securenow 7.2.0 → 7.3.0

package/app-config.js

@@ -157,6 +157,30 @@ function resolveAll() {
   };
 }
 
+// Decide whether to append a per-worker UUID suffix to service.name.
+//
+// The dashboard filters traces with an exact match on service.name
+// (`resource_string_service$$name IN (...)`), so when appId IS the routing
+// UUID (customer is logged in → credentials file provides app.key), the
+// suffix guarantees a miss. Per-worker disambiguation still happens via
+// service.instance.id, which is never used for filtering.
+//
+// Precedence:
+//   1. Explicit opts.noUuid (caller passed it)                  — wins
+//   2. Explicit SECURENOW_NO_UUID env var (0/1/true/false)      — wins
+//   3. appKey resolved (logged-in, appId is routing UUID)       → true
+//   4. Otherwise (pre-login, appId = package.json#name)         → false
+function resolveNoUuid(opts = {}) {
+  if (opts.noUuid !== undefined && opts.noUuid !== null) return !!opts.noUuid;
+
+  const raw = process.env.SECURENOW_NO_UUID;
+  if (raw !== undefined && raw !== '') {
+    return /^(1|true)$/i.test(String(raw).trim());
+  }
+
+  return !!resolveAppKey();
+}
+
 module.exports = {
   FREE_TRIAL_INSTANCE,
   resolveAppKey,
@@ -165,6 +189,7 @@ module.exports = {
   resolveApiKey,
   resolveInstance,
   resolveAll,
+  resolveNoUuid,
   loadCredentials,
   loadLocalCredentials,
   loadGlobalCredentials,

package/cli/diagnostics.js

@@ -8,12 +8,20 @@ const config = require('./config');
 // ── Config resolution (mirrors tracing.js priority order) ──
 
 function resolvedConfig() {
-  const serviceName =
-    process.env.OTEL_SERVICE_NAME ||
-    process.env.SECURENOW_APPID ||
-    '(auto-generated)';
+  // Mirror the SDK's resolution: env → credentials file → package.json#name.
+  // Doing it here means `securenow doctor` reports what the SDK will actually
+  // send — critical for diagnosing "my traces don't show up" (the common
+  // cause is a service.name mismatch with the dashboard's exact-match filter).
+  const appConfig = require('../app-config');
+  const resolvedApp = appConfig.resolveAll();
+  const noUuid = appConfig.resolveNoUuid();
+
+  const baseName = (process.env.OTEL_SERVICE_NAME || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '') || null;
+  const serviceName = baseName
+    ? (noUuid ? baseName : `${baseName}-<uuid-per-worker>`)
+    : '(auto-generated)';
   const instance =
-    process.env.SECURENOW_INSTANCE || 'https://freetrial.securenow.ai:4318';
+    resolvedApp.instance || 'https://freetrial.securenow.ai:4318';
   const tracesEndpoint =
     process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT ||
     (process.env.OTEL_EXPORTER_OTLP_ENDPOINT
@@ -297,7 +305,7 @@ function env(_args, flags) {
     SECURENOW_API_URL: cfg.apiUrl,
     SECURENOW_LOGGING_ENABLED: cfg.loggingEnabled ? '1' : '0',
     SECURENOW_CAPTURE_BODY: cfg.captureBody ? '1' : '0',
-    SECURENOW_NO_UUID: process.env.SECURENOW_NO_UUID || '0',
+    SECURENOW_NO_UUID: process.env.SECURENOW_NO_UUID || `(auto: ${require('../app-config').resolveNoUuid() ? '1' : '0'})`,
     SECURENOW_FIREWALL_TCP: process.env.SECURENOW_FIREWALL_TCP || '0',
     SECURENOW_FIREWALL_IPTABLES: process.env.SECURENOW_FIREWALL_IPTABLES || '0',
     SECURENOW_FIREWALL_CLOUD: process.env.SECURENOW_FIREWALL_CLOUD || null,

package/cli/firewall.js

@@ -97,4 +97,78 @@ async function testIp(args, flags) {
   }
 }
 
-module.exports = { status, testIp };
+async function resolveAppKey(flags) {
+  if (flags && flags.app) return String(flags.app);
+  try {
+    const { resolveAppKey: r } = require('../app-config');
+    const k = r();
+    if (k) return k;
+  } catch (_) {}
+  return null;
+}
+
+async function setEnabled(args, flags, enabled) {
+  requireAuth();
+  const appKey = await resolveAppKey(flags);
+  if (!appKey) {
+    ui.error('No app selected. Pass --app <key> or run `securenow login` / `securenow apps default <key>`.');
+    process.exit(1);
+  }
+
+  const verb = enabled ? 'Enabling' : 'Disabling';
+  const s = ui.spinner(`${verb} firewall for ${appKey}`);
+  try {
+    const data = await api.patch(`/firewall/app/${encodeURIComponent(appKey)}`, { enabled });
+    s.stop(`Firewall ${enabled ? 'enabled' : 'disabled'}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    const app = data.app || {};
+    console.log('');
+    console.log(`  ${ui.c.bold(enabled ? ui.c.green('Firewall: ENABLED') : ui.c.yellow('Firewall: DISABLED'))} — ${app.name || appKey}`);
+    console.log(`  ${ui.c.dim('App key:')} ${app.key || appKey}`);
+    console.log('');
+    console.log(`  ${ui.c.dim('Running SDK instances pick up the change within ~10s.')}`);
+    console.log('');
+  } catch (err) {
+    s.fail(`Failed to ${enabled ? 'enable' : 'disable'} firewall`);
+    throw err;
+  }
+}
+
+async function enable(args, flags) { return setEnabled(args, flags, true); }
+async function disable(args, flags) { return setEnabled(args, flags, false); }
+
+async function appsList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Loading apps');
+  try {
+    const data = await api.get('/firewall/apps');
+    s.stop('Apps loaded');
+
+    if (flags.json) { ui.json(data); return; }
+
+    const apps = data.apps || [];
+    if (apps.length === 0) {
+      console.log('');
+      console.log(`  ${ui.c.dim('No apps yet. Create one with `securenow apps create <name>`.')}`);
+      console.log('');
+      return;
+    }
+
+    console.log('');
+    for (const a of apps) {
+      const tag = a.firewallEnabled ? ui.c.green('ON ') : ui.c.yellow('OFF');
+      console.log(`  ${tag}  ${ui.c.bold(a.name)}  ${ui.c.dim(a.key)}`);
+    }
+    console.log('');
+    console.log(`  ${ui.c.dim('Toggle:')} securenow firewall enable --app <key>`);
+    console.log(`  ${ui.c.dim('       :')} securenow firewall disable --app <key>`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to list apps');
+    throw err;
+  }
+}
+
+module.exports = { status, testIp, enable, disable, appsList };

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');
@@ -178,10 +178,14 @@ const COMMANDS = {
     defaultSub: 'list',
   },
   firewall: {
-    desc: 'Firewall status and IP testing',
+    desc: 'Firewall status, per-app toggle, and IP testing',
     usage: 'securenow firewall <subcommand> [options]',
+    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
       status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
+      apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
+      enable: { desc: 'Turn the firewall ON for an app', usage: 'securenow firewall enable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
+      disable: { desc: 'Turn the firewall OFF for an app', usage: 'securenow firewall disable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
       'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',

package/docs/ENVIRONMENT-VARIABLES.md

@@ -25,7 +25,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_DISABLE_INSTRUMENTATIONS** | Optional | - | Comma-separated list of OTel instrumentations to disable |
 | **SECURENOW_TEST_SPAN** | Optional | `0` | Emit a single test span on startup (prefer `npx securenow test-span`) |
 | **SECURENOW_HIDE_BANNER** | Optional | `0` | Hide the free-trial banner |
-| **SECURENOW_FIREWALL_ENABLED** | Optional | `1` (on when API key is set) | Firewall master switch |
+| **SECURENOW_FIREWALL_ENABLED** | Optional | (dashboard toggle) | Local override only — set to `0` to force-off regardless of dashboard. Primary control is the per-app toggle at `/dashboard/firewall` (≥ 7.3.0). |
 | **SECURENOW_ENABLE_MONGODB_INSTRUMENTATION** | Optional | `0` | Opt in to MongoDB instrumentation (off by default since a cursor bug on mongodb@6.6+; safe since SDK v6.0.2) |
 | **OTEL_SERVICE_NAME** | Optional | - | Alternative to SECURENOW_APPID (label only, no routing) |
 | **OTEL_EXPORTER_OTLP_ENDPOINT** | Optional | - | Alternative to SECURENOW_INSTANCE |

package/firewall-only.js

@@ -16,12 +16,17 @@ try { require('dotenv').config(); } catch (_) {}
 const env = (k) =>
   process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
 
-const { resolveApiKey } = require('./app-config');
+const { resolveApiKey, resolveAppKey } = require('./app-config');
 const firewallApiKey = resolveApiKey();
+const appKey = resolveAppKey();
 
+// SECURENOW_FIREWALL_ENABLED=0 is a hard local override (ops escape hatch).
+// In all other cases the toggle lives in the dashboard; default ON when an
+// API key is present.
 if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
   require('./firewall').init({
     apiKey: firewallApiKey,
+    appKey: appKey || null,
     apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
     versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
     syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/firewall.js

@@ -16,9 +16,16 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
+let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 
+// Remote toggle — set by /firewall/sync when an appKey is in scope. Default
+// true so a missing/unreachable backend fails open (matches pre-7.3 behavior).
+// When the dashboard / CLI flips this off, the next poll suppresses
+// enforcement without restarting the host process.
+let _remoteEnabled = true;
+let _lastRemoteEnabled = null;
+
 // Allowlist state
 let _allowlistMatcher = null;
 let _allowlistRawIps = [];
@@ -133,7 +140,8 @@ function httpGet(url, extraHeaders, timeout, callback) {
 // ────── Unified Sync (v2 — single request for everything) ──────
 
 function doUnifiedSync(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/sync');
+  const appQuery = _options.appKey ? `?app=${encodeURIComponent(_options.appKey)}` : '';
+  const url = buildUrl(_options.apiUrl, '/firewall/sync') + appQuery;
   const headers = {};
   if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
   if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
@@ -165,6 +173,21 @@ function doUnifiedSync(callback) {
       let blChanged = false;
       let alChanged = false;
 
+      // Apply remote per-app toggle. Absent body.app means the backend either
+      // doesn't know about appKey-scoped sync (older API) or no appKey was
+      // sent — leave the previous value untouched (default true on first run).
+      if (body.app && typeof body.app.firewallEnabled === 'boolean') {
+        const next = body.app.firewallEnabled;
+        if (next !== _lastRemoteEnabled) {
+          _remoteEnabled = next;
+          if (_options.log) {
+            console.log('[securenow] Firewall: remote toggle → %s (app=%s)',
+              next ? 'ENABLED' : 'DISABLED', body.app.key || _options.appKey);
+          }
+          _lastRemoteEnabled = next;
+        }
+      }
+
       // Update blocklist version + data
       if (body.blocklist) {
         const newVer = body.blocklist.version;
@@ -559,6 +582,14 @@ function sendBlockResponse(req, res, ip) {
 }
 
 function firewallRequestHandler(req, res) {
+  // Remote disable wins over everything: when the dashboard / CLI flips the
+  // toggle off, requests pass through the SDK as if the firewall weren't
+  // installed. The poll loop keeps running so we re-enable within seconds.
+  if (_remoteEnabled === false) {
+    _stats.suppressedDisabled++;
+    return false;
+  }
+
   const ip = resolveClientIp(req);
 
   // Allowlist check: if active, only listed IPs are allowed through
@@ -711,10 +742,16 @@ function getStats() {
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,
     unifiedSync: _useUnifiedSync,
+    remoteEnabled: _remoteEnabled,
+    appKey: _options ? _options.appKey || null : null,
   };
 }
 
-function getMatcher() { return _matcher; }
-function getAllowlistMatcher() { return _allowlistMatcher; }
+// Layers (TCP / iptables / cloud) read the matcher to populate kernel-level
+// rules. When the remote toggle is off, return null so they treat the policy
+// as "no IPs to block" without us mutating the cached matcher.
+function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
+function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function isRemoteEnabled() { return _remoteEnabled !== false; }
 
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, isRemoteEnabled };

package/nextjs.js

@@ -150,7 +150,10 @@ function registerSecureNow(options = {}) {
 
     const rawBase = (options.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
     const baseName = rawBase || null;
-    const noUuid = options.noUuid ?? (String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
+    // Default: auto-disable suffix when logged in (appId is the routing UUID
+    // and the dashboard does exact match). opts.noUuid or SECURENOW_NO_UUID
+    // override.
+    const noUuid = appConfig.resolveNoUuid({ noUuid: options.noUuid });
 
     // service.name
     let serviceName;
@@ -613,11 +616,14 @@ function registerSecureNow(options = {}) {
   // Firewall — runs independently from OTel so it works even if tracing fails.
   // Key comes from env OR .securenow/credentials.json (set via
   // `npx securenow api-key set snk_live_...`), so you don't need a .env entry.
-  const firewallApiKey = require('./app-config').resolveApiKey();
+  const appConfig = require('./app-config');
+  const firewallApiKey = appConfig.resolveApiKey();
+  const firewallAppKey = appConfig.resolveAppKey();
   if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
     try {
       require('./firewall').init({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey || null,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/nuxt-server-plugin.mjs

@@ -83,10 +83,10 @@ export default defineNitroPlugin((nitroApp) => {
   // ── Naming ──
   const rawBase = (opts.serviceName || resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
   const baseName = rawBase || null;
-  const noUuid =
-    opts.noUuid ??
-    (String(env('SECURENOW_NO_UUID')) === '1' ||
-      String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true');
+  // Default: auto-disable per-worker suffix when logged in (appId is the
+  // routing UUID and the dashboard does exact match). opts.noUuid or
+  // SECURENOW_NO_UUID override.
+  const noUuid = appConfig.resolveNoUuid({ noUuid: opts.noUuid });
 
   let serviceName;
   if (baseName) {
@@ -328,11 +328,13 @@ export default defineNitroPlugin((nitroApp) => {
 
   // ── Firewall — runs independently from OTel ──
   const firewallApiKey = env('SECURENOW_API_KEY');
+  const firewallAppKey = env('SECURENOW_APPID') || null;
   if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.2.0",
+  "version": "7.3.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -10,7 +10,11 @@
  *
  * Env:
  *   SECURENOW_APPID=logical-name              # or OTEL_SERVICE_NAME=logical-name
- *   SECURENOW_NO_UUID=1                       # one service.name across all workers
+ *   SECURENOW_NO_UUID=1|0                     # override. Default: auto — 1 when
+ *                                              logged in (appId is routing UUID,
+ *                                              dashboard does exact match),
+ *                                              0 pre-login (use suffix to
+ *                                              distinguish PM2 cluster workers).
  *   SECURENOW_INSTANCE=http://host:4318       # OTLP/HTTP base (default https://freetrial.securenow.ai:4318)
  *   OTEL_EXPORTER_OTLP_ENDPOINT=...           # alternative base
  *   OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=...    # full traces URL
@@ -288,7 +292,10 @@ const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
 // -------- naming rules --------
 const rawBase = (resolvedApp.appId || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
-const noUuid   = String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true';
+// Auto-disables the per-worker suffix when we resolved a routing UUID from
+// credentials — the dashboard does exact-match IN on service.name, so any
+// suffix breaks routing. Env SECURENOW_NO_UUID=0|1 still overrides.
+const noUuid   = appConfig.resolveNoUuid();
 const strict   = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
 const inPm2Cluster = !!(process.env.NODE_APP_INSTANCE || process.env.pm_id);
 
@@ -604,11 +611,15 @@ const sdk = new NodeSDK({
       patchHttpForBanner();
     }
 
-    // Firewall — auto-activates when SECURENOW_API_KEY is set
-    const firewallApiKey = env('SECURENOW_API_KEY');
+    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
+    // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
+    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
+    const firewallApiKey = appConfig.resolveApiKey();
+    const firewallAppKey = appConfig.resolveAppKey();
     if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
       require('./firewall').init({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey || null,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/web-vite.mjs

@@ -52,7 +52,15 @@ const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
 // ---- naming rules (mirrors tracing.js) ----
 const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');
 const baseName = rawBase || null;
-const noUuid = String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true';
+// Default to no suffix whenever a baseName is resolved: the dashboard filters
+// service.name by exact match, and browsers have no PM2 cluster problem
+// (each tab has its own service.instance.id). Explicit SECURENOW_NO_UUID=0
+// still re-enables the suffix if someone really wants it.
+const noUuidEnv = env('SECURENOW_NO_UUID');
+const noUuid =
+  (noUuidEnv !== undefined && noUuidEnv !== '')
+    ? /^(1|true)$/i.test(String(noUuidEnv).trim())
+    : !!baseName;
 const strict = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
 
 function uuidv4(): string {