securenow 6.0.2 → 6.1.0

package/firewall.js

@@ -0,0 +1,720 @@
+'use strict';
+
+const http = require('http');
+const https = require('https');
+const { createMatcher } = require('./cidr');
+const { resolveClientIp } = require('./resolve-ip');
+
+let _options = null;
+let _matcher = null;
+let _syncTimer = null;
+let _pollTimer = null;
+let _lastModified = null;
+let _lastVersion = null;
+let _lastSyncEtag = null;
+let _initialized = false;
+let _consecutiveErrors = 0;
+let _layers = [];
+let _rawIps = [];
+let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
+let _localhostFallbackTried = false;
+
+// Allowlist state
+let _allowlistMatcher = null;
+let _allowlistRawIps = [];
+let _lastAllowlistModified = null;
+let _lastAllowlistVersion = null;
+let _lastAllowlistSyncEtag = null;
+
+// Circuit breaker
+const CIRCUIT_OPEN_THRESHOLD = 5;
+const CIRCUIT_OPEN_COOLDOWN_MS = 120_000;
+let _circuitState = 'closed';
+let _circuitOpenedAt = 0;
+
+// In-flight guard and 429 back-off
+let _pollInflight = false;
+let _retryAfterUntil = 0;
+
+// Keep-alive agents — reuse TCP connections across polls (TLS handshake once)
+const _httpAgent = new http.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
+const _httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
+
+// Unified sync uses /firewall/sync (v2). Falls back to legacy on 404.
+let _useUnifiedSync = true;
+
+// ────── Circuit Breaker ──────
+
+function maybeOpenCircuit() {
+  if (_circuitState === 'open') return;
+  if (_consecutiveErrors >= CIRCUIT_OPEN_THRESHOLD) {
+    _circuitState = 'open';
+    _circuitOpenedAt = Date.now();
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall: circuit breaker OPEN — pausing polling for %ds', CIRCUIT_OPEN_COOLDOWN_MS / 1000);
+    }
+  }
+}
+
+function resetCircuit() {
+  if (_circuitState !== 'closed') {
+    _circuitState = 'closed';
+    if (_options && _options.log) console.log('[securenow] Firewall: circuit breaker CLOSED — API healthy');
+  }
+  _consecutiveErrors = 0;
+}
+
+function shouldSkipRequest() {
+  if (Date.now() < _retryAfterUntil) return true;
+  if (_circuitState === 'closed') return false;
+  if (_circuitState === 'open') {
+    if (Date.now() - _circuitOpenedAt >= CIRCUIT_OPEN_COOLDOWN_MS) {
+      _circuitState = 'half-open';
+      return false;
+    }
+    return true;
+  }
+  return false; // half-open: allow one probe
+}
+
+function handleRetryAfter(res) {
+  const ra = res.headers['retry-after'];
+  if (!ra) return;
+  const secs = parseInt(ra, 10);
+  if (secs > 0 && secs <= 300) {
+    _retryAfterUntil = Date.now() + secs * 1000;
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall: API returned 429, backing off for %ds', secs);
+    }
+  }
+}
+
+// ────── HTTP helpers ──────
+
+function buildUrl(apiUrl, path) {
+  return apiUrl.replace(/\/+$/, '') + '/api/v1' + path;
+}
+
+function jitter(baseMs) {
+  return baseMs * (0.8 + Math.random() * 0.4);
+}
+
+function agentFor(url) {
+  return url.startsWith('https') ? _httpsAgent : _httpAgent;
+}
+
+function httpGet(url, extraHeaders, timeout, callback) {
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const req = mod.request({
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers: {
+      'Authorization': `Bearer ${_options.apiKey}`,
+      'User-Agent': 'securenow-firewall-sdk',
+      ...extraHeaders,
+    },
+    timeout,
+    agent: agentFor(url),
+  }, (res) => {
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => { callback(null, res, data); });
+  });
+
+  req.on('error', (err) => callback(err));
+  req.on('timeout', () => { req.destroy(); callback(new Error('Request timed out')); });
+  req.end();
+}
+
+// ────── Unified Sync (v2 — single request for everything) ──────
+
+function doUnifiedSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/sync');
+  const headers = {};
+  if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
+  if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
+
+  httpGet(url, headers, 8000, (err, res, data) => {
+    if (err) return callback(err);
+
+    _stats.versionChecks++;
+
+    if (res.statusCode === 304) {
+      return callback(null, { blChanged: false, alChanged: false });
+    }
+
+    if (res.statusCode === 404) {
+      _useUnifiedSync = false;
+      if (_options.log) console.log('[securenow] Firewall: /sync not available, using legacy endpoints');
+      return callback(null, { blChanged: false, alChanged: false, useLegacy: true });
+    }
+
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+
+    if (res.statusCode !== 200) {
+      return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+    }
+
+    try {
+      const body = JSON.parse(data);
+
+      let blChanged = false;
+      let alChanged = false;
+
+      // Update blocklist version + data
+      if (body.blocklist) {
+        const newVer = body.blocklist.version;
+        if (newVer !== _lastVersion) {
+          _lastVersion = newVer;
+          blChanged = true;
+        }
+      }
+
+      if (body.blocklistIps) {
+        _rawIps = body.blocklistIps;
+        _matcher = createMatcher(body.blocklistIps);
+        _stats.syncs++;
+        notifyLayers(body.blocklistIps);
+        blChanged = true;
+      }
+
+      // Update allowlist version + data
+      if (body.allowlist) {
+        const newVer = body.allowlist.version;
+        if (newVer !== _lastAllowlistVersion) {
+          _lastAllowlistVersion = newVer;
+          alChanged = true;
+        }
+      }
+
+      if (body.allowlistIps) {
+        _allowlistRawIps = body.allowlistIps;
+        _allowlistMatcher = createMatcher(body.allowlistIps);
+        alChanged = true;
+      }
+
+      callback(null, { blChanged, alChanged });
+    } catch (e) {
+      callback(new Error(`Failed to parse sync response: ${e.message}`));
+    }
+  });
+}
+
+// ────── Legacy Sync (v1 — separate endpoints, kept for backward compat) ──────
+
+function legacyBlocklistSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
+  const headers = {};
+  if (_lastSyncEtag) headers['If-None-Match'] = _lastSyncEtag;
+  else if (_lastModified) headers['If-Modified-Since'] = _lastModified;
+
+  httpGet(url, headers, 10000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      _rawIps = ips;
+      _matcher = createMatcher(ips);
+      _lastModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
+      _stats.syncs++;
+      notifyLayers(ips);
+      callback(null, true, _matcher.stats());
+    } catch (e) {
+      callback(new Error(`Failed to parse blocklist: ${e.message}`));
+    }
+  });
+}
+
+function legacyAllowlistSync(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist');
+  const headers = {};
+  if (_lastAllowlistSyncEtag) headers['If-None-Match'] = _lastAllowlistSyncEtag;
+  else if (_lastAllowlistModified) headers['If-Modified-Since'] = _lastAllowlistModified;
+
+  httpGet(url, headers, 10000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+
+    try {
+      const body = JSON.parse(data);
+      const ips = body.ips || [];
+      _allowlistRawIps = ips;
+      _allowlistMatcher = createMatcher(ips);
+      _lastAllowlistModified = res.headers['last-modified'] || null;
+      if (res.headers['etag']) _lastAllowlistSyncEtag = res.headers['etag'];
+      callback(null, true, _allowlistMatcher.stats());
+    } catch (e) {
+      callback(new Error(`Failed to parse allowlist: ${e.message}`));
+    }
+  });
+}
+
+function legacyVersionCheck(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
+  const headers = {};
+  if (_lastVersion) headers['If-None-Match'] = _lastVersion;
+
+  httpGet(url, headers, 5000, (err, res, data) => {
+    if (err) return callback(err);
+    _stats.versionChecks++;
+    if (res.statusCode === 304) return callback(null, false, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API ${res.statusCode}`));
+
+    try {
+      const body = JSON.parse(data);
+      const version = body.version || null;
+      const changed = version !== _lastVersion;
+      if (changed) _lastVersion = version;
+      callback(null, changed, false);
+    } catch (_e) { callback(null, false, false); }
+  });
+}
+
+function legacyAllowlistVersionCheck(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/allowlist/version');
+  const headers = {};
+  if (_lastAllowlistVersion) headers['If-None-Match'] = _lastAllowlistVersion;
+
+  httpGet(url, headers, 5000, (err, res, data) => {
+    if (err) return callback(err);
+    if (res.statusCode === 304) return callback(null, false);
+    if (res.statusCode === 429) { handleRetryAfter(res); }
+    if (res.statusCode !== 200) return callback(new Error(`API ${res.statusCode}`));
+
+    try {
+      const body = JSON.parse(data);
+      const version = body.version || null;
+      const changed = version !== _lastAllowlistVersion;
+      if (changed) _lastAllowlistVersion = version;
+      callback(null, changed);
+    } catch (_e) { callback(null, false); }
+  });
+}
+
+function doLegacyPoll(callback) {
+  let pending = 2;
+  let blChanged = false;
+  let alChanged = false;
+  let firstError = null;
+
+  function checkDone() {
+    if (--pending > 0) return;
+    if (firstError) return callback(firstError);
+
+    let syncsPending = 0;
+    if (blChanged) syncsPending++;
+    if (alChanged) syncsPending++;
+    if (syncsPending === 0) return callback(null, { blChanged: false, alChanged: false });
+
+    function syncDone() {
+      if (--syncsPending > 0) return;
+      callback(null, { blChanged, alChanged });
+    }
+
+    if (blChanged) {
+      legacyBlocklistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+        syncDone();
+      });
+    }
+    if (alChanged) {
+      legacyAllowlistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+        syncDone();
+      });
+    }
+  }
+
+  legacyVersionCheck((err, changed) => {
+    if (err) firstError = firstError || err;
+    blChanged = changed;
+    checkDone();
+  });
+
+  legacyAllowlistVersionCheck((err, changed) => {
+    if (err) firstError = firstError || err;
+    alChanged = changed;
+    checkDone();
+  });
+}
+
+// ────── Unified poll loop ──────
+
+function notifyLayers(ips) {
+  for (const layer of _layers) {
+    try { if (typeof layer.sync === 'function') layer.sync(ips); } catch (_) {}
+  }
+}
+
+function pollOnce(callback) {
+  if (_pollInflight || shouldSkipRequest()) return callback(null);
+  _pollInflight = true;
+
+  const done = (err, result) => {
+    _pollInflight = false;
+    if (err) {
+      _consecutiveErrors++;
+      _stats.errors++;
+      maybeOpenCircuit();
+      if (_options.log) console.warn('[securenow] Firewall: poll failed:', err.message);
+      return callback(err);
+    }
+    _consecutiveErrors = 0;
+    resetCircuit();
+    if (result) {
+      if (result.blChanged && _options.log && _matcher) {
+        const s = _matcher.stats();
+        console.log('[securenow] Firewall: re-synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (result.alChanged && _options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        console.log('[securenow] Firewall: re-synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+    }
+    callback(null);
+  };
+
+  if (_useUnifiedSync) {
+    doUnifiedSync((err, result) => {
+      if (err) return done(err);
+      if (result && result.useLegacy) {
+        doLegacyPoll(done);
+      } else {
+        done(null, result);
+      }
+    });
+  } else {
+    doLegacyPoll(done);
+  }
+}
+
+function scheduleNextPoll() {
+  const baseMs = (_options.versionCheckInterval || 10) * 1000;
+  const backoffMs = Math.min(baseMs * Math.pow(2, _consecutiveErrors), 120_000);
+  const delayMs = jitter(backoffMs);
+
+  _pollTimer = setTimeout(() => {
+    pollOnce(() => { scheduleNextPoll(); });
+  }, delayMs);
+  if (_pollTimer.unref) _pollTimer.unref();
+}
+
+function startSyncLoop() {
+  const fullSyncIntervalMs = (_options.syncInterval || 300) * 1000;
+  const BASE_RETRY = 5000;
+  const MAX_RETRY = 120_000;
+  let _initAttempt = 0;
+
+  function initialSync() {
+    // Use unified endpoint for initial sync too
+    const syncFn = _useUnifiedSync ? doUnifiedSync : (cb) => doLegacyPoll(cb);
+
+    syncFn((err, result) => {
+      if (err) {
+        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
+        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
+          _localhostFallbackTried = true;
+          const origUrl = _options.apiUrl;
+          _options.apiUrl = 'http://localhost:4000';
+          if (_options.log) console.log('[securenow] Firewall: %s unreachable, trying http://localhost:4000', origUrl);
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
+        if (result && result.useLegacy) {
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
+        if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
+        if (_options.failMode === 'closed') {
+          _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
+        }
+        _initAttempt++;
+        const delay = Math.min(BASE_RETRY * Math.pow(2, _initAttempt), MAX_RETRY);
+        const retryTimer = setTimeout(initialSync, jitter(delay));
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+
+      if (result && result.useLegacy) {
+        const retryTimer = setTimeout(initialSync, 1000);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+
+      _initialized = true;
+      if (_options.log && _matcher) {
+        const s = _matcher.stats();
+        console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+      if (_options.log && _allowlistMatcher) {
+        const s = _allowlistMatcher.stats();
+        if (s.total > 0) console.log('[securenow] Firewall: synced %d allowed IPs (%d exact + %d CIDR ranges)', s.total, s.exact, s.cidr);
+      }
+    });
+  }
+
+  initialSync();
+  scheduleNextPoll();
+
+  // Safety-net full sync timer (less frequent, uses same path)
+  _syncTimer = setInterval(() => {
+    if (shouldSkipRequest()) return;
+    // Force a full re-fetch by clearing versions so unified endpoint returns full data
+    const savedBlVer = _lastVersion;
+    const savedAlVer = _lastAllowlistVersion;
+    _lastVersion = null;
+    _lastAllowlistVersion = null;
+    pollOnce((err) => {
+      if (err) {
+        _lastVersion = savedBlVer;
+        _lastAllowlistVersion = savedAlVer;
+      }
+    });
+  }, fullSyncIntervalMs);
+  if (_syncTimer.unref) _syncTimer.unref();
+}
+
+// ────── Layer 1: HTTP Handler ──────
+
+const _origHttpCreate = http.createServer;
+const _origHttpsCreate = https.createServer;
+let _httpPatched = false;
+
+function blockedHtml(ip) {
+  const maskedIp = ip || 'unknown';
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Access Blocked — Security Alert</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{min-height:100vh;display:flex;align-items:center;justify-content:center;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0a0a0a;color:#e5e5e5}
+.wrap{text-align:center;max-width:540px;padding:2.5rem 2rem}
+.icon{width:64px;height:64px;margin:0 auto 1.5rem;border-radius:50%;background:rgba(220,38,38,.12);display:flex;align-items:center;justify-content:center}
+.icon svg{width:32px;height:32px;fill:none;stroke:#dc2626;stroke-width:2;stroke-linecap:round;stroke-linejoin:round}
+.badge{display:inline-block;padding:.25rem .75rem;border-radius:999px;background:rgba(220,38,38,.15);color:#f87171;font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;margin-bottom:1.25rem}
+h1{font-size:1.6rem;font-weight:700;margin-bottom:.6rem;color:#fff}
+.sub{font-size:1rem;color:#f87171;font-weight:600;margin-bottom:1.25rem}
+p{font-size:.9rem;line-height:1.7;color:#a1a1aa;margin-bottom:.5rem}
+.ip-box{display:inline-block;margin:1rem 0;padding:.6rem 1.5rem;border-radius:8px;background:rgba(255,255,255,.04);border:1px solid rgba(220,38,38,.25);font-family:"SF Mono",SFMono-Regular,Consolas,"Liberation Mono",Menlo,monospace;font-size:.95rem;color:#fca5a5;letter-spacing:.03em}
+.divider{width:48px;height:2px;background:rgba(220,38,38,.3);margin:1.5rem auto}
+.contact{font-size:.85rem;color:#71717a;line-height:1.7}
+.contact a{color:#f87171;text-decoration:none;font-weight:500}
+.contact a:hover{text-decoration:underline}
+.footer{margin-top:2rem;font-size:.7rem;color:#3f3f46}
+.powered{margin-top:1.5rem;font-size:.75rem;color:#52525b}.powered a{color:#a1a1aa;text-decoration:none;font-weight:600;transition:color .2s}.powered a:hover{color:#f87171;text-decoration:underline}
+</style>
+</head>
+<body>
+<div class="wrap">
+<div class="icon"><svg viewBox="0 0 24 24"><path d="M12 9v4m0 4h.01M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/></svg></div>
+<span class="badge">Security Alert</span>
+<h1>Access Blocked</h1>
+<p class="sub">Malicious activity detected from your IP address</p>
+<p>Your IP has been flagged and blocked due to suspicious or malicious behavior originating from your network. Our security team has been notified and is actively investigating.</p>
+<div class="ip-box">${maskedIp}</div>
+<div class="divider"></div>
+<p class="contact">If you believe this is a mistake, please contact us at<br><a href="mailto:contact@securenow.ai?subject=Blocked%20IP%20Appeal%20-%20${encodeURIComponent(maskedIp)}&body=IP:%20${encodeURIComponent(maskedIp)}%0ATimestamp:%20${encodeURIComponent(new Date().toISOString())}%0A%0APlease%20describe%20why%20you%20believe%20this%20block%20is%20incorrect:">contact@securenow.ai</a><br>Include your IP address and the time of this incident.</p>
+<p class="footer">Ref: ${maskedIp} &mdash; ${new Date().toISOString()} &mdash; HTTP 403</p>
+<p class="powered">Protected by <a href="https://securenow.ai" rel="dofollow" target="_blank">SecureNow</a></p>
+</div>
+</body>
+</html>`;
+}
+
+function wrapListener(originalListener) {
+  return function firewallGuard(req, res) {
+    _stats.allowed++;
+    return originalListener.call(this, req, res);
+  };
+}
+
+function sendBlockResponse(req, res, ip) {
+  const code = (_options && _options.statusCode) || 403;
+  const accept = req.headers['accept'] || '';
+  if (accept.includes('text/html')) {
+    res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
+    res.end(blockedHtml(ip));
+  } else {
+    res.writeHead(code, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Forbidden', ip }));
+  }
+}
+
+function firewallRequestHandler(req, res) {
+  const ip = resolveClientIp(req);
+
+  // Allowlist check: if active, only listed IPs are allowed through
+  if (_allowlistMatcher && _allowlistMatcher.stats().total > 0) {
+    if (!_allowlistMatcher.isBlocked(ip)) {
+      _stats.blocked++;
+      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP (not in allowlist)', ip);
+      sendBlockResponse(req, res, ip);
+      return true;
+    }
+    return false;
+  }
+
+  // Blocklist check
+  if (_matcher && _matcher.isBlocked(ip)) {
+    _stats.blocked++;
+    if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+    sendBlockResponse(req, res, ip);
+    return true;
+  }
+
+  return false;
+}
+
+const _origEmit = http.Server.prototype.emit;
+let _emitPatched = false;
+
+function patchEmitLayer() {
+  if (_emitPatched) return;
+  _emitPatched = true;
+
+  http.Server.prototype.emit = function(event, req, res, ...rest) {
+    if (event === 'request' && req && res && !res.headersSent) {
+      if (firewallRequestHandler(req, res)) return true;
+    }
+    return _origEmit.call(this, event, req, res, ...rest);
+  };
+}
+
+function patchHttpLayer() {
+  if (_httpPatched) return;
+  _httpPatched = true;
+
+  patchEmitLayer();
+
+  http.createServer = function(...args) {
+    if (typeof args[args.length - 1] === 'function') {
+      args[args.length - 1] = wrapListener(args[args.length - 1]);
+    }
+    return _origHttpCreate.apply(this, args);
+  };
+  Object.assign(http.createServer, _origHttpCreate);
+
+  https.createServer = function(...args) {
+    if (typeof args[args.length - 1] === 'function') {
+      args[args.length - 1] = wrapListener(args[args.length - 1]);
+    }
+    return _origHttpsCreate.apply(this, args);
+  };
+  Object.assign(https.createServer, _origHttpsCreate);
+}
+
+// ────── Init ──────
+
+function init(options) {
+  _options = options;
+
+  if (_options.log) console.log('[securenow] Firewall: ENABLED');
+
+  patchHttpLayer();
+  if (_options.log) console.log('[securenow] Firewall: Layer 1 (HTTP 403)      active');
+
+  if (_options.tcp) {
+    try {
+      const tcpLayer = require('./firewall-tcp');
+      tcpLayer.init(() => _matcher, _options, () => _allowlistMatcher);
+      _layers.push(tcpLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       active');
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 2 (TCP drop)       failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       disabled (set SECURENOW_FIREWALL_TCP=1)');
+  }
+
+  if (_options.iptables) {
+    try {
+      const iptablesLayer = require('./firewall-iptables');
+      iptablesLayer.init(_options);
+      _layers.push(iptablesLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       active');
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 3 (iptables)       failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       disabled (set SECURENOW_FIREWALL_IPTABLES=1)');
+  }
+
+  if (_options.cloud) {
+    try {
+      const cloudLayer = require('./firewall-cloud');
+      cloudLayer.init(_options);
+      _layers.push(cloudLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      active (%s)', _options.cloud);
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 4 (Cloud WAF)      failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      disabled (set SECURENOW_FIREWALL_CLOUD=cloudflare|aws|gcp)');
+  }
+
+  startSyncLoop();
+}
+
+function shutdown() {
+  if (_pollTimer) { clearTimeout(_pollTimer); _pollTimer = null; }
+  if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
+
+  _circuitState = 'closed';
+  _circuitOpenedAt = 0;
+  _consecutiveErrors = 0;
+  _pollInflight = false;
+  _retryAfterUntil = 0;
+
+  _httpAgent.destroy();
+  _httpsAgent.destroy();
+
+  for (const layer of _layers) {
+    try { if (typeof layer.shutdown === 'function') layer.shutdown(); } catch (_) {}
+  }
+  _layers = [];
+
+  if (_emitPatched) {
+    http.Server.prototype.emit = _origEmit;
+    _emitPatched = false;
+  }
+  if (_httpPatched) {
+    http.createServer = _origHttpCreate;
+    https.createServer = _origHttpsCreate;
+    _httpPatched = false;
+  }
+}
+
+function getStats() {
+  return {
+    ..._stats,
+    matcher: _matcher ? _matcher.stats() : null,
+    allowlistMatcher: _allowlistMatcher ? _allowlistMatcher.stats() : null,
+    initialized: _initialized,
+    circuitState: _circuitState,
+    consecutiveErrors: _consecutiveErrors,
+    unifiedSync: _useUnifiedSync,
+  };
+}
+
+function getMatcher() { return _matcher; }
+function getAllowlistMatcher() { return _allowlistMatcher; }
+
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher };