securenow 7.6.5 → 7.6.7

package/cli/auth.js

@@ -237,7 +237,7 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp, { local });
+    config.setAuth(token, email, exp, { local, enableFirewall: true });
     if (local) config.ensureLocalGitignore();
     console.log('');
     ui.success(`Logged in as ${ui.c.bold(email)}`);
@@ -255,7 +255,7 @@ async function login(args, flags) {
     const email = payload?.email || 'unknown';
     const exp = payload?.exp ? payload.exp * 1000 : null;
 
-    config.setAuth(token, email, exp, { local, app });
+    config.setAuth(token, email, exp, { local, app, enableFirewall: true });
     if (apiKey) config.setApiKey(apiKey, { local });
     if (local) config.ensureLocalGitignore();
     console.log('');

package/cli/config.js

@@ -101,11 +101,22 @@ function saveCredentials(creds, { local = false } = {}) {
   saveJSON(targetFile, appConfig.withCredentialDefaults(creds) || {});
 }
 
-function ensureCredentialDefaults({ local } = {}) {
+function withOnboardingFirewallEnabled(creds) {
+  const payload = appConfig.withCredentialDefaults(creds || {}) || {};
+  payload.config = payload.config || {};
+  payload.config.firewall = payload.config.firewall || {};
+  payload.config.firewall.enabled = true;
+  return payload;
+}
+
+function ensureCredentialDefaults({ local, enableFirewall = false } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = credentialsFileForLocal(useLocal);
   const existing = loadJSON(targetFile);
-  saveJSON(targetFile, appConfig.withCredentialDefaults(existing || {}) || {});
+  const payload = enableFirewall
+    ? withOnboardingFirewallEnabled(existing || {})
+    : appConfig.withCredentialDefaults(existing || {}) || {};
+  saveJSON(targetFile, payload);
 }
 
 function clearCredentials({ local } = {}) {
@@ -132,7 +143,7 @@ function getToken() {
   return creds.token;
 }
 
-function setAuth(token, email, expiresAt, { local = false, app = null } = {}) {
+function setAuth(token, email, expiresAt, { local = false, app = null, enableFirewall = false } = {}) {
   const targetFile = credentialsFileForLocal(local);
   const payload = { ...loadJSON(targetFile), token, email, expiresAt };
   if (app && (app.key || app.name || app.instance)) {
@@ -142,7 +153,10 @@ function setAuth(token, email, expiresAt, { local = false, app = null } = {}) {
       instance: app.instance || null,
     };
   }
-  saveCredentials(payload, { local });
+  saveJSON(
+    targetFile,
+    enableFirewall ? withOnboardingFirewallEnabled(payload) : appConfig.withCredentialDefaults(payload) || {}
+  );
 }
 
 function getApp() {
@@ -154,7 +168,7 @@ function setApiKey(apiKey, { local } = {}) {
   const useLocal = local === true || (local == null && hasLocalCredentials());
   const targetFile = credentialsFileForLocal(useLocal);
   const existing = loadJSON(targetFile);
-  saveJSON(targetFile, appConfig.withCredentialDefaults({ ...existing, apiKey }) || { apiKey });
+  saveJSON(targetFile, withOnboardingFirewallEnabled({ ...existing, apiKey }));
 }
 
 function clearApiKey({ local } = {}) {
@@ -238,6 +252,7 @@ module.exports = {
   getAuthSource,
   hasLocalCredentials,
   ensureCredentialDefaults,
+  withOnboardingFirewallEnabled,
   ensureLocalGitignore,
   getApiUrl,
   getAppUrl,

package/cli/credentials.js

@@ -20,7 +20,7 @@ function buildRuntimeCredentials(options = {}) {
     options.env ||
     appConfig.resolveDeploymentEnvironment() ||
     'production';
-  const runtime = appConfig.withCredentialDefaults({
+  const runtime = config.withOnboardingFirewallEnabled({
     apiKey: creds.apiKey || null,
     app: {
       key: creds.app?.key || null,
@@ -33,6 +33,10 @@ function buildRuntimeCredentials(options = {}) {
         ...(creds.config?.runtime || {}),
         deploymentEnvironment,
       },
+      firewall: {
+        ...(creds.config?.firewall || {}),
+        enabled: true,
+      },
     },
     _securenow: {
       ...(creds._securenow || {}),

package/cli/init.js

@@ -86,7 +86,7 @@ async function init(_args, flags) {
 }
 
 function initCredentials(flags) {
-  config.ensureCredentialDefaults({ local: true });
+  config.ensureCredentialDefaults({ local: true, enableFirewall: true });
   config.ensureLocalGitignore();
   const creds = config.loadCredentials();
   creds.config = creds.config || {};

package/firewall.js

@@ -45,12 +45,15 @@ let _circuitOpenedAt = 0;
 let _pollInflight = false;
 let _retryAfterUntil = 0;
 
-// Keep-alive agents — reuse TCP connections across polls (TLS handshake once)
-const _httpAgent = new http.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
-const _httpsAgent = new https.Agent({ keepAlive: true, maxSockets: 2, keepAliveMsecs: 30_000 });
+// Firewall control-plane traffic is low-frequency and correctness-critical.
+// Use non-keep-alive agents so clustered apps do not reuse sockets that an
+// upstream load balancer has silently closed between sync cycles.
+const _httpAgent = new http.Agent({ keepAlive: false });
+const _httpsAgent = new https.Agent({ keepAlive: false });
 const EVENT_FLUSH_INTERVAL_MS = 2_000;
 const EVENT_BATCH_SIZE = 25;
 const EVENT_QUEUE_MAX = 1_000;
+const TRANSIENT_NETWORK_CODES = new Set(['ECONNRESET', 'EPIPE', 'ETIMEDOUT', 'EAI_AGAIN']);
 
 // Unified sync uses /firewall/sync (v2). Falls back to legacy on 404.
 let _useUnifiedSync = true;
@@ -119,67 +122,95 @@ function jitter(baseMs) {
   return baseMs * (0.8 + Math.random() * 0.4);
 }
 
-function agentFor(url) {
-  return url.startsWith('https') ? _httpsAgent : _httpAgent;
-}
-
-function httpGet(url, extraHeaders, timeout, callback) {
-  const mod = url.startsWith('https') ? https : http;
-  const parsed = new URL(url);
-
-  const req = mod.request({
-    hostname: parsed.hostname,
-    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
-    path: parsed.pathname + parsed.search,
-    method: 'GET',
-    headers: {
-      'Authorization': `Bearer ${_options.apiKey}`,
-      'User-Agent': 'securenow-firewall-sdk',
-      ...extraHeaders,
-    },
-    timeout,
-    agent: agentFor(url),
-  }, (res) => {
-    let data = '';
-    res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => { callback(null, res, data); });
-  });
-
-  req.on('error', (err) => callback(err));
-  req.on('timeout', () => { req.destroy(); callback(new Error('Request timed out')); });
-  req.end();
+function agentFor(url) {
+  return url.startsWith('https') ? _httpsAgent : _httpAgent;
 }
 
-function httpPostJson(url, body, timeout, callback) {
+function isTransientNetworkError(err) {
+  if (!err) return false;
+  if (err.code && TRANSIENT_NETWORK_CODES.has(err.code)) return true;
+  return /socket hang up|connection reset|ECONNRESET/i.test(String(err.message || ''));
+}
+
+function formatRequestError(err) {
+  if (!err) return 'unknown error';
+  const parts = [err.message || String(err)];
+  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+  if (err.syscall) parts.push(`syscall=${err.syscall}`);
+  return parts.join(' ');
+}
+
+function requestOnce(method, url, body, extraHeaders, timeout, callback) {
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
-  const payload = JSON.stringify(body || {});
+  const payload = body == null ? null : JSON.stringify(body || {});
 
   const req = mod.request({
     hostname: parsed.hostname,
     port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
     path: parsed.pathname + parsed.search,
-    method: 'POST',
+    method,
     headers: {
       'Authorization': `Bearer ${_options.apiKey}`,
       'User-Agent': 'securenow-firewall-sdk',
-      'Content-Type': 'application/json',
-      'Content-Length': Buffer.byteLength(payload),
+      'Connection': 'close',
+      ...(payload
+        ? {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(payload),
+          }
+        : {}),
+      ...extraHeaders,
     },
     timeout,
     agent: agentFor(url),
   }, (res) => {
     let data = '';
     res.on('data', (chunk) => { data += chunk; });
-    res.on('end', () => { callback(null, res, data); });
+    res.on('end', () => { done(null, res, data); });
   });
 
-  req.on('error', (err) => callback(err));
-  req.on('timeout', () => { req.destroy(); callback(new Error('Request timed out')); });
-  req.write(payload);
+  let finished = false;
+  function done(...args) {
+    if (finished) return;
+    finished = true;
+    callback(...args);
+  }
+
+  req.on('error', (err) => done(err));
+  req.on('timeout', () => {
+    const err = new Error('Request timed out');
+    err.code = 'ETIMEDOUT';
+    done(err);
+    req.destroy(err);
+  });
+  if (payload) req.write(payload);
   req.end();
 }
 
+function requestWithRetry(method, url, body, extraHeaders, timeout, callback) {
+  requestOnce(method, url, body, extraHeaders, timeout, (err, res, data) => {
+    if (!err || !isTransientNetworkError(err)) return callback(err, res, data);
+
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall: transient API socket error, retrying once:', formatRequestError(err));
+    }
+
+    const retryTimer = setTimeout(() => {
+      requestOnce(method, url, body, extraHeaders, timeout, callback);
+    }, 100);
+    if (retryTimer.unref) retryTimer.unref();
+  });
+}
+
+function httpGet(url, extraHeaders, timeout, callback) {
+  requestWithRetry('GET', url, null, extraHeaders, timeout, callback);
+}
+
+function httpPostJson(url, body, timeout, callback) {
+  requestWithRetry('POST', url, body, {}, timeout, callback);
+}
+
 function scheduleEventFlush() {
   if (_eventTimer || _eventQueue.length === 0) return;
   _eventTimer = setTimeout(() => {
@@ -202,7 +233,7 @@ function flushFirewallEvents() {
   httpPostJson(url, { events: batch }, 5000, (err, res) => {
     if (err || !res || res.statusCode >= 400) {
       if (_options.log) {
-        const msg = err ? err.message : `API returned ${res.statusCode}`;
+        const msg = err ? formatRequestError(err) : `API returned ${res.statusCode}`;
         console.warn('[securenow] Firewall: failed to report blocked-request ledger:', msg);
       }
     }
@@ -448,19 +479,19 @@ function doLegacyPoll(callback) {
       callback(null, { blChanged, alChanged });
     }
 
-    if (blChanged) {
-      legacyBlocklistSync((err, changed, stats) => {
-        if (err && _options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
-        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
-        syncDone();
-      });
-    }
-    if (alChanged) {
-      legacyAllowlistSync((err, changed, stats) => {
-        if (err && _options.log) console.warn('[securenow] Firewall: allowlist sync failed:', err.message);
-        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
-        syncDone();
-      });
+    if (blChanged) {
+      legacyBlocklistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', formatRequestError(err));
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+        syncDone();
+      });
+    }
+    if (alChanged) {
+      legacyAllowlistSync((err, changed, stats) => {
+        if (err && _options.log) console.warn('[securenow] Firewall: allowlist sync failed:', formatRequestError(err));
+        else if (changed && stats && _options.log) console.log('[securenow] Firewall: re-synced %d allowed IPs', stats.total);
+        syncDone();
+      });
     }
   }
 
@@ -495,7 +526,7 @@ function pollOnce(callback) {
       _consecutiveErrors++;
       _stats.errors++;
       maybeOpenCircuit();
-      if (_options.log) console.warn('[securenow] Firewall: poll failed:', err.message);
+      if (_options.log) console.warn('[securenow] Firewall: poll failed:', formatRequestError(err));
       return callback(err);
     }
     _consecutiveErrors = 0;
@@ -565,7 +596,7 @@ function startSyncLoop() {
           if (retryTimer.unref) retryTimer.unref();
           return;
         }
-        if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
+        if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', formatRequestError(err));
         if (_options.failMode === 'closed') {
           _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.6.5",
+  "version": "7.6.7",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",