securenow 7.7.15 → 7.7.16

package/SKILL-API.md

@@ -336,7 +336,7 @@ const appConfig = require('securenow/app-config');
 
 await firewall.init({
   ...appConfig.resolveFirewallOptions(),
-  apiUrl: 'https://api.securenow.ai',
+  apiUrl: 'https://ingest.securenow.ai',
   syncInterval: 3600,       // safety-net full sync every hour
   versionCheckInterval: 10, // lightweight ETag check every 10s
   failMode: 'open',         // 'open' or 'closed'

package/app-config.js

@@ -18,6 +18,7 @@ const os = require('os');
 
 const FREE_TRIAL_INSTANCE = 'https://ingest.securenow.ai';
 const DEFAULT_API_URL = 'https://api.securenow.ai';
+const DEFAULT_FIREWALL_API_URL = FREE_TRIAL_INSTANCE;
 const LEGACY_SECURENOW_GATEWAY = 'https://api.securenow.ai/api/otlp';
 const LEGACY_ENV_FALLBACK_FLAG = 'SECURENOW_ENABLE_LEGACY_ENV';
 const CONFIG_SCHEMA_VERSION = 2;
@@ -111,7 +112,7 @@ const CONFIG_EXPLANATIONS = Object.freeze({
   'config.runtime.testSpan': 'If true, emit a startup smoke span. Prefer `npx securenow test-span` for manual checks.',
   'config.runtime.hideBanner': 'Hide the free-trial response banner when using the managed free-trial collector.',
   'config.firewall.enabled': 'Secure default: app firewall enforcement starts when apiKey is present and the dashboard toggle is on.',
-  'config.firewall.apiUrl': 'SecureNow API base URL for firewall sync.',
+  'config.firewall.apiUrl': 'Optional SecureNow firewall control-plane base URL. Leave unset/default so hosted SDKs sync through the SecureNow ingest gateway.',
   'config.firewall.versionCheckInterval': 'Seconds between lightweight firewall version/ETag checks.',
   'config.firewall.syncInterval': 'Seconds between safety-net full firewall blocklist syncs.',
   'config.firewall.failMode': 'open allows traffic if SecureNow is temporarily unreachable; closed blocks all on sync failure.',
@@ -457,6 +458,41 @@ function normalizeSignalEndpoint(value, signalType) {
   return endpoint;
 }
 
+function normalizeFirewallApiUrl(value) {
+  const raw = pick(value);
+  if (raw == null) return DEFAULT_FIREWALL_API_URL;
+  const endpoint = normalizeInstanceEndpoint(raw);
+  if (!endpoint) return DEFAULT_FIREWALL_API_URL;
+  const trimmed = String(endpoint).trim().replace(/\/$/, '').replace(/\/api(?:\/v1)?$/i, '');
+
+  // api.securenow.ai was the historical SDK default. Hosted runtime sync now
+  // shares the ingest gateway so telemetry and firewall state fail or recover
+  // together, and so customer apps need only one public SecureNow egress host.
+  if (trimmed === DEFAULT_API_URL || trimmed === LEGACY_SECURENOW_GATEWAY) {
+    return DEFAULT_FIREWALL_API_URL;
+  }
+  if (trimmed === DEFAULT_FIREWALL_API_URL) return DEFAULT_FIREWALL_API_URL;
+
+  return trimmed;
+}
+
+function resolveFirewallApiUrl() {
+  return normalizeFirewallApiUrl(configValue('firewall.apiUrl', DEFAULT_API_URL));
+}
+
+function resolveFirewallApiFallbacks(primary = resolveFirewallApiUrl()) {
+  const normalizedPrimary = normalizeFirewallApiUrl(primary);
+  const fallbacks = [];
+
+  if (normalizedPrimary === DEFAULT_FIREWALL_API_URL) {
+    fallbacks.push(DEFAULT_API_URL);
+  } else if (normalizedPrimary === DEFAULT_API_URL) {
+    fallbacks.push(DEFAULT_FIREWALL_API_URL);
+  }
+
+  return uniq(fallbacks.filter((url) => url && url !== normalizedPrimary));
+}
+
 function pick(value) {
   if (value === undefined || value === null) return null;
   if (typeof value === 'string') {
@@ -694,6 +730,10 @@ function resolveOtlpHeaders() {
   if (appKey && !headers['x-api-key']) {
     headers['x-api-key'] = appKey;
   }
+  const deploymentEnvironment = resolveDeploymentEnvironment();
+  if (deploymentEnvironment && !headers['x-securenow-environment']) {
+    headers['x-securenow-environment'] = deploymentEnvironment;
+  }
   return headers;
 }
 
@@ -721,12 +761,14 @@ function resolveFirewallEnabled() {
 }
 
 function resolveFirewallOptions() {
+  const apiUrl = resolveFirewallApiUrl();
   return {
     apiKey: resolveApiKey(),
     appKey: resolveAppKey() || null,
     environment: resolveDeploymentEnvironment(),
     enabled: resolveFirewallEnabled(),
-    apiUrl: configValue('firewall.apiUrl', DEFAULT_API_URL) || DEFAULT_API_URL,
+    apiUrl,
+    apiUrlFallbacks: resolveFirewallApiFallbacks(apiUrl),
     versionCheckInterval: numberConfig('firewall.versionCheckInterval', 10, 1),
     syncInterval: numberConfig('firewall.syncInterval', 3600, 1),
     failMode: configValue('firewall.failMode', 'open') || 'open',
@@ -755,6 +797,7 @@ function resolveFirewallOptions() {
 module.exports = {
   FREE_TRIAL_INSTANCE,
   DEFAULT_API_URL,
+  DEFAULT_FIREWALL_API_URL,
   LEGACY_SECURENOW_GATEWAY,
   LEGACY_ENV_FALLBACK_FLAG,
   CONFIG_SCHEMA_VERSION,
@@ -783,6 +826,9 @@ module.exports = {
   resolveOtlpHeaderString,
   resolveEndpoints,
   resolveFirewallEnabled,
+  normalizeFirewallApiUrl,
+  resolveFirewallApiUrl,
+  resolveFirewallApiFallbacks,
   resolveFirewallOptions,
   env,
   boolEnv,

package/cli/diagnostics.js

@@ -36,6 +36,8 @@ function resolvedConfig(options = {}) {
     apiKey,
     firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
+    firewallApiUrl: firewall.apiUrl,
+    firewallSyncEndpoint: `${firewall.apiUrl.replace(/\/$/, '')}/api/v1/firewall/sync`,
     loggingEnabled: appConfig.boolConfig('logging.enabled', true),
     captureBody: appConfig.boolConfig('capture.body', true),
     captureMultipart: appConfig.boolConfig('capture.multipart', true),
@@ -330,11 +332,12 @@ async function logSend(args, flags) {
   }
 }
 
-function okHttpStatus(status) {
+function okHttpStatus(status, okStatuses) {
+  if (Array.isArray(okStatuses) && okStatuses.length) return okStatuses.includes(status);
   return status >= 200 && status < 300;
 }
 
-async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000 }) {
+async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000, okStatuses = null }) {
   try {
     const res = await httpRequest({
       method,
@@ -344,9 +347,9 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
       timeoutMs,
     });
     return {
-      ok: okHttpStatus(res.status),
+      ok: okHttpStatus(res.status, okStatuses),
       status: res.status,
-      ...(okHttpStatus(res.status) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
+      ...(okHttpStatus(res.status, okStatuses) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
     };
   } catch (err) {
     return { ok: false, error: err.message };
@@ -372,6 +375,8 @@ function env(_args, flags) {
     otlpHeaders: Object.keys(cfg.headers || {}).length ? '***' : null,
     firewallApiKey: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
     apiUrl: cfg.apiUrl,
+    firewallApiUrl: cfg.firewallApiUrl,
+    firewallSyncEndpoint: cfg.firewallSyncEndpoint,
     loggingEnabled: cfg.loggingEnabled,
     otelLogLevel: cfg.otelLogLevel,
     captureBody: cfg.captureBody,
@@ -397,6 +402,7 @@ function env(_args, flags) {
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Firewall', firewallStatusLabel(cfg)],
+    ['Firewall sync', cfg.firewallEnabled ? cfg.firewallSyncEndpoint : ui.c.dim('(not active)')],
   ]);
 
   ui.heading('Resolved credentials');
@@ -454,6 +460,26 @@ async function doctor(_args, flags) {
     checks.push({ name: 'api', ...api });
   }
 
+  if (cfg.apiKey && cfg.firewallLocalEnabled) {
+    const query = new URLSearchParams();
+    if (cfg.appKey) query.set('app', cfg.appKey);
+    if (cfg.deploymentEnvironment) query.set('env', cfg.deploymentEnvironment);
+    const endpoint = `${cfg.firewallSyncEndpoint}${query.toString() ? `?${query.toString()}` : ''}`;
+    const spin4 = ui.spinner(`Probing firewall sync ${endpoint}`);
+    const sync = await probe({
+      method: 'GET',
+      endpoint,
+      headers: {
+        Authorization: `Bearer ${cfg.apiKey}`,
+        'X-SecureNow-Environment': cfg.deploymentEnvironment,
+      },
+      okStatuses: [200, 304],
+    });
+    if (sync.ok) spin4.stop(`Firewall sync reachable (HTTP ${sync.status})`);
+    else spin4.fail(`Firewall sync unreachable: ${sync.error}`);
+    checks.push({ name: 'firewall-sync', ...sync });
+  }
+
   const warnings = [];
   const singletonOkMessage = otelApiCheck.ok && otelApiCheck.packages.length
     ? `OpenTelemetry API singleton OK (${otelApiCheck.versions[0] || 'unknown'})`

package/firewall-only.js

@@ -26,6 +26,7 @@ if (firewallOptions.apiKey && firewallOptions.enabled) {
     appKey: firewallOptions.appKey,
     environment: firewallOptions.environment,
     apiUrl: firewallOptions.apiUrl,
+    apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
     versionCheckInterval: firewallOptions.versionCheckInterval,
     syncInterval: firewallOptions.syncInterval,
     failMode: firewallOptions.failMode,

package/firewall.js

@@ -21,6 +21,7 @@ let _stats = { syncs: 0, blocked: 0, rateLimited: 0, allowed: 0, versionChecks:
 let _localhostFallbackTried = false;
 let _eventQueue = [];
 let _eventTimer = null;
+let _remainingApiUrlFallbacks = [];
 
 // Remote toggle - set by /firewall/sync when an appKey is in scope. Default
 // true so a missing/unreachable backend fails open (matches pre-7.3 behavior).
@@ -60,7 +61,7 @@ const _httpsAgent = new https.Agent({ keepAlive: false });
 const EVENT_FLUSH_INTERVAL_MS = 2_000;
 const EVENT_BATCH_SIZE = 25;
 const EVENT_QUEUE_MAX = 1_000;
-const TRANSIENT_NETWORK_CODES = new Set(['ECONNRESET', 'EPIPE', 'ETIMEDOUT', 'EAI_AGAIN']);
+const TRANSIENT_NETWORK_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'EPIPE', 'ETIMEDOUT', 'EAI_AGAIN', 'ENOTFOUND']);
 
 // Unified sync uses /firewall/sync (v2). Falls back to legacy on 404.
 let _useUnifiedSync = true;
@@ -156,7 +157,13 @@ function agentFor(url) {
 function isTransientNetworkError(err) {
   if (!err) return false;
   if (err.code && TRANSIENT_NETWORK_CODES.has(err.code)) return true;
-  return /socket hang up|connection reset|ECONNRESET/i.test(String(err.message || ''));
+  return /socket hang up|connection reset|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(String(err.message || ''));
+}
+
+function isApiReachabilityError(err) {
+  if (isTransientNetworkError(err)) return true;
+  const text = `${err && err.code || ''} ${err && err.message || ''}`;
+  return /TLS|SSL|certificate|CERT_|UNABLE_TO_VERIFY|self signed/i.test(text);
 }
 
 function formatRequestError(err) {
@@ -167,6 +174,33 @@ function formatRequestError(err) {
   return parts.join(' ');
 }
 
+function resetApiUrlFallbacks() {
+  const seen = new Set([_options && _options.apiUrl].filter(Boolean));
+  _remainingApiUrlFallbacks = [];
+  for (const candidate of Array.isArray(_options && _options.apiUrlFallbacks) ? _options.apiUrlFallbacks : []) {
+    const url = String(candidate || '').trim().replace(/\/$/, '');
+    if (!url || seen.has(url)) continue;
+    seen.add(url);
+    _remainingApiUrlFallbacks.push(url);
+  }
+}
+
+function switchToNextApiUrl(reason) {
+  if (!_options || _remainingApiUrlFallbacks.length === 0) return false;
+  const previous = _options.apiUrl;
+  _options.apiUrl = _remainingApiUrlFallbacks.shift();
+  _lastUnifiedEtag = null;
+  _lastSyncEtag = null;
+  _lastAllowlistSyncEtag = null;
+  if (_options.log) {
+    fwWarn('[securenow] Firewall: %s unreachable (%s), retrying sync via %s',
+      previous,
+      reason || 'network error',
+      _options.apiUrl);
+  }
+  return true;
+}
+
 function requestOnce(method, url, body, extraHeaders, timeout, callback) {
   const mod = url.startsWith('https') ? https : http;
   const parsed = new URL(url);
@@ -562,9 +596,15 @@ function pollOnce(callback) {
 
   const done = (err, result) => {
     _pollInflight = false;
-    if (err) {
-      _consecutiveErrors++;
-      _stats.errors++;
+    if (err) {
+      if (isApiReachabilityError(err) && switchToNextApiUrl(formatRequestError(err))) {
+        _pollInflight = false;
+        const retryTimer = setTimeout(() => pollOnce(callback), 1000);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      _consecutiveErrors++;
+      _stats.errors++;
       maybeOpenCircuit();
       if (_options.log) fwWarn('[securenow] Firewall: poll failed:', formatRequestError(err));
       return callback(err);
@@ -623,9 +663,14 @@ function startSyncLoop() {
     const syncFn = _useUnifiedSync ? doUnifiedSync : (cb) => doLegacyPoll(cb);
 
     syncFn((err, result) => {
-      if (err) {
-        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
-        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
+      if (err) {
+        const isConnErr = /ECONNREFUSED|ENOTFOUND|timed out/i.test(err.message);
+        if (isApiReachabilityError(err) && switchToNextApiUrl(formatRequestError(err))) {
+          const retryTimer = setTimeout(initialSync, 1000);
+          if (retryTimer.unref) retryTimer.unref();
+          return;
+        }
+        if (isConnErr && !_localhostFallbackTried && _options.apiUrl !== 'http://localhost:4000') {
           _localhostFallbackTried = true;
           const origUrl = _options.apiUrl;
           _options.apiUrl = 'http://localhost:4000';
@@ -981,10 +1026,15 @@ function patchHttpLayer() {
 
 // Init
 
-function init(options) {
-  _options = options;
+function init(options) {
+  _options = options || {};
+  _options.apiUrl = String(_options.apiUrl || '').trim().replace(/\/$/, '');
+  _localhostFallbackTried = false;
+  _useUnifiedSync = true;
+  resetApiUrlFallbacks();
 
   if (_options.log) fwLog('[securenow] Firewall: ENABLED');
+  if (_options.log && _options.apiUrl) fwLog('[securenow] Firewall: sync endpoint=%s/api/v1/firewall/sync', _options.apiUrl);
   if (_options.log && _options.environment) fwLog('[securenow] Firewall: environment=%s', _options.environment);
 
   patchHttpLayer();
@@ -1043,8 +1093,10 @@ function shutdown() {
   _consecutiveErrors = 0;
   _pollInflight = false;
   _retryAfterUntil = 0;
+  _localhostFallbackTried = false;
   _rateLimitRules = [];
   _rateLimitBuckets = new Map();
+  _remainingApiUrlFallbacks = [];
 
   _httpAgent.destroy();
   _httpsAgent.destroy();

package/nextjs.js

@@ -189,6 +189,8 @@ function registerSecureNow(options = {}) {
       if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
       if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
       if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+      const headerString = appConfig.headersToString(headers);
+      if (headerString && !process.env.OTEL_EXPORTER_OTLP_HEADERS) process.env.OTEL_EXPORTER_OTLP_HEADERS = headerString;
     }
 
     console.log('[securenow] Next.js App -> service.name=%s', serviceName);
@@ -376,11 +378,11 @@ function registerSecureNow(options = {}) {
     // the remote end (ECONNRESET / "socket hang up"). These transient errors
     // sometimes escape as unhandled exceptions or rejections. We catch them
     // here and log at debug level instead of crashing the host app.
-    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
     function _isOtlpTransientError(err) {
       if (!err) return false;
       if (_TRANSIENT_CODES.has(err.code)) return true;
-      if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+      if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
       return false;
     }
     function _looksLikeOtlpStack(err) {
@@ -389,21 +391,53 @@ function registerSecureNow(options = {}) {
       return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
         || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
     }
+    function _looksLikeConfiguredOtlpEndpoint(err) {
+      const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+      try {
+        const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+        return hosts.some((host) => host && text.includes(host));
+      } catch (_) {
+        return false;
+      }
+    }
     const _diagDebug = otelLogLevel === 'debug';
+    let _lastSuppressedOtlpErrorLogAt = 0;
+    function _originalConsole(method) {
+      const originals = console.__securenow_original || console.__securenowOriginalConsole;
+      return (originals && originals[method]) || console[method] || console.log;
+    }
+    function _formatOtlpError(err) {
+      if (!err) return 'unknown error';
+      const parts = [err.message || String(err)];
+      if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+      if (err.syscall) parts.push(`syscall=${err.syscall}`);
+      if (err.hostname) parts.push(`host=${err.hostname}`);
+      return parts.join(' ');
+    }
+    function _reportSuppressedOtlpError(kind, err, origin) {
+      if (otelLogLevel === 'none') return;
+      const now = Date.now();
+      if (!_diagDebug && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+      _lastSuppressedOtlpErrorLogAt = now;
+      const method = _diagDebug ? 'debug' : 'error';
+      _originalConsole(method).call(
+        console,
+        '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+        kind,
+        origin || 'async',
+        _formatOtlpError(err)
+      );
+    }
     process.on('uncaughtException', (err, origin) => {
-      if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-        }
+      if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+        _reportSuppressedOtlpError('error', err, origin);
         return;
       }
       throw err;
     });
     process.on('unhandledRejection', (reason) => {
-      if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-        if (_diagDebug) {
-          console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-        }
+      if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+        _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
         return;
       }
       throw reason;
@@ -632,6 +666,7 @@ function registerSecureNow(options = {}) {
         appKey: firewallOptions.appKey,
         environment: deploymentEnvironment || firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/nuxt-server-plugin.mjs

@@ -326,6 +326,7 @@ export default defineNitroPlugin(async (nitroApp) => {
         appKey: firewallOptions.appKey,
         environment: deploymentEnvironment || firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.7.15",
+  "version": "7.7.16",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -580,11 +580,11 @@ if (loggingEnabled) {
 // request's error path isn't fully covered by the OTel library. We install
 // targeted process-level handlers to catch them and log at debug level instead
 // of crashing the host app.
-const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN', 'ENOTFOUND']);
 function _isOtlpTransientError(err) {
   if (!err) return false;
   if (_TRANSIENT_CODES.has(err.code)) return true;
-  if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+  if (typeof err.message === 'string' && /socket hang up|ECONNRESET|ECONNREFUSED|ENOTFOUND|EAI_AGAIN|timed out/i.test(err.message)) return true;
   return false;
 }
 function _looksLikeOtlpStack(err) {
@@ -593,22 +593,55 @@ function _looksLikeOtlpStack(err) {
   return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
     || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
 }
+function _looksLikeConfiguredOtlpEndpoint(err) {
+  const text = `${err && err.hostname || ''} ${err && err.host || ''} ${err && err.message || ''}`;
+  try {
+    const hosts = [new URL(tracesUrl).hostname, new URL(logsUrl).hostname].filter(Boolean);
+    return hosts.some((host) => host && text.includes(host));
+  } catch (_) {
+    return false;
+  }
+}
+function _originalConsole(method) {
+  const originals = console.__securenow_original || console.__securenowOriginalConsole;
+  return (originals && originals[method]) || console[method] || console.log;
+}
+let _lastSuppressedOtlpErrorLogAt = 0;
+function _formatOtlpError(err) {
+  if (!err) return 'unknown error';
+  const parts = [err.message || String(err)];
+  if (err.code && !parts[0].includes(err.code)) parts.push(`code=${err.code}`);
+  if (err.syscall) parts.push(`syscall=${err.syscall}`);
+  if (err.hostname) parts.push(`host=${err.hostname}`);
+  return parts.join(' ');
+}
+function _reportSuppressedOtlpError(kind, err, origin) {
+  const level = String(diagLevel || '').toLowerCase();
+  if (level === 'none') return;
+  const now = Date.now();
+  if (level !== 'debug' && now - _lastSuppressedOtlpErrorLogAt < 60_000) return;
+  _lastSuppressedOtlpErrorLogAt = now;
+  const method = level === 'debug' ? 'debug' : 'error';
+  _originalConsole(method).call(
+    console,
+    '[securenow] OTLP exporter %s suppressed (%s). Telemetry may be missing until the ingest endpoint is reachable: %s',
+    kind,
+    origin || 'async',
+    _formatOtlpError(err)
+  );
+}
 
 process.on('uncaughtException', (err, origin) => {
-  if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
-    }
-    return; // swallow — do not crash
+  if (_isOtlpTransientError(err) && (_looksLikeOtlpStack(err) || _looksLikeConfiguredOtlpEndpoint(err))) {
+    _reportSuppressedOtlpError('error', err, origin);
+    return; // swallow - do not crash
   }
   // Not ours — re-throw so the default handler (or the app's own handler) fires
   throw err;
 });
 process.on('unhandledRejection', (reason) => {
-  if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
-    if (diagLevel === 'debug') {
-      console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
-    }
+  if (_isOtlpTransientError(reason) && (_looksLikeOtlpStack(reason) || _looksLikeConfiguredOtlpEndpoint(reason))) {
+    _reportSuppressedOtlpError('rejection', reason, 'unhandledRejection');
     return; // swallow
   }
   // Not ours — re-throw as unhandled so Node's default behaviour applies
@@ -669,6 +702,7 @@ const sdk = new NodeSDK({
         appKey: firewallOptions.appKey,
         environment: firewallOptions.environment,
         apiUrl: firewallOptions.apiUrl,
+        apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
         versionCheckInterval: firewallOptions.versionCheckInterval,
         syncInterval: firewallOptions.syncInterval,
         failMode: firewallOptions.failMode,

package/web-vite.mjs

@@ -145,6 +145,9 @@ const tracesUrl =
 const headers = parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS'));
 const deploymentEnvironment =
   env('SECURENOW_DEPLOYMENT_ENVIRONMENT') || env('SECURENOW_ENVIRONMENT') || viteEnv.MODE || 'production';
+const browserAppKey = env('SECURENOW_APPID');
+if (browserAppKey && !headers['x-api-key']) headers['x-api-key'] = browserAppKey;
+if (deploymentEnvironment && !headers['x-securenow-environment']) headers['x-securenow-environment'] = deploymentEnvironment;
 
 // ---- naming rules (mirrors tracing.js) ----
 const rawBase = (env('OTEL_SERVICE_NAME') || env('SECURENOW_APPID') || '').trim().replace(/^['"]|['"]$/g, '');