securenow 7.2.1 → 7.4.0

package/cli/auth.js

@@ -19,6 +19,18 @@ function openBrowser(url) {
   }
 }
 
+function buildCliAuthUrl(appUrl, port, nonce, extra = {}) {
+  const url = new URL('/cli/auth', appUrl);
+  url.searchParams.set('callback', `http://127.0.0.1:${port}/callback`);
+  url.searchParams.set('state', nonce);
+  for (const [key, value] of Object.entries(extra)) {
+    if (value !== undefined && value !== null) {
+      url.searchParams.set(key, String(value));
+    }
+  }
+  return url.toString();
+}
+
 function decodeJwtPayload(token) {
   try {
     const parts = token.split('.');
@@ -98,7 +110,7 @@ async function loginWithBrowser() {
           const email = payload?.email || 'unknown account';
           const safeEmail = email.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
           const port = server.address().port;
-          const switchUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}&force_login=1`;
+          const switchUrl = buildCliAuthUrl(appUrl, port, nonce, { force_login: 1 });
 
           res.end([
             '<!DOCTYPE html><html><head><meta charset="utf-8"><title>SecureNow CLI Login</title></head>',
@@ -171,7 +183,7 @@ async function loginWithBrowser() {
 
     server.listen(0, '127.0.0.1', () => {
       const port = server.address().port;
-      const authUrl = `${appUrl}/cli/auth?callback=http://127.0.0.1:${port}/callback&state=${encodeURIComponent(nonce)}`;
+      const authUrl = buildCliAuthUrl(appUrl, port, nonce);
 
       console.log('');
       ui.info('Opening browser for authentication...');

package/cli/firewall.js

@@ -97,4 +97,78 @@ async function testIp(args, flags) {
   }
 }
 
-module.exports = { status, testIp };
+async function resolveAppKey(flags) {
+  if (flags && flags.app) return String(flags.app);
+  try {
+    const { resolveAppKey: r } = require('../app-config');
+    const k = r();
+    if (k) return k;
+  } catch (_) {}
+  return null;
+}
+
+async function setEnabled(args, flags, enabled) {
+  requireAuth();
+  const appKey = await resolveAppKey(flags);
+  if (!appKey) {
+    ui.error('No app selected. Pass --app <key> or run `securenow login` / `securenow apps default <key>`.');
+    process.exit(1);
+  }
+
+  const verb = enabled ? 'Enabling' : 'Disabling';
+  const s = ui.spinner(`${verb} firewall for ${appKey}`);
+  try {
+    const data = await api.patch(`/firewall/app/${encodeURIComponent(appKey)}`, { enabled });
+    s.stop(`Firewall ${enabled ? 'enabled' : 'disabled'}`);
+
+    if (flags.json) { ui.json(data); return; }
+
+    const app = data.app || {};
+    console.log('');
+    console.log(`  ${ui.c.bold(enabled ? ui.c.green('Firewall: ENABLED') : ui.c.yellow('Firewall: DISABLED'))} — ${app.name || appKey}`);
+    console.log(`  ${ui.c.dim('App key:')} ${app.key || appKey}`);
+    console.log('');
+    console.log(`  ${ui.c.dim('Running SDK instances pick up the change within ~10s.')}`);
+    console.log('');
+  } catch (err) {
+    s.fail(`Failed to ${enabled ? 'enable' : 'disable'} firewall`);
+    throw err;
+  }
+}
+
+async function enable(args, flags) { return setEnabled(args, flags, true); }
+async function disable(args, flags) { return setEnabled(args, flags, false); }
+
+async function appsList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Loading apps');
+  try {
+    const data = await api.get('/firewall/apps');
+    s.stop('Apps loaded');
+
+    if (flags.json) { ui.json(data); return; }
+
+    const apps = data.apps || [];
+    if (apps.length === 0) {
+      console.log('');
+      console.log(`  ${ui.c.dim('No apps yet. Create one with `securenow apps create <name>`.')}`);
+      console.log('');
+      return;
+    }
+
+    console.log('');
+    for (const a of apps) {
+      const tag = a.firewallEnabled ? ui.c.green('ON ') : ui.c.yellow('OFF');
+      console.log(`  ${tag}  ${ui.c.bold(a.name)}  ${ui.c.dim(a.key)}`);
+    }
+    console.log('');
+    console.log(`  ${ui.c.dim('Toggle:')} securenow firewall enable --app <key>`);
+    console.log(`  ${ui.c.dim('       :')} securenow firewall disable --app <key>`);
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to list apps');
+    throw err;
+  }
+}
+
+module.exports = { status, testIp, enable, disable, appsList };

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');
@@ -178,10 +178,14 @@ const COMMANDS = {
     defaultSub: 'list',
   },
   firewall: {
-    desc: 'Firewall status and IP testing',
+    desc: 'Firewall status, per-app toggle, and IP testing',
     usage: 'securenow firewall <subcommand> [options]',
+    flags: { app: 'App key (defaults to logged-in app)', json: 'Output as JSON' },
     sub: {
       status: { desc: 'Show firewall status, layers, and blocklist info', run: (a, f) => require('./cli/firewall').status(a, f) },
+      apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
+      enable: { desc: 'Turn the firewall ON for an app', usage: 'securenow firewall enable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
+      disable: { desc: 'Turn the firewall OFF for an app', usage: 'securenow firewall disable [--app <key>]', flags: { app: 'App key (defaults to logged-in app)' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
       'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip>', run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',

package/docs/ENVIRONMENT-VARIABLES.md

@@ -25,7 +25,7 @@ Complete reference for all environment variables supported by SecureNow.
 | **SECURENOW_DISABLE_INSTRUMENTATIONS** | Optional | - | Comma-separated list of OTel instrumentations to disable |
 | **SECURENOW_TEST_SPAN** | Optional | `0` | Emit a single test span on startup (prefer `npx securenow test-span`) |
 | **SECURENOW_HIDE_BANNER** | Optional | `0` | Hide the free-trial banner |
-| **SECURENOW_FIREWALL_ENABLED** | Optional | `1` (on when API key is set) | Firewall master switch |
+| **SECURENOW_FIREWALL_ENABLED** | Optional | (dashboard toggle) | Local override only — set to `0` to force-off regardless of dashboard. Primary control is the per-app toggle at `/dashboard/firewall` (≥ 7.3.0). |
 | **SECURENOW_ENABLE_MONGODB_INSTRUMENTATION** | Optional | `0` | Opt in to MongoDB instrumentation (off by default since a cursor bug on mongodb@6.6+; safe since SDK v6.0.2) |
 | **OTEL_SERVICE_NAME** | Optional | - | Alternative to SECURENOW_APPID (label only, no routing) |
 | **OTEL_EXPORTER_OTLP_ENDPOINT** | Optional | - | Alternative to SECURENOW_INSTANCE |

package/firewall-only.js

@@ -16,12 +16,17 @@ try { require('dotenv').config(); } catch (_) {}
 const env = (k) =>
   process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
 
-const { resolveApiKey } = require('./app-config');
+const { resolveApiKey, resolveAppKey } = require('./app-config');
 const firewallApiKey = resolveApiKey();
+const appKey = resolveAppKey();
 
+// SECURENOW_FIREWALL_ENABLED=0 is a hard local override (ops escape hatch).
+// In all other cases the toggle lives in the dashboard; default ON when an
+// API key is present.
 if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
   require('./firewall').init({
     apiKey: firewallApiKey,
+    appKey: appKey || null,
     apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
     versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
     syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/firewall.js

@@ -16,9 +16,16 @@ let _initialized = false;
 let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
+let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0, suppressedDisabled: 0 };
 let _localhostFallbackTried = false;
 
+// Remote toggle — set by /firewall/sync when an appKey is in scope. Default
+// true so a missing/unreachable backend fails open (matches pre-7.3 behavior).
+// When the dashboard / CLI flips this off, the next poll suppresses
+// enforcement without restarting the host process.
+let _remoteEnabled = true;
+let _lastRemoteEnabled = null;
+
 // Allowlist state
 let _allowlistMatcher = null;
 let _allowlistRawIps = [];
@@ -133,7 +140,8 @@ function httpGet(url, extraHeaders, timeout, callback) {
 // ────── Unified Sync (v2 — single request for everything) ──────
 
 function doUnifiedSync(callback) {
-  const url = buildUrl(_options.apiUrl, '/firewall/sync');
+  const appQuery = _options.appKey ? `?app=${encodeURIComponent(_options.appKey)}` : '';
+  const url = buildUrl(_options.apiUrl, '/firewall/sync') + appQuery;
   const headers = {};
   if (_lastVersion) headers['X-Blocklist-Version'] = _lastVersion;
   if (_lastAllowlistVersion) headers['X-Allowlist-Version'] = _lastAllowlistVersion;
@@ -165,6 +173,21 @@ function doUnifiedSync(callback) {
       let blChanged = false;
       let alChanged = false;
 
+      // Apply remote per-app toggle. Absent body.app means the backend either
+      // doesn't know about appKey-scoped sync (older API) or no appKey was
+      // sent — leave the previous value untouched (default true on first run).
+      if (body.app && typeof body.app.firewallEnabled === 'boolean') {
+        const next = body.app.firewallEnabled;
+        if (next !== _lastRemoteEnabled) {
+          _remoteEnabled = next;
+          if (_options.log) {
+            console.log('[securenow] Firewall: remote toggle → %s (app=%s)',
+              next ? 'ENABLED' : 'DISABLED', body.app.key || _options.appKey);
+          }
+          _lastRemoteEnabled = next;
+        }
+      }
+
       // Update blocklist version + data
       if (body.blocklist) {
         const newVer = body.blocklist.version;
@@ -559,6 +582,14 @@ function sendBlockResponse(req, res, ip) {
 }
 
 function firewallRequestHandler(req, res) {
+  // Remote disable wins over everything: when the dashboard / CLI flips the
+  // toggle off, requests pass through the SDK as if the firewall weren't
+  // installed. The poll loop keeps running so we re-enable within seconds.
+  if (_remoteEnabled === false) {
+    _stats.suppressedDisabled++;
+    return false;
+  }
+
   const ip = resolveClientIp(req);
 
   // Allowlist check: if active, only listed IPs are allowed through
@@ -711,10 +742,16 @@ function getStats() {
     circuitState: _circuitState,
     consecutiveErrors: _consecutiveErrors,
     unifiedSync: _useUnifiedSync,
+    remoteEnabled: _remoteEnabled,
+    appKey: _options ? _options.appKey || null : null,
   };
 }
 
-function getMatcher() { return _matcher; }
-function getAllowlistMatcher() { return _allowlistMatcher; }
+// Layers (TCP / iptables / cloud) read the matcher to populate kernel-level
+// rules. When the remote toggle is off, return null so they treat the policy
+// as "no IPs to block" without us mutating the cached matcher.
+function getMatcher() { return _remoteEnabled === false ? null : _matcher; }
+function getAllowlistMatcher() { return _remoteEnabled === false ? null : _allowlistMatcher; }
+function isRemoteEnabled() { return _remoteEnabled !== false; }
 
-module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher };
+module.exports = { init, shutdown, getStats, getMatcher, getAllowlistMatcher, isRemoteEnabled };

package/nextjs.js

@@ -616,11 +616,14 @@ function registerSecureNow(options = {}) {
   // Firewall — runs independently from OTel so it works even if tracing fails.
   // Key comes from env OR .securenow/credentials.json (set via
   // `npx securenow api-key set snk_live_...`), so you don't need a .env entry.
-  const firewallApiKey = require('./app-config').resolveApiKey();
+  const appConfig = require('./app-config');
+  const firewallApiKey = appConfig.resolveApiKey();
+  const firewallAppKey = appConfig.resolveAppKey();
   if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
     try {
       require('./firewall').init({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey || null,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/nuxt-server-plugin.mjs

@@ -328,11 +328,13 @@ export default defineNitroPlugin((nitroApp) => {
 
   // ── Firewall — runs independently from OTel ──
   const firewallApiKey = env('SECURENOW_API_KEY');
+  const firewallAppKey = env('SECURENOW_APPID') || null;
   if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
     try {
       const { init: fwInit } = await import('./firewall.js');
       fwInit({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.2.1",
+  "version": "7.4.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -611,11 +611,15 @@ const sdk = new NodeSDK({
       patchHttpForBanner();
     }
 
-    // Firewall — auto-activates when SECURENOW_API_KEY is set
-    const firewallApiKey = env('SECURENOW_API_KEY');
+    // Firewall — auto-activates only when a real snk_live_ key is resolvable.
+    // resolveApiKey() enforces the prefix, so we skip cleanly when the app has
+    // only an app-routing UUID (or nothing at all) — no 401 polling loops.
+    const firewallApiKey = appConfig.resolveApiKey();
+    const firewallAppKey = appConfig.resolveAppKey();
     if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
       require('./firewall').init({
         apiKey: firewallApiKey,
+        appKey: firewallAppKey || null,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
         versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
         syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,