTERM', shutdown);
+}

package/firewall-tcp.js

@@ -0,0 +1,74 @@
+'use strict';
+
+/**
+ * Layer 2: TCP-level blocking via net.Server connection event.
+ * Destroys the socket before HTTP parsing starts. Zero bytes sent back.
+ *
+ * Caveat: only sees socket.remoteAddress (direct connection IP).
+ * If behind a reverse proxy, the proxy IP is seen instead.
+ * Proxy IPs are skipped (let through to Layer 1 for proper header-based resolution).
+ */
+
+const net = require('net');
+const { resolveSocketIp, isFromTrustedProxy } = require('./resolve-ip');
+
+let _getMatcher = null;
+let _getAllowlistMatcher = null;
+let _options = null;
+let _patched = false;
+const _origListen = net.Server.prototype.listen;
+
+function onConnection(socket) {
+  const ip = resolveSocketIp(socket);
+
+  // Skip if the connection is from a trusted proxy — Layer 1 will handle it
+  // with proper X-Forwarded-For resolution
+  if (isFromTrustedProxy(ip) || isFromTrustedProxy('::ffff:' + ip)) return;
+
+  // Allowlist check: if active, only listed IPs pass
+  const allowlistMatcher = _getAllowlistMatcher ? _getAllowlistMatcher() : null;
+  if (allowlistMatcher && allowlistMatcher.stats().total > 0) {
+    if (!allowlistMatcher.isBlocked(ip)) {
+      if (_options && _options.log) {
+        console.log('[securenow] Firewall: blocked %s via TCP (not in allowlist)', ip);
+      }
+      socket.destroy();
+      return;
+    }
+    return; // on allowlist — allow
+  }
+
+  // Blocklist check
+  const matcher = _getMatcher();
+  if (!matcher) return;
+
+  if (matcher.isBlocked(ip)) {
+    if (_options && _options.log) {
+      console.log('[securenow] Firewall: blocked %s via TCP (socket destroyed)', ip);
+    }
+    socket.destroy();
+  }
+}
+
+function init(getMatcher, options, getAllowlistMatcher) {
+  _getMatcher = getMatcher;
+  _getAllowlistMatcher = getAllowlistMatcher || null;
+  _options = options;
+
+  if (_patched) return;
+  _patched = true;
+
+  net.Server.prototype.listen = function(...args) {
+    this.on('connection', onConnection);
+    return _origListen.apply(this, args);
+  };
+}
+
+function shutdown() {
+  if (_patched) {
+    net.Server.prototype.listen = _origListen;
+    _patched = false;
+  }
+}
+
+module.exports = { init, shutdown };