securenow 6.0.1 → 6.1.0

package/tracing.js

@@ -1,7 +1,12 @@
 'use strict';
 
 /**
- * Preload with: NODE_OPTIONS="-r securenow/register"
+ * Preload with: node --require securenow/register app.js
+ *
+ * Works for both CJS and ESM apps. On Node >=20.6 the ESM loader hook is
+ * auto-registered via module.register() — no --import flag needed.
+ * On Node 18 with "type": "module", add the hook manually:
+ *   node --import @opentelemetry/instrumentation/hook.mjs --require securenow/register app.js
  *
  * Env:
  *   SECURENOW_APPID=logical-name              # or OTEL_SERVICE_NAME=logical-name
@@ -11,6 +16,7 @@
  *   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=...    # full traces URL
  *   OTEL_EXPORTER_OTLP_HEADERS="k=v,k2=v2"
  *   SECURENOW_DISABLE_INSTRUMENTATIONS="pkg1,pkg2"
+ *   SECURENOW_CAPTURE_MULTIPART=1                # capture multipart/form-data fields & file metadata (streaming, no file content buffered)
  *   OTEL_LOG_LEVEL=info|debug
  *   SECURENOW_TEST_SPAN=1
  *
@@ -18,15 +24,15 @@
  *   SECURENOW_STRICT=1  -> if no appid/name is provided in cluster, exit(1) so PM2 restarts the worker
  */
 
-const { diag, DiagConsoleLogger, DiagLogLevel } = require('@opentelemetry/api');
+const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
 const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
 const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
-const { logs: apiLogs } = require('@opentelemetry/api-logs');
 const { Resource } = require('@opentelemetry/resources');
 const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
 const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
+const { MongoDBInstrumentation } = require('@opentelemetry/instrumentation-mongodb');
 const { v4: uuidv4 } = require('uuid');
 
 const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
@@ -47,6 +53,10 @@ const DEFAULT_SENSITIVE_FIELDS = [
   'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
 ];
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive fields from an object
  */
@@ -55,7 +65,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -78,10 +88,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   // Redact sensitive fields in GraphQL arguments and variables
   sensitiveFields.forEach(field => {
-    // Match patterns: field: "value" or field: 'value' or field:"value"
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -98,13 +108,162 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
+// -------- Multipart streaming parser --------
+// Streams through the request without buffering file content.
+// Only part headers and text-field values are kept in memory,
+// so memory stays bounded (~few KB) regardless of upload size.
+
+function extractBoundary(contentType) {
+  const match = contentType.match(/boundary=(?:"([^"]+)"|([^\s;]+))/i);
+  return match ? (match[1] || match[2]) : null;
+}
+
+function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFieldSize, onComplete) {
+  const boundary = extractBoundary(contentType);
+  if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return; }
+
+  const result = { fields: Object.create(null), files: [] };
+  let totalSize = 0;
+  let buf = Buffer.alloc(0);
+
+  const MAX_PARTS = 100;
+  let partCount = 0;
+
+  const FIRST_DELIM = Buffer.from('--' + boundary);
+  const DELIM       = Buffer.from('\r\n--' + boundary);
+  const HDR_END     = Buffer.from('\r\n\r\n');
+
+  let initialized = false;
+  let inHeaders = true;
+  let isFile = false;
+  let fldName = '';
+  let fName = '';
+  let pCT = '';
+  let bodyBytes = 0;
+  let textVal = '';
+
+  function flushPart() {
+    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
+    if (isFile) {
+      result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
+    } else {
+      const lower = fldName.toLowerCase();
+      const redact = sensitiveFields.some(f => lower.includes(f.toLowerCase()));
+      result.fields[fldName] = redact ? '[REDACTED]' : textVal.substring(0, maxTextFieldSize);
+    }
+    fldName = ''; bodyBytes = 0; textVal = ''; partCount++;
+  }
+
+  function drain() {
+    if (!initialized) {
+      const i = buf.indexOf(FIRST_DELIM);
+      if (i === -1) {
+        if (buf.length > FIRST_DELIM.length + 4) buf = buf.slice(buf.length - FIRST_DELIM.length - 4);
+        return;
+      }
+      buf = buf.slice(i + FIRST_DELIM.length);
+      initialized = true;
+      inHeaders = true;
+    }
+
+    let guard = 200;
+    while (buf.length > 0 && guard-- > 0 && partCount < MAX_PARTS) {
+      if (inHeaders) {
+        if (buf.length >= 2 && buf[0] === 0x2D && buf[1] === 0x2D) { buf = Buffer.alloc(0); return; }
+        if (buf.length >= 2 && buf[0] === 0x0D && buf[1] === 0x0A) { buf = buf.slice(2); continue; }
+
+        const hi = buf.indexOf(HDR_END);
+        if (hi === -1) return;
+
+        const hdr = buf.slice(0, hi).toString('latin1');
+        buf = buf.slice(hi + 4);
+
+        const nm = hdr.match(/name="([^"]+)"/);
+        const fn = hdr.match(/filename="([^"]*)"/);
+        const ct = hdr.match(/Content-Type:\s*(.+)/i);
+        fldName = nm ? nm[1] : '';
+        fName   = fn ? fn[1] : '';
+        pCT     = ct ? ct[1].trim() : '';
+        isFile  = !!fn;
+        bodyBytes = 0;
+        textVal = '';
+        inHeaders = false;
+      }
+
+      const di = buf.indexOf(DELIM);
+      if (di === -1) {
+        const safe = Math.max(0, buf.length - DELIM.length - 2);
+        if (safe > 0) {
+          bodyBytes += safe;
+          if (!isFile && textVal.length < maxTextFieldSize) {
+            textVal += buf.slice(0, safe).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+          }
+          buf = buf.slice(safe);
+        }
+        return;
+      }
+
+      bodyBytes += di;
+      if (!isFile && textVal.length < maxTextFieldSize) {
+        textVal += buf.slice(0, di).toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+      }
+      flushPart();
+      buf = buf.slice(di + DELIM.length);
+      inHeaders = true;
+    }
+  }
+
+  request.on('data', (chunk) => {
+    totalSize += chunk.length;
+    buf = Buffer.concat([buf, chunk]);
+    drain();
+  });
+
+  request.on('end', () => {
+    try {
+      if (!inHeaders && fldName) {
+        bodyBytes += buf.length;
+        if (!isFile) textVal += buf.toString('utf8').substring(0, maxTextFieldSize - textVal.length);
+        flushPart();
+      }
+      onComplete({ parsed: result, totalSize });
+    } catch (e) {
+      onComplete({ error: 'PARSE_ERROR' });
+    }
+  });
+}
+
+// -------- ESM detection --------
+// register.js auto-registers the hook via module.register() on Node >=20.6.
+// This warning only fires if BOTH --import AND module.register() were skipped
+// (e.g. Node 18, or require('securenow/tracing') called directly without register.js).
+(() => {
+  try {
+    const fs = require('fs');
+    const path = require('path');
+    const pkgPath = path.resolve(process.cwd(), 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      if (pkg.type === 'module') {
+        const execArgv = process.execArgv.join(' ');
+        const hasCliHook = execArgv.includes('hook.mjs') || execArgv.includes('import-in-the-middle');
+        const hasModuleRegister = typeof require('node:module').register === 'function';
+        if (!hasCliHook && !hasModuleRegister) {
+          console.warn('[securenow] ⚠️  ESM app detected ("type": "module") but no ESM loader hook available.');
+          console.warn('[securenow]    Upgrade to Node >=20.6 (recommended) or add: --import @opentelemetry/instrumentation/hook.mjs');
+        }
+      }
+    }
+  } catch (_) {}
+})();
+
 // -------- diagnostics --------
+const diagLevel = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
 (() => {
-  const L = (env('OTEL_LOG_LEVEL') || '').toLowerCase();
-  const level = L === 'debug' ? DiagLogLevel.DEBUG :
-                L === 'info'  ? DiagLogLevel.INFO  :
-                L === 'warn'  ? DiagLogLevel.WARN  :
-                L === 'error' ? DiagLogLevel.ERROR : DiagLogLevel.NONE;
+  const level = diagLevel === 'debug' ? DiagLogLevel.DEBUG :
+                diagLevel === 'info'  ? DiagLogLevel.INFO  :
+                diagLevel === 'warn'  ? DiagLogLevel.WARN  :
+                diagLevel === 'error' ? DiagLogLevel.ERROR : DiagLogLevel.NONE;
   diag.setLogger(new DiagConsoleLogger(), level);
   console.log('[securenow] preload loaded pid=%d', process.pid);
 })();
@@ -161,21 +320,44 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 
 // -------- Body Capture Configuration --------
 const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true';
-const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
+const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || String(env('SECURENOW_CAPTURE_MULTIPART')).toLowerCase() === 'true';
+
+// -------- Trusted proxy IP resolution --------
+const { resolveClientIp, isFromTrustedProxy, LOOPBACK_RE } = require('./resolve-ip');
+
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
 const httpInstrumentation = new HttpInstrumentation({
   requestHook: (span, request) => {
     try {
-      if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+      const clientIp = resolveClientIp(request);
+      if (clientIp) {
+        span.setAttribute('http.client_ip', clientIp);
+      }
+
+      if (request.headers) {
+        const SKIP_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization', 'set-cookie', 'x-api-key', 'x-auth-token']);
+        const safe = {};
+        for (const [k, v] of Object.entries(request.headers)) {
+          if (SKIP_HEADERS.has(k.toLowerCase())) { safe[k] = '[REDACTED]'; continue; }
+          safe[k] = typeof v === 'string' ? v.substring(0, 500) : String(v);
+        }
+        const serialized = JSON.stringify(safe);
+        if (serialized.length <= 8192) {
+          span.setAttribute('http.request.headers', serialized);
+        }
+      }
+
+      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
         
-        if (contentType.includes('application/json') || 
+        if (captureBody && (contentType.includes('application/json') || 
             contentType.includes('application/graphql') ||
-            contentType.includes('application/x-www-form-urlencoded')) {
+            contentType.includes('application/x-www-form-urlencoded'))) {
           
           let body = '';
           const chunks = [];
@@ -223,9 +405,9 @@ const httpInstrumentation = new HttpInstrumentation({
                   });
                 }
               } catch (e) {
-                // Parse error: capture as-is (truncated)
-                span.setAttribute('http.request.body', body.substring(0, 1000));
+                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
                 span.setAttribute('http.request.body.parse_error', true);
+                span.setAttribute('http.request.body.size', size);
               }
             } else if (size > maxBodySize) {
               span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
@@ -233,10 +415,38 @@ const httpInstrumentation = new HttpInstrumentation({
             }
           });
         } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured
-          span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-          span.setAttribute('http.request.body.type', 'multipart');
-          span.setAttribute('http.request.body.note', 'File uploads not captured by design');
+          if (captureMultipart) {
+            collectMultipartMeta(request, contentType, allSensitiveFields, 1000, ({ error, parsed, totalSize }) => {
+              try {
+                if (error === 'BOUNDARY_NOT_FOUND') {
+                  span.setAttribute('http.request.body', '[MULTIPART - BOUNDARY NOT FOUND]');
+                  span.setAttribute('http.request.body.type', 'multipart');
+                  return;
+                }
+                if (error) {
+                  span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+                  span.setAttribute('http.request.body.type', 'multipart');
+                  span.setAttribute('http.request.body.parse_error', true);
+                  return;
+                }
+                span.setAttributes({
+                  'http.request.body': JSON.stringify(parsed).substring(0, maxBodySize),
+                  'http.request.body.type': 'multipart',
+                  'http.request.body.size': totalSize,
+                  'http.request.body.fields_count': Object.keys(parsed.fields).length,
+                  'http.request.body.files_count': parsed.files.length,
+                });
+              } catch (e) {
+                span.setAttribute('http.request.body', '[MULTIPART - PARSE ERROR]');
+                span.setAttribute('http.request.body.type', 'multipart');
+                span.setAttribute('http.request.body.parse_error', true);
+              }
+            });
+          } else {
+            span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+            span.setAttribute('http.request.body.type', 'multipart');
+            span.setAttribute('http.request.body.note', 'Set SECURENOW_CAPTURE_MULTIPART=1 to enable');
+          }
         }
       }
     } catch (error) {
@@ -246,7 +456,7 @@ const httpInstrumentation = new HttpInstrumentation({
 });
 
 // -------- Logging Configuration --------
-const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) !== '0' && String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() !== 'false';
+const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
 
 // Create shared resource for both traces and logs
 const sharedResource = new Resource({
@@ -258,7 +468,6 @@ const sharedResource = new Resource({
 
 // Initialize LoggerProvider if logging is enabled
 let loggerProvider = null;
-let globalLogger = null;
 
 if (loggingEnabled) {
   const logExporter = new OTLPLogExporter({ 
@@ -266,27 +475,90 @@ if (loggingEnabled) {
     headers 
   });
   
+  const batchLogProcessor = new BatchLogRecordProcessor(logExporter);
   loggerProvider = new LoggerProvider({
     resource: sharedResource,
   });
-  // sdk-logs 0.47.x ignores the `processors` constructor option (added in 0.52),
-  // so the provider would silently keep a NoopLogRecordProcessor and drop every
-  // emit(). Register the processor explicitly instead.
-  loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
-  apiLogs.setGlobalLoggerProvider(loggerProvider);
+  loggerProvider.addLogRecordProcessor(batchLogProcessor);
 
-  globalLogger = loggerProvider.getLogger('securenow', '1.0.0');
+  // Auto-patch console.* so every log/warn/error becomes an OTel log record
+  const _logger = loggerProvider.getLogger('console', '1.0.0');
+  const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
+  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+  function _emit(sn, st, args) {
+    try {
+      const activeCtx = context.active();
+      const spanCtx = trace.getSpanContext(activeCtx);
+      _logger.emit({
+        severityNumber: sn,
+        severityText: st,
+        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
+        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+        ...(spanCtx && { context: activeCtx }),
+      });
+    } catch (_) {}
+  }
+  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
+  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
+  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
+  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
+  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
+  console.__securenow_patched = true;
+}
+
+// -------- Guard against OTLP exporter socket errors --------
+// The OTLP HTTP exporter uses keep-alive connections that can be reset by the
+// remote end (ECONNRESET / "socket hang up"). These transient errors sometimes
+// escape as unhandled exceptions or rejections because the underlying HTTP
+// request's error path isn't fully covered by the OTel library. We install
+// targeted process-level handlers to catch them and log at debug level instead
+// of crashing the host app.
+const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+function _isOtlpTransientError(err) {
+  if (!err) return false;
+  if (_TRANSIENT_CODES.has(err.code)) return true;
+  if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+  return false;
+}
+function _looksLikeOtlpStack(err) {
+  const s = err && err.stack;
+  if (!s) return false;
+  return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
+    || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
 }
 
+process.on('uncaughtException', (err, origin) => {
+  if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
+    if (diagLevel === 'debug') {
+      console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
+    }
+    return; // swallow — do not crash
+  }
+  // Not ours — re-throw so the default handler (or the app's own handler) fires
+  throw err;
+});
+process.on('unhandledRejection', (reason) => {
+  if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
+    if (diagLevel === 'debug') {
+      console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
+    }
+    return; // swallow
+  }
+  // Not ours — re-throw as unhandled so Node's default behaviour applies
+  throw reason;
+});
+
 // -------- SDK --------
 const traceExporter = new OTLPTraceExporter({ url: tracesUrl, headers });
 const sdk = new NodeSDK({
   traceExporter,
   instrumentations: [
     httpInstrumentation,
+    ...(disabledMap['@opentelemetry/instrumentation-mongodb'] ? [] : [new MongoDBInstrumentation()]),
     ...getNodeAutoInstrumentations({ 
       ...disabledMap,
-      '@opentelemetry/instrumentation-http': { enabled: false }, // We use our custom one above
+      '@opentelemetry/instrumentation-http': { enabled: false },
+      '@opentelemetry/instrumentation-mongodb': { enabled: false },
     }),
   ],
   resource: sharedResource,
@@ -305,22 +577,52 @@ const sdk = new NodeSDK({
     if (captureBody) {
       console.log('[securenow] 📝 Request body capture: ENABLED (max: %d bytes, redacting %d sensitive fields)', maxBodySize, allSensitiveFields.length);
     }
+    if (captureMultipart) {
+      console.log('[securenow] 📎 Multipart body capture: ENABLED (streaming — file content not buffered)');
+    }
     if (String(env('SECURENOW_TEST_SPAN')) === '1') {
       const api = require('@opentelemetry/api');
       const tracer = api.trace.getTracer('securenow-smoke');
       const span = tracer.startSpan('securenow.startup.smoke'); span.end();
     }
+
+    // Free trial banner
+    const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
+    if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+      patchHttpForBanner();
+    }
+
+    // Firewall — auto-activates when SECURENOW_API_KEY is set
+    const firewallApiKey = env('SECURENOW_API_KEY');
+    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+      require('./firewall').init({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    }
   } catch (e) {
     console.error('[securenow] OTel start failed:', e && e.stack || e);
   }
 })();
 
+let shuttingDown = false;
 async function safeShutdown(sig) {
+  if (shuttingDown) return;
+  shuttingDown = true;
   try { 
     await Promise.resolve(sdk.shutdown?.()); 
     if (loggerProvider) {
       await Promise.resolve(loggerProvider.shutdown?.());
     }
+    try { require('./firewall').shutdown(); } catch (_) {}
     console.log(`[securenow] Tracing and logging terminated on ${sig}`); 
   }
   catch (e) { console.error('[securenow] Shutdown error:', e); }