securenow 7.7.15 → 7.8.1

package/cli/diagnostics.js

@@ -22,8 +22,8 @@ function resolvedConfig(options = {}) {
     ? (noUuid ? baseName : `${baseName}-<uuid-per-worker>`)
     : '(auto-generated)';
   const apiKey = firewall.apiKey || '';
-  const firewallEnabled = !!apiKey && firewall.enabled;
-  const firewallLocalEnabled = firewall.enabled;
+  const firewallEnabled = !!apiKey;
+  const firewallLocalEnabled = true;
 
   return {
     serviceName,
@@ -36,6 +36,8 @@ function resolvedConfig(options = {}) {
     apiKey,
     firewallLocalEnabled,
     apiUrl: config.getApiUrl(),
+    firewallApiUrl: firewall.apiUrl,
+    firewallSyncEndpoint: `${firewall.apiUrl.replace(/\/$/, '')}/api/v1/firewall/sync`,
     loggingEnabled: appConfig.boolConfig('logging.enabled', true),
     captureBody: appConfig.boolConfig('capture.body', true),
     captureMultipart: appConfig.boolConfig('capture.multipart', true),
@@ -330,11 +332,12 @@ async function logSend(args, flags) {
   }
 }
 
-function okHttpStatus(status) {
+function okHttpStatus(status, okStatuses) {
+  if (Array.isArray(okStatuses) && okStatuses.length) return okStatuses.includes(status);
   return status >= 200 && status < 300;
 }
 
-async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000 }) {
+async function probe({ endpoint, method = 'POST', headers = {}, body = null, timeoutMs = 3000, okStatuses = null }) {
   try {
     const res = await httpRequest({
       method,
@@ -344,9 +347,9 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
       timeoutMs,
     });
     return {
-      ok: okHttpStatus(res.status),
+      ok: okHttpStatus(res.status, okStatuses),
       status: res.status,
-      ...(okHttpStatus(res.status) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
+      ...(okHttpStatus(res.status, okStatuses) ? {} : { error: `HTTP ${res.status}`, body: res.body ? res.body.slice(0, 500) : '' }),
     };
   } catch (err) {
     return { ok: false, error: err.message };
@@ -356,7 +359,6 @@ async function probe({ endpoint, method = 'POST', headers = {}, body = null, tim
 function firewallStatusLabel(cfg) {
   if (cfg.firewallEnabled) return ui.c.green('enabled');
   if (!cfg.apiKey) return ui.c.dim('disabled (missing firewall API key)');
-  if (!cfg.firewallLocalEnabled) return ui.c.yellow('disabled (config.firewall.enabled=false)');
   return ui.c.dim('disabled');
 }
 
@@ -372,6 +374,8 @@ function env(_args, flags) {
     otlpHeaders: Object.keys(cfg.headers || {}).length ? '***' : null,
     firewallApiKey: cfg.apiKey ? `${cfg.apiKey.slice(0, 12)}...` : null,
     apiUrl: cfg.apiUrl,
+    firewallApiUrl: cfg.firewallApiUrl,
+    firewallSyncEndpoint: cfg.firewallSyncEndpoint,
     loggingEnabled: cfg.loggingEnabled,
     otelLogLevel: cfg.otelLogLevel,
     captureBody: cfg.captureBody,
@@ -397,6 +401,7 @@ function env(_args, flags) {
     ['Body capture', cfg.captureBody ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Multipart capture', cfg.captureMultipart ? ui.c.green('enabled') : ui.c.dim('disabled')],
     ['Firewall', firewallStatusLabel(cfg)],
+    ['Firewall sync', cfg.firewallEnabled ? cfg.firewallSyncEndpoint : ui.c.dim('(not active)')],
   ]);
 
   ui.heading('Resolved credentials');
@@ -454,6 +459,26 @@ async function doctor(_args, flags) {
     checks.push({ name: 'api', ...api });
   }
 
+  if (cfg.apiKey && cfg.firewallLocalEnabled) {
+    const query = new URLSearchParams();
+    if (cfg.appKey) query.set('app', cfg.appKey);
+    if (cfg.deploymentEnvironment) query.set('env', cfg.deploymentEnvironment);
+    const endpoint = `${cfg.firewallSyncEndpoint}${query.toString() ? `?${query.toString()}` : ''}`;
+    const spin4 = ui.spinner(`Probing firewall sync ${endpoint}`);
+    const sync = await probe({
+      method: 'GET',
+      endpoint,
+      headers: {
+        Authorization: `Bearer ${cfg.apiKey}`,
+        'X-SecureNow-Environment': cfg.deploymentEnvironment,
+      },
+      okStatuses: [200, 304],
+    });
+    if (sync.ok) spin4.stop(`Firewall sync reachable (HTTP ${sync.status})`);
+    else spin4.fail(`Firewall sync unreachable: ${sync.error}`);
+    checks.push({ name: 'firewall-sync', ...sync });
+  }
+
   const warnings = [];
   const singletonOkMessage = otelApiCheck.ok && otelApiCheck.packages.length
     ? `OpenTelemetry API singleton OK (${otelApiCheck.versions[0] || 'unknown'})`
@@ -465,7 +490,7 @@ async function doctor(_args, flags) {
     warnings.push('OpenTelemetry diagnostic log level is `none`; provider registration/export errors are hidden. Set config.otel.logLevel to `error`/`warn`, or temporarily run with OTEL_LOG_LEVEL=debug.');
   }
   if (!cfg.appKey) {
-    warnings.push('No app key resolved. Run `npx securenow login` or set app.key in .securenow/credentials.json.');
+    warnings.push('No app key resolved. Run `npx securenow app connect` or set app.key in .securenow/runtime.json.');
   }
   if (cfg.instance === 'https://ingest.securenow.ai') {
     warnings.push('Using the SecureNow ingest gateway. Dedicated instances are routed server-side after policy checks.');
@@ -475,9 +500,9 @@ async function doctor(_args, flags) {
     warnings.push('Using the legacy free-trial collector directly. Regenerate credentials so telemetry flows through https://ingest.securenow.ai.');
   }
   if (!cfg.apiKey && token) {
-    warnings.push('CLI/MCP is authenticated with your SecureNow session token. Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Admin CLI/MCP auth is connected, but runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
   } else if (!cfg.apiKey) {
-    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow login` or `npx securenow api-key set snk_live_...` to refresh .securenow/credentials.json.');
+    warnings.push('Runtime firewall enforcement key is missing. Run `npx securenow app connect` or `npx securenow api-key set snk_live_...` to refresh .securenow/runtime.json.');
   }
 
   const ok = checks.every((c) => c.ok);

package/cli/firewall.js

@@ -32,7 +32,9 @@ async function status(args, flags) {
     console.log(`  ${enabledLabel}`);
     console.log('');
     ui.keyValue([
-      ['Blocked IPs', `${data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Blocked IPs', `${data.totalIps} total`],
+      ['Global blocked IPs', `${data.globalBlockIps ?? data.totalIps} total (${data.exactCount} exact + ${data.cidrCount} CIDR ranges)`],
+      ['Scoped block rules', String(data.scopedBlockRuleCount ?? 0)],
       ['App scope', appKey || 'all apps'],
       ['Environment', data.environment || environment],
       ['Last updated', data.updatedAt || 'unknown'],
@@ -77,6 +79,8 @@ async function testIp(args, flags) {
     const appKey = await resolveAppKey(flags);
     const query = { environment };
     if (appKey) query.appKey = appKey;
+    if (flags.path || flags.route) query.path = flags.path || flags.route;
+    if (flags.method) query.method = flags.method;
     const data = await api.get(`/firewall/check/${encodeURIComponent(ip)}`, { query });
 
     s.stop(`IP ${ip} checked`);
@@ -99,10 +103,16 @@ async function testIp(args, flags) {
         console.log(`  ${ui.c.dim('Allowlist is active — only listed IPs are permitted')}`);
       } else {
         console.log(`  ${ui.c.bold(ui.c.red('BLOCKED'))} — ${ip} is in the blocklist`);
-        if (data.matchedEntry && data.matchedEntry !== ip) {
-          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
-        }
-      }
+        if (data.matchedEntry && data.matchedEntry !== ip) {
+          console.log(`  ${ui.c.dim(`Matched by: ${data.matchedEntry}`)}`);
+        }
+        if (data.matchedRule) {
+          const scope = data.matchedRule.pathPattern
+            ? `${data.matchedRule.method || 'ALL'} ${data.matchedRule.pathMatchMode || 'prefix'}:${data.matchedRule.pathPattern}`
+            : data.matchedRule.method || 'ALL';
+          console.log(`  ${ui.c.dim(`Rule scope: ${scope}`)}`);
+        }
+      }
     } else {
       if (data.allowlisted) {
         console.log(`  ${ui.c.bold(ui.c.green('ALLOWED'))} — ${ip} is on the allowlist`);
@@ -111,7 +121,9 @@ async function testIp(args, flags) {
       }
     }
     console.log(`  ${ui.c.dim(`App scope: ${appKey || 'all apps'} · Environment: ${data.environment || environment}`)}`);
-    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries`)}`);
+    if (data.path) console.log(`  ${ui.c.dim(`Request scope: ${data.method || 'GET'} ${data.path}`)}`);
+    if (data.scopedMatchRequiresPath) console.log(`  ${ui.c.dim('Scoped block rules exist; pass --path to test route-specific matches')}`);
+    console.log(`  ${ui.c.dim(`Blocklist contains ${data.totalBlockedIps} entries (${data.scopedBlockRuleCount || 0} scoped)`)}`);
     if (data.allowlistActive) {
       console.log(`  ${ui.c.dim('Allowlist is active')}`);
     }
@@ -136,7 +148,7 @@ async function setEnabled(args, flags, enabled) {
   requireAuth();
   const appKey = await resolveAppKey(flags);
   if (!appKey) {
-    ui.error('No app selected. Pass --app <key> or run `securenow login` / `securenow apps default <key>`.');
+    ui.error('No app selected. Pass --app <key> or run `securenow app connect` / `securenow apps default <key>`.');
     process.exit(1);
   }
 

package/cli/init.js

@@ -81,7 +81,7 @@ async function init(_args, flags) {
 
   console.log('');
   ui.success('Setup complete.');
-  ui.info('Run `npx securenow login` if this project is not linked to an app yet.');
+  ui.info('Run `npx securenow app connect` if this project is not linked to an app yet.');
   ui.info('Then verify with `npx securenow test-span` and `npx securenow status`.');
 }
 
@@ -101,10 +101,10 @@ function initCredentials(flags) {
       process.exit(1);
     }
     config.setApiKey(explicitApiKey, { local: true });
-    ui.success('Stored firewall API key in .securenow/credentials.json');
+    ui.success('Stored firewall API key in .securenow/runtime.json');
   }
 
-  ui.success('Ensured .securenow/credentials.json has secure defaults and explanations');
+  ui.success('Ensured .securenow/runtime.json has secure defaults and explanations');
 }
 
 async function initNextJs(dir, project, flags) {
@@ -233,8 +233,8 @@ function printAgentPrompt(kind, filename, major, project) {
   ui.heading('Codex/Claude prompt');
   console.log([
     'Set up SecureNow in this existing Next.js project without using .env files.',
-    'Use .securenow/credentials.json for local and production configuration; do not add .env files.',
-    'Ignore only .securenow/credentials.json and .securenow/credentials.*.json in git; keep the .securenow/ directory itself trackable for repo-owned files.',
+    'Use .securenow/runtime.json for local SDK runtime configuration and .securenow/credentials.<env>.json for production runtime exports; do not add .env files.',
+    'Ignore only SecureNow secret files (.securenow/admin.json, .securenow/runtime.json, and .securenow/credentials*.json); keep the .securenow/ directory itself trackable for repo-owned files.',
     commands
       ? `Use the project scripts for verification when appropriate: ${commands}. Ask before starting long-running dev/start servers, and ask which command to use if these scripts are not the right customer workflow.`
       : 'Ask the customer which command starts, builds, and tests this app because package.json does not expose an obvious script.',

package/cli/security.js

@@ -441,7 +441,14 @@ async function alertHistoryList(args, flags) {
 
 // ── Blocklist ──
 
-async function blocklistList(args, flags) {
+function describeBlockTarget(entry) {
+  const parts = [entry.ip || entry.cidr || '-'];
+  if (entry.method && entry.method !== 'ALL') parts.push(entry.method);
+  if (entry.pathPattern) parts.push(`${entry.pathMatchMode || 'prefix'}:${entry.pathPattern}`);
+  return parts.join(' ');
+}
+
+async function blocklistList(args, flags) {
   requireAuth();
   const s = ui.spinner('Fetching blocklist');
   try {
@@ -465,7 +472,7 @@ async function blocklistList(args, flags) {
     console.log('');
     const rows = items.map(b => [
       ui.c.dim(ui.truncate(b._id, 12)),
-      ui.c.red(b.ip || b.cidr || '—'),
+      ui.c.red(describeBlockTarget(b)),
       ui.truncate(b.reason || '', 40),
       b.source || '—',
       b.status || 'active',
@@ -475,7 +482,7 @@ async function blocklistList(args, flags) {
       b.unblockedAt ? ui.timeAgo(b.unblockedAt) : ui.c.dim('—'),
       b.expiresAt ? new Date(b.expiresAt).toLocaleDateString() : ui.c.dim('permanent'),
     ]);
-    ui.table(['ID', 'IP/CIDR', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
+    ui.table(['ID', 'Target', 'Reason', 'Source', 'Status', 'App', 'Env', 'Added', 'Unblocked', 'Expires'], rows);
     console.log('');
   } catch (err) {
     s.fail('Failed to fetch blocklist');
@@ -496,11 +503,16 @@ async function blocklistAdd(args, flags) {
   if (flags.duration) body.duration = flags.duration;
   if (flags.app) body.appKey = flags.app;
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Blocking ${ip}`);
-  try {
-    await api.post('/blocklist', body);
-    s.stop(`${ip} added to blocklist`);
+  if (flags.route || flags.path || flags.pattern) body.pathPattern = flags.route || flags.path || flags.pattern;
+  if (flags.mode || flags['path-mode']) body.pathMatchMode = flags.mode || flags['path-mode'];
+  if (flags.method) body.method = flags.method;
+
+  const target = describeBlockTarget({ ip, method: body.method, pathPattern: body.pathPattern, pathMatchMode: body.pathMatchMode });
+  const s = ui.spinner(`Blocking ${target}`);
+  try {
+    const data = await api.post('/blocklist', body);
+    s.stop(`${target} added to blocklist`);
+    if (flags.json) ui.json(data);
   } catch (err) {
     s.fail('Failed to add to blocklist');
     throw err;
@@ -611,9 +623,17 @@ async function allowlistAdd(args, flags) {
     body.applicationKeys = String(flags.app).split(',').map((x) => x.trim()).filter(Boolean);
   }
   if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
-
-  const s = ui.spinner(`Allowing ${ip}`);
-  try {
+
+  if (!flags.force && !flags.yes) {
+    ui.warn('IP Allowlist is deny-by-default: once active, only listed IPs can reach the scoped app/environment and all others are blocked.');
+    ui.info('Use `securenow trusted add` instead if this IP should be trusted without locking out normal visitors.');
+    const ok = await ui.confirm('Add this IP to the restrictive allowlist?');
+    if (!ok) { ui.info('Cancelled'); return; }
+  }
+  body.allowlistDenyAllApproved = true;
+
+  const s = ui.spinner(`Allowing ${ip}`);
+  try {
     await api.post('/allowlist', body);
     s.stop(`${ip} added to allowlist`);
   } catch (err) {

package/cli.js

@@ -40,12 +40,12 @@ function parseArgs(argv) {
 
 const COMMANDS = {
   init: {
-    desc: 'Set up SecureNow in the current project (instrumentation + .securenow credentials)',
+    desc: 'Set up SecureNow in the current project (instrumentation + runtime credentials)',
     usage: 'securenow init [--env local] [--key <API_KEY>] [--ts|--js] [--src|--root] [--force]',
     flags: {
-      env: 'Deployment environment to write into .securenow/credentials.json (default: local)',
+      env: 'Deployment environment to write into .securenow/runtime.json (default: local)',
       environment: 'Alias for --env',
-      key: 'Firewall API key to write to .securenow/credentials.json',
+      key: 'Firewall API key to write to .securenow/runtime.json',
       'api-key': 'Alias for --key',
       typescript: 'Force TypeScript',
       javascript: 'Force JavaScript',
@@ -55,28 +55,63 @@ const COMMANDS = {
     },
     run: (a, f) => require('./cli/init').init(a, f),
   },
-  login: {
-    desc: 'Authenticate with SecureNow (saves to project .securenow/ by default)',
-    usage: 'securenow login [--token <TOKEN>] [--global]',
+  login: {
+    desc: 'Onboard SecureNow admin auth and app runtime config',
+    usage: 'securenow login [--token <TOKEN>] [--global]',
     flags: {
       token: 'Authenticate with a token directly',
       global: 'Save credentials to ~/.securenow/ (shared across all projects)',
-    },
-    run: (a, f) => require('./cli/auth').login(a, f),
-  },
-  logout: {
-    desc: 'Clear stored credentials',
-    usage: 'securenow logout [--global]',
-    flags: { global: 'Clear global credentials (~/.securenow/) instead of project-local' },
-    run: (a, f) => require('./cli/auth').logout(a, f),
-  },
-  whoami: {
-    desc: 'Show current session info',
+    },
+    run: (a, f) => require('./cli/auth').login(a, f),
+  },
+  admin: {
+    desc: 'Manage admin/control-plane CLI and MCP auth',
+    usage: 'securenow admin <subcommand> [options]',
+    sub: {
+      login: {
+        desc: 'Authenticate admin/control-plane CLI and MCP tools',
+        usage: 'securenow admin login [--token <TOKEN>] [--global]',
+        flags: {
+          token: 'Authenticate with a token directly',
+          global: 'Save admin auth to ~/.securenow/admin.json',
+        },
+        run: (a, f) => require('./cli/auth').adminLogin(a, f),
+      },
+      logout: {
+        desc: 'Clear admin/control-plane auth',
+        usage: 'securenow admin logout [--global]',
+        flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+        run: (a, f) => require('./cli/auth').logout(a, f),
+      },
+    },
+    defaultSub: 'login',
+  },
+  app: {
+    desc: 'Connect the current project runtime to a SecureNow app',
+    usage: 'securenow app <subcommand> [options]',
+    sub: {
+      connect: {
+        desc: 'Select/create app, mint firewall key, and write SDK runtime config',
+        usage: 'securenow app connect [--global]',
+        flags: { global: 'Save runtime config to ~/.securenow/runtime.json' },
+        run: (a, f) => require('./cli/auth').appConnect(a, f),
+      },
+    },
+    defaultSub: 'connect',
+  },
+  logout: {
+    desc: 'Clear admin/control-plane auth',
+    usage: 'securenow logout [--global]',
+    flags: { global: 'Clear global admin auth (~/.securenow/admin.json)' },
+    run: (a, f) => require('./cli/auth').logout(a, f),
+  },
+  whoami: {
+    desc: 'Show admin auth and SDK runtime status',
     usage: 'securenow whoami',
     run: () => require('./cli/auth').whoami(),
   },
   'api-key': {
-    desc: 'Manage the firewall API key stored in .securenow/credentials.json',
+    desc: 'Manage the firewall API key stored in runtime credentials',
     usage: 'securenow api-key <subcommand> [options]',
     sub: {
       create: {
@@ -90,7 +125,7 @@ const COMMANDS = {
         run: (a, f) => require('./cli/apiKey').create(a, f),
       },
       set: {
-        desc: 'Save an API key (snk_live_...) to the credentials file',
+        desc: 'Save an API key (snk_live_...) to runtime credentials',
         usage: 'securenow api-key set <snk_live_...> [--global]',
         flags: { global: 'Save to ~/.securenow/ instead of project-local' },
         run: (a, f) => require('./cli/apiKey').set(a, f),
@@ -273,7 +308,7 @@ const COMMANDS = {
       apps: { desc: 'List apps with their firewall on/off state', run: (a, f) => require('./cli/firewall').appsList(a, f) },
       enable: { desc: 'Turn the firewall ON for an app environment', usage: 'securenow firewall enable [--app <key>] [--env production]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').enable(a, f) },
       disable: { desc: 'Turn the firewall OFF for an app environment', usage: 'securenow firewall disable [--app <key>] [--env local]', flags: { app: 'App key (defaults to logged-in app)', env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').disable(a, f) },
-      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
+      'test-ip': { desc: 'Check if an IP would be blocked', usage: 'securenow firewall test-ip <ip> [--path /admin/users] [--method GET] [--env production]', flags: { env: 'Environment (default: production)', environment: 'Alias for --env' }, run: (a, f) => require('./cli/firewall').testIp(a, f) },
     },
     defaultSub: 'status',
   },
@@ -379,10 +414,10 @@ const COMMANDS = {
   blocklist: {
     desc: 'Manage IP blocklist',
     usage: 'securenow blocklist <subcommand> [options]',
-    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', json: 'Output as JSON' },
+    flags: { app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', page: 'Page number', limit: 'Max results', status: 'Entry status: active or removed', 'approval-status': 'Approval filter: pending, approved, or rejected', search: 'IP prefix search', view: 'List view: all or operational', reason: 'Audit reason for unblock', route: 'Route pattern such as /admin*', path: 'Alias for --route', pattern: 'Alias for --route', mode: 'Route match mode: prefix, exact, or regex', 'path-mode': 'Alias for --mode', method: 'HTTP method, or ALL', duration: 'Expiry, e.g. 24h or 7d', json: 'Output as JSON' },
     sub: {
       list: { desc: 'List blocked IPs', run: (a, f) => require('./cli/security').blocklistList(a, f) },
-      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--app <key>] [--env production] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
+      add: { desc: 'Block an IP', usage: 'securenow blocklist add <ip> [--route /admin*] [--mode prefix] [--method GET] [--app <key>] [--env production] [--duration 24h] [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistAdd(a, f) },
       unblock: { desc: 'Unblock an IP and keep block history', usage: 'securenow blocklist unblock <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       remove: { desc: 'Unblock an IP (compatibility alias)', usage: 'securenow blocklist remove <id> [--reason <reason>]', run: (a, f) => require('./cli/security').blocklistRemove(a, f) },
       stats: { desc: 'Blocklist statistics', run: (a, f) => require('./cli/security').blocklistStats(a, f) },

package/firewall-only.js

@@ -17,15 +17,15 @@ try { require('dotenv').config({ quiet: true }); } catch (_) {}
 const appConfig = require('./app-config');
 const firewallOptions = appConfig.resolveFirewallOptions();
 
-// config.firewall.enabled=false disables the local SDK firewall.
-// In all other cases the toggle lives in the dashboard; default ON when an
-// API key is present.
-if (firewallOptions.apiKey && firewallOptions.enabled) {
+// Runtime enable/disable is controlled by the dashboard/API toggle. If a
+// firewall key is present, start sync so the remote toggle can be applied.
+if (firewallOptions.apiKey) {
   require('./firewall').init({
     apiKey: firewallOptions.apiKey,
     appKey: firewallOptions.appKey,
     environment: firewallOptions.environment,
     apiUrl: firewallOptions.apiUrl,
+    apiUrlFallbacks: firewallOptions.apiUrlFallbacks,
     versionCheckInterval: firewallOptions.versionCheckInterval,
     syncInterval: firewallOptions.syncInterval,
     failMode: firewallOptions.failMode,